Re: Help with CARP
IP addresses have been changed to protect the guilty. The "wrong VHID" packets have a simple explanation: there are two other machines on this net with their own CARP interfaces. No idea what the short packets are about.

Master:

# ifconfig
lo0: flags=8049 mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
sis0: flags=8943 mtu 1500
        lladdr 00:00:24:c8:45:48
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.7.3 netmask 0xffe0 broadcast
sis1: flags=8943 mtu 1500
        lladdr 00:00:24:c8:45:49
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.3.3.7 netmask 0xffc0 broadcast
sis2: flags=8943 mtu 1500
        lladdr 00:00:24:c8:45:4a
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.40.28.13 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842 mtu 1500
        lladdr 00:00:24:c7:98:6c
        media: Ethernet autoselect (none)
        status: no carrier
sis4: flags=8843 mtu 1500
        lladdr 00:00:24:c7:98:6d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.1.3 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1460
        pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp1: flags=8843 mtu 1500
        carp: MASTER carpdev sis0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843 mtu 1500
        carp: MASTER carpdev sis1 vhid 3 advbase 1 advskew 0
        groups: carp
        inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843 mtu 1500
        carp: MASTER carpdev sis2 vhid 4 advbase 1 advskew 0
        groups: carp
        inet 10.40.28.1 netmask 0xff00 broadcast 10.40.28.255

# netstat -s -p carp
carp:
        11770017 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        3956879 discarded because packet too short
        0 discarded for bad authentication
        7803201 discarded for bad vhid
        0 discarded because of a bad address list
        4263104 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error

# netstat -s -p pfsync
pfsync:
        8396009 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        6148732 failed state lookup/inserts
        22453726 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        0 send error

On the backup:

# ifconfig
lo0: flags=8049 mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
sis0: flags=8943 mtu 1500
        lladdr 00:00:24:c6:a8:fc
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.7.5 netmask 0xffe0 broadcast
sis1: flags=8943 mtu 1500
        lladdr 00:00:24:c6:a8:fd
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.3.3.6 netmask 0xffc0 broadcast
sis2: flags=8943 mtu 1500
        lladdr 00:00:24:c6:a8:fe
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.40.28.12 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842 mtu 1500
        lladdr 00:00:24:c6:2e:74
        media: Ethernet autoselect (none)
        status: no carrier
sis4: flags=8843 mtu 1500
        lladdr 00:00:24:c6:2e:75
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.1.2 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1460
        pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp1: flags=8843 mtu 1500
        carp: BACKUP carpdev sis0 vhid 1 advbase 1 advskew 230
        groups: carp egress
        inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843 mtu 1500
        carp: BACKUP carpdev sis1 vhid 3 advbase 1 advskew 230
        groups: carp
        inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843 mtu 1500
        carp: BACKUP carpdev sis2 vhid 4 advbase 1 advskew 230
        groups: carp
        inet 10.40.28.
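A small checker for the counters posted above, added here as an illustration and not part of the thread. It parses the text format of 'netstat -s -p carp', works out what fraction of received CARP packets each discard reason accounts for, and flags the reasons worth chasing (the sample below is constructed from the master's numbers in this message; the hint strings are the editor's, not from the list).

```python
import re

# Constructed sample: the master's 'netstat -s -p carp' counters from this thread,
# reduced to the lines the check needs.
SAMPLE = """\
carp:
        11770017 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for wrong TTL
        3956879 discarded because packet too short
        0 discarded for bad authentication
        7803201 discarded for bad vhid
        0 discarded because of a bad address list
        4263104 packets sent (IPv4)
"""

# Every counter line is "<count> <description>"; the "carp:" header does not match.
LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Editor's hints for the discard reasons seen in this thread (assumptions, not list text).
HINTS = {
    "discarded for bad vhid": "another CARP group on this segment uses a vhid not configured here",
    "discarded for bad authentication": "CARP password mismatch on one of the peers",
    "discarded because packet too short": "truncated advertisements; capture on the carpdev to see the sender",
}

def parse_carp_stats(text):
    """Map each counter description to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def discard_ratios(stats):
    """Fraction of all received CARP packets dropped, per non-zero discard reason."""
    received = stats.get("packets received (IPv4)", 0) + stats.get("packets received (IPv6)", 0)
    if received == 0:
        return {}
    return {k: v / received for k, v in stats.items() if "discarded" in k and v > 0}

def findings(stats, threshold=0.05):
    """(reason, ratio, hint) for every discard reason above the threshold."""
    return [(k, round(r, 3), HINTS.get(k, "inspect with tcpdump on the carpdev"))
            for k, r in discard_ratios(stats).items() if r >= threshold]

if __name__ == "__main__":
    for reason, ratio, hint in findings(parse_carp_stats(SAMPLE)):
        print(f"{ratio:6.1%} {reason}: {hint}")
```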
Re: Help with CARP
On Mon, Sep 22, 2008 at 8:30 AM, Jose Quinteiro <[EMAIL PROTECTED]> wrote:
> Not set on the MASTER, 230 on the backup.

Can you post the output of 'ifconfig' and 'netstat -s -p carp' and 'netstat -s -p pfsync' from both firewalls?

-B
Re: Help with CARP
Not set on the MASTER, 230 on the backup.

Saludos,
Jose.

Jonathan Carter wrote:
> I have it set to (1) on the primary and (100) on the backup.
>
> How high did you set yours?
>
> Jonathan
>
> -----Original Message-----
> From: Jose Quinteiro [mailto:[EMAIL PROTECTED]
> Sent: 20 September 2008 20:45
> To: Jonathan Carter
> Cc: misc@openbsd.org
> Subject: Re: Help with CARP
>
> I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them.
>
> HTH,
> Jose.
>
> Jonathan Carter wrote:
> > Hi
> >
> > Any ideas with this one please?
> >
> > I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF. This set up has already been working for 12 months.
> >
> > Last week I was troubleshooting network problems reported by my clients and I noticed that several CARP interfaces had failed over. I checked that there were no more problems with the primary firewall and I set the interfaces on the backup firewall back to "BACKUP" and made sure that the primary firewall interfaces were all set to "MASTER".
> >
> > However I had intermittent timeout problems for the next 24hrs. Eventually I enabled "loud" debugging on PF and I saw that traffic was coming through both firewalls even though the backup firewall has all its CARP interfaces set back to "BACKUP". I tried several basic TCP debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to "down".
> >
> > This is where I am at the moment. Can anyone point me in the direction of how I can investigate this further? I want to bring up the backup firewall interfaces as soon as possible so that I have my redundant set up, but at the moment I am at a loss to think of what could be wrong.
> >
> > The only thing I can think of is that I have accidentally enabled load balancing, but I have checked the basics from the CARP documentation and, on the surface, it does not look like it.
> >
> > I am running "4.1 GENERIC#874 amd64"
> >
> > Regards
> >
> > Jonathan
Re: Help with CARP - more advice needed
Just so the newsgroup knows: I tried this and I still have the problem, so suggestions with commands / techniques for debugging my problem would be gratefully received.

Jonathan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 September 2008 12:58
To: Jonathan Carter
Cc: 'Jose Quinteiro'; misc@openbsd.org
Subject: Re: Help with CARP

On Sat, 20 Sep 2008 22:18:08 +0200 "Jonathan Carter" <[EMAIL PROTECTED]> wrote:
> I have it set to (1) on the primary and (100) on the backup.
>
> How high did you set yours?
>
> Jonathan

Mine, in the test phase, is nothing on the first and 100 on the second firewall.
Re: Help with CARP
On Sat, 20 Sep 2008 22:18:08 +0200 "Jonathan Carter" <[EMAIL PROTECTED]> wrote:
> I have it set to (1) on the primary and (100) on the backup.
>
> How high did you set yours?
>
> Jonathan

Mine, in the test phase, is nothing on the first and 100 on the second firewall.
Re: Help with CARP
I have it set to (1) on the primary and (100) on the backup.

How high did you set yours?

Jonathan

-----Original Message-----
From: Jose Quinteiro [mailto:[EMAIL PROTECTED]
Sent: 20 September 2008 20:45
To: Jonathan Carter
Cc: misc@openbsd.org
Subject: Re: Help with CARP

I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them.

HTH,
Jose.

Jonathan Carter wrote:
> Hi
>
> Any ideas with this one please?
>
> I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF.
> This set up has already been working for 12 months.
>
> Last week I was troubleshooting network problems reported by my
> clients and I noticed that several CARP interfaces had failed over. I
> checked that there were no more problems with the primary firewall and
> I set the interfaces on the backup firewall back to "BACKUP" and made
> sure that the primary firewall interfaces were all set to "MASTER".
>
> However I had intermittent timeout problems for the next 24hrs.
> Eventually I enabled "loud" debugging on PF and I saw that traffic was
> coming through both firewalls even though the backup firewall has all
> its CARP interfaces set back to "BACKUP". I tried several basic TCP
> debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to "down".
>
> This is where I am at the moment. Can anyone point me in the
> direction of how I can investigate this further? I want to bring up
> the backup firewall interfaces as soon as possible so that I have my
> redundant set up, but at the moment I am at a loss to think of what could be wrong.
>
> The only thing I can think of is that I have accidentally enabled
> load balancing, but I have checked the basics from the CARP
> documentation and, on the surface, it does not look like it.
>
> I am running "4.1 GENERIC#874 amd64"
>
>
> Regards
>
> Jonathan
Re: Help with CARP
I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them.

HTH,
Jose.

Jonathan Carter wrote:
> Hi
>
> Any ideas with this one please?
>
> I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF. This set up has already been working for 12 months.
>
> Last week I was troubleshooting network problems reported by my clients and I noticed that several CARP interfaces had failed over. I checked that there were no more problems with the primary firewall and I set the interfaces on the backup firewall back to "BACKUP" and made sure that the primary firewall interfaces were all set to "MASTER".
>
> However I had intermittent timeout problems for the next 24hrs. Eventually I enabled "loud" debugging on PF and I saw that traffic was coming through both firewalls even though the backup firewall has all its CARP interfaces set back to "BACKUP". I tried several basic TCP debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to "down".
>
> This is where I am at the moment. Can anyone point me in the direction of how I can investigate this further? I want to bring up the backup firewall interfaces as soon as possible so that I have my redundant set up, but at the moment I am at a loss to think of what could be wrong.
>
> The only thing I can think of is that I have accidentally enabled load balancing, but I have checked the basics from the CARP documentation and, on the surface, it does not look like it.
>
> I am running "4.1 GENERIC#874 amd64"
>
> Regards
>
> Jonathan
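Why raising advskew on the backup helps a box that occasionally misses master advertisements under interrupt load, worked through as an added example (the editor's code, not from the thread). It assumes the carp(4) behaviour that a node advertises every advbase + advskew/256 seconds and that a BACKUP declares the master down after three of its own intervals without an advertisement; the advskew values 0, 100 and 230 are the ones discussed in this thread.

```python
def advert_interval(advbase, advskew):
    """Seconds between CARP advertisements: advbase + advskew/256 (carp(4))."""
    return advbase + advskew / 256.0

def master_down_timeout(advbase, advskew):
    """Silence a BACKUP tolerates before promoting itself: three of its own intervals
    (assumption about the CARP master-down timer, stated in the lead-in)."""
    return 3 * advert_interval(advbase, advskew)

def tolerated_missed_adverts(master_skew, backup_skew, advbase=1):
    """Consecutive master advertisements that can be lost (e.g. dropped while the
    master is busy servicing interrupts) without the backup becoming MASTER.

    The master sends at t = 0, I, 2I, ...; if k adverts in a row are lost, the
    backup sees silence of (k + 1) * I and fails over once that exceeds its
    master-down timeout. The comparison is strict, so a tie counts as a failover."""
    master_ivl = advert_interval(advbase, master_skew)
    timeout = master_down_timeout(advbase, backup_skew)
    k = 0
    while (k + 2) * master_ivl < timeout:
        k += 1
    return k

def compare(master_skew, backup_skews, advbase=1):
    """Tolerated lost adverts for each candidate backup advskew."""
    return {s: tolerated_missed_adverts(master_skew, s, advbase) for s in backup_skews}

if __name__ == "__main__":
    # Master with advskew 0 (as in the thread) against the backup values discussed.
    for skew, k in compare(0, (0, 100, 230)).items():
        print(f"backup advskew {skew:3d}: master-down timeout "
              f"{master_down_timeout(1, skew):.2f}s, tolerates {k} lost advertisement(s)")
```

A higher advskew buys tolerance at the cost of a slower real failover, which is the trade-off behind "230 on the backup".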