Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-14 Thread Илья Шипицин
it doesn't match the FAQ, but it works.
my fail was using nat from 192.168.0.0/16 to !192.168.0.0/16 and it
affected CARP traffic, because of its multicast nature (it matched !
192.168.0.0/16)

not many people read FAQ actually.

I like the idea of OpenBSD just to work out of a box, it's more about how
people think and do.

On 13 March 2012 at 14:52, user Janne Johansson icepic...@gmail.com wrote:

 2012/3/4 Илья Шипицин chipits...@gmail.com:
  thanks to Camiel Dobbelaar, carp log at 6 showed ip_output problem, which
  led me to:
 
  pass quick proto carp no state

 Which doesn't match the PF FAQ which says:
 Since CARP is its own protocol it should have an explicit pass rule
 in filter rulesets:
 pass out on $carp_dev proto carp keep state

 I'll test the no state as soon as I can rig one of my previously
 failing boxes to not use my carppeer workaround.

 
 
  it did the job (I still do not understand how firewall passed 6 interfaces
  and blocked 7th, need to have a closer look, but after that rule everything
  became ok,
  pf stopped blocking carp announces)
 
  On 2 March 2012 at 21:31, user favar 889...@gmail.com wrote:
 
  hi list, we have same problem with carp. (with 45 ip addresses)
  and after reboot, host with advskew 200 became master, and with
  advskew 1 - slave.
 
  2012/3/2 Илья Шипицин chipits...@gmail.com:
   no, I copied hostname.carpXX, just added advskew 200
   parameters are the same.
  
   On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:
  
   On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
  
hello!
   
we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.
   
when we added 7th, randomly we get MASTERs on both servers for certain carp
interface. After reboot we can get different carp interface on dual MASTER
state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see each other.
   
if I put one interface to BACKUP state, it goes to MASTER soon.
   
we are running 5.0/amd64
   
Cheers,
Ilya Shipitsin
  
   Carefully compare the address lists (including masks) on both
   machines. Likely they are not the same.
  
  -Otto
 



 --
  To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-13 Thread Janne Johansson
2012/3/4 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which
 lead me to:

 pass quick proto carp no state

Which doesn't match the PF FAQ which says:
Since CARP is its own protocol it should have an explicit pass rule
in filter rulesets:
pass out on $carp_dev proto carp keep state

I'll test the no state as soon as I can rig one of my previously
failing boxes to not use my carppeer workaround.



 it did the job (I still do not understand how firewall passed 6 interfaces
 and blocked 7th, need to have a closer look, but after that rule everything
 became ok,
 pf stopped blocking carp announces)

 On 2 March 2012 at 21:31, user favar 889...@gmail.com wrote:

 hi list, we have same problem with carp. (with 45 ip addresses)
 and after reboot, host with advskew 200 became master, and with
 advskew 1 - slave.

 2012/3/2 Илья Шипицин chipits...@gmail.com:
  no, I copied hostname.carpXX, just added advskew 200
  parameters are the same.
 
  On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:
 
  On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
 
   hello!
  
   we are running CARP-ed load balancers (carp over different vlans).
   it was running just great with 6 carp addresses.
  
   when we added 7th, randomly we get MASTERs on both servers for certain carp
   interface. After reboot we can get different carp interface on dual MASTER
   state, and so on.
   carp negotiations are ok, tcpdump shows them all. both peers see each other.
  
   if I put one interface to BACKUP state, it goes to MASTER soon.
  
   we are running 5.0/amd64
  
   Cheers,
   Ilya Shipitsin
 
  Carefully compare the address lists (including masks) on both
  machines. Likely they are not the same.
 
  -Otto




--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-13 Thread Camiel Dobbelaar
On 13-3-2012 9:52, Janne Johansson wrote:
 2012/3/4 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which
 lead me to:

 pass quick proto carp no state
 
 Which doesn't match the PF FAQ which says:
 Since CARP is its own protocol it should have an explicit pass rule
 in filter rulesets:
 pass out on $carp_dev proto carp keep state
 
 I'll test the no state as soon as I can rig one of my previously
 failing boxes to not use my carppeer workaround.

I think keep state (no-sync) is better.  You don't want carp to get
dropped when the box gets congested and only traffic for established
states gets through.

Since this is biting lots of people maybe we should look into setting
no-sync by default on carp traffic, be it in pfctl, pf, or pfsync.



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-04 Thread Илья Шипицин
thanks to Camiel Dobbelaar, carp log at 6 showed ip_output problem, which
led me to:

pass quick proto carp no state


it did the job (I still do not understand how firewall passed 6 interfaces
and blocked 7th, need to have a closer look, but after that rule everything
became ok,
pf stopped blocking carp announces)

On 2 March 2012 at 21:31, user favar 889...@gmail.com wrote:

 hi list, we have same problem with carp. (with 45 ip addresses)
 and after reboot, host with advskew 200 became master, and with
 advskew 1 - slave.

 2012/3/2 Илья Шипицин chipits...@gmail.com:
  no, I copied hostname.carpXX, just added advskew 200
  parameters are the same.
 
  On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:
 
  On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
 
   hello!
  
   we are running CARP-ed load balancers (carp over different vlans).
   it was running just great with 6 carp addresses.
  
   when we added 7th, randomly we get MASTERs on both servers for certain carp
   interface. After reboot we can get different carp interface on dual MASTER
   state, and so on.
   carp negotiations are ok, tcpdump shows them all. both peers see each other.
  
   if I put one interface to BACKUP state, it goes to MASTER soon.
  
   we are running 5.0/amd64
  
   Cheers,
   Ilya Shipitsin
 
  Carefully compare the address lists (including masks) on both
  machines. Likely they are not the same.
 
 -Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Janne Johansson
2012/3/2 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 hello!

 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.

 when we added 7th, randomly we get MASTERs on both servers for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.

 if I put one interface to BACKUP state, it goes to MASTER soon.

 we are running 5.0/amd64


I'm seeing this too. The current work-around is to set the carp to
announce to a carppeer to the other box so it doesn't multicast but
rather uses unicasts. In my case, the to-be-slave machine doesn't see
all the carp announcements from the master, but rather one per minute
or so.

I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my
cases when running on top of vlans (just because that is how we set
these up) and running on Extreme Switches.

The ips on the vlan interfaces can talk fine, the master hears all
carp packets, the slave misses most or all carps from the other. This
means that tcpdump on the master shows the higher-skewed carps from
the slave also.

The odd thing is that it's not consistent on all carps either, but
rather a few out of many. If I set just those to use carppeer, it
sometimes moves over to other carps, but it could have been moving
around for a long time, haven't had time to fully investigate this.

I have a few non-critical pairs on which to test stuff, if needed.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Janne Johansson
2012/3/3 Janne Johansson icepic...@gmail.com:

 when we added 7th, randomly we get MASTERs on both servers for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.

 if I put one interface to BACKUP state, it goes to MASTER soon.

 we are running 5.0/amd64


 I'm seeing this too.
 I have this on Dell amd64 openbsds ranging from 4.8 to 5.0, in all my
 cases when running on top of vlans (just because that is how we set
 these up) and running on Extreme Switches.

And to answer Camiel's Q, we have preempt=1

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Илья Шипицин
I performed tcpdump on appropriate vlan on BOTH SERVERS, I see on
advskew=200 announces. MASTER with advskew=0 does not do any
advertisement.

22:22:37.296866 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
22:22:39.096900 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]

On 2 March 2012 at 16:14, user Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 02:53:31PM +0500,  ??? wrote:

  no, I copied hostname.carpXX, just added advskew 200
  parameters are the same.

 To be 100% sure, also look at ifconfig carpXX on both machines.

-Otto
 
  On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:
 
   On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
  
hello!
   
we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.
   
when we added 7th, randomly we get MASTERs on both servers for certain carp
interface. After reboot we can get different carp interface on dual MASTER
state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see each other.
   
if I put one interface to BACKUP state, it goes to MASTER soon.
   
we are running 5.0/amd64
   
Cheers,
Ilya Shipitsin
  
   Carefully compare the address lists (including masks) on both
   machines. Likely they are not the same.
  
  -Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Camiel Dobbelaar
Why is demote 2?  Do you have any carp interfaces in INIT?

Note that demote takes precedence over advskew.

What does ifconfig -g carp, ifconfig carp and netstat -s -p carp
look like on both machines?


On 3-3-2012 19:26, Илья Шипицин wrote:
 I performed tcpdump on appropriate vlan on BOTH SERVERS, I see on
 advskew=200 announces. MASTER with advskew=0 does not do any
 advertisement.
 
 22:22:37.296866 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
 22:22:39.096900 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
 
 On 2 March 2012 at 16:14, user Otto Moerbeek o...@drijf.net wrote:
 
 On Fri, Mar 02, 2012 at 02:53:31PM +0500,  ??? wrote:

 no, I copied hostname.carpXX, just added advskew 200
 parameters are the same.

 To be 100% sure, also look at ifconfig carpXX on both machines.

-Otto

 On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:

 hello!

 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.

 when we added 7th, randomly we get MASTERs on both servers for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.

 if I put one interface to BACKUP state, it goes to MASTER soon.

 we are running 5.0/amd64

 Cheers,
 Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

-Otto
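
Added example (not code posted by anyone in this thread): a Python script that groups tcpdump CARP advertisements per vhid, flags groups with more than one advertiser or a non-zero demote counter, and ranks senders with demote ahead of advskew as noted above. The capture is constructed; because these tcpdump lines carry no source address, distinct parameter sets are assumed to be distinct senders.

```python
import re
from collections import defaultdict

# Constructed capture: the two vhid=60 lines follow the format quoted in the
# thread; the vhid=61 and vhid=62 lines are made up for illustration.
SAMPLE = """\
22:22:37.296866 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
22:22:39.096900 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2 (DF) [tos 0x10]
22:22:39.500000 CARPv2-advertise 36: vhid=61 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
22:22:40.100000 CARPv2-advertise 36: vhid=61 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
22:22:40.500000 CARPv2-advertise 36: vhid=62 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
"""

ADV = re.compile(
    r"CARPv2-advertise \d+: vhid=(\d+) advbase=(\d+) advskew=(\d+) demote=(\d+)"
)


def parse(capture):
    """Return {vhid: {(demote, advbase, advskew): count}} for each advertisement."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        m = ADV.search(line)
        if m:
            vhid, advbase, advskew, demote = map(int, m.groups())
            seen[vhid][(demote, advbase, advskew)] += 1
    return seen


def findings(capture):
    """Flag vhids with several advertisers or with a demoted advertiser."""
    out = {}
    for vhid, senders in sorted(parse(capture).items()):
        flags = []
        # In steady state only the MASTER advertises; two parameter sets on
        # one vhid means two hosts both believe they are MASTER.
        if len(senders) > 1:
            flags.append("multiple-advertisers")
        if any(demote > 0 for demote, _, _ in senders):
            flags.append("demoted")
        # Tuples sort on demote first, so demote outranks advskew here.
        out[vhid] = {"flags": flags, "preferred": min(senders)}
    return out


if __name__ == "__main__":
    for vhid, info in findings(SAMPLE).items():
        print(vhid, info)
```

Feed it the concatenated tcpdump output from both firewalls for the same time window; a vhid flagged `demoted` is the cue to check for carp interfaces in INIT, as asked above.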



may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
hello!

we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.

when we added 7th, randomly we get MASTERs on both servers for certain carp
interface. After reboot we can get different carp interface on dual MASTER
state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see each other.

if I put one interface to BACKUP state, it goes to MASTER soon.

we are running 5.0/amd64

Cheers,
Ilya Shipitsin



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Otto Moerbeek
On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:

 hello!
 
 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.
 
 when we added 7th, randomly we get MASTERs on both servers for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.
 
 if I put one interface to BACKUP state, it goes to MASTER soon.
 
 we are running 5.0/amd64
 
 Cheers,
 Ilya Shipitsin

Carefully compare the address lists (including masks) on both
machines. Likely they are not the same.

-Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
no, I copied hostname.carpXX, just added advskew 200
parameters are the same.

On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:

  hello!
 
  we are running CARP-ed load balancers (carp over different vlans).
  it was running just great with 6 carp addresses.
 
  when we added 7th, randomly we get MASTERs on both servers for certain carp
  interface. After reboot we can get different carp interface on dual MASTER
  state, and so on.
  carp negotiations are ok, tcpdump shows them all. both peers see each other.
 
  if I put one interface to BACKUP state, it goes to MASTER soon.
 
  we are running 5.0/amd64
 
  Cheers,
  Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

-Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread favar
hi list, we have same problem with carp. (with 45 ip addresses)
and after reboot, host with advskew 200 became master, and with
advskew 1 - slave.

2012/3/2 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 no, I copied hostname.carpXX, just added advskew 200
 parameters are the same.

 On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:

  hello!
 
  we are running CARP-ed load balancers (carp over different vlans).
  it was running just great with 6 carp addresses.
 
  when we added 7th, randomly we get MASTERs on both servers for certain carp
  interface. After reboot we can get different carp interface on dual MASTER
  state, and so on.
  carp negotiations are ok, tcpdump shows them all. both peers see each other.
 
  if I put one interface to BACKUP state, it goes to MASTER soon.
 
  we are running 5.0/amd64
 
  Cheers,
  Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

 -Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Camiel Dobbelaar
Do you have spanning tree enabled on the switch?  The firewall ports
should be in portfast mode, otherwise the backup may become master after
a reboot or when bouncing the physical interface.

And do you have carp preempt enabled?  (net.inet.carp.preempt=1)


On 2-3-2012 16:31, favar wrote:
 hi list, we have same problem with carp. (with 45 ip addresses)
 and after reboot, host with advskew 200 became master, and with
 advskew 1 - slave.
 
 2012/3/2 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com:
 no, I copied hostname.carpXX, just added advskew 200
 parameters are the same.

 On 2 March 2012 at 15:25, user Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:

 hello!

 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.

 when we added 7th, randomly we get MASTERs on both servers for certain carp
 interface. After reboot we can get different carp interface on dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.

 if I put one interface to BACKUP state, it goes to MASTER soon.

 we are running 5.0/amd64

 Cheers,
 Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

 -Otto