Hi, 
   
  I have two firewall clusters using isakmpd+pf+sasyncd+carp (OpenBSD 4.0);
preempt is set to 0.
   
  At one end (machine names MAED11 and MAED12)
carp0 on external has 172.16.140.145 255.255.255.0 advbase 0 advskew 128 pass gijane vhid 1
carp1 on external has 172.16.160.33 255.255.255.224 advbase 0 advskew 128 vhid 2
   
  On the other end (machine names MAED21 and MAED22)
carp0 on external has 172.16.140.148 255.255.255.0 advbase 0 advskew 128 pass gijane vhid 1
carp1 on external has 172.16.160.33 255.255.255.224 advbase 0 advskew 128 vhid 2
   
  I do not want to favor any machine in the cluster. The master stays master 
until it fails (same thing happens if advbase is set to 1, not 0).
   
  Here is an interesting scenario that I observed:
1. I reboot MAED11 and MAED21 (the first machines in the two clusters), 
then 20 seconds later I reboot MAED12 and MAED22.
2. MAED11 and MAED21 come back up first and they establish SAs with SPIs 
spi11-21 and spi21-11. Packets go through.
3. Their carp interfaces advertise advbase 0 and advskew 240 (~950 ms) for about 
45 packets, then they start advertising every 500 ms (advbase 0 and advskew 128).
4. MAED12 and MAED22 come back before the 45 packets are sent. They become 
master as they advertise directly with advbase 0 and advskew 128.
   If I delay the restart of MAED12 and MAED22 so that the first 45 packets 
are sent and the new adv rate is advbase 0 advskew 128 (500 ms), the switchover 
does not occur.
   Another interesting thing is that in the packets sent on the ext interface, 
before the takeover I see Auth Type: Simple Text Authentication (1), 
but after the takeover I see No authentication (0). Since I use a pass on 
external, should I not have authentication on the external?
5. The new masters (MAED12 and MAED22) establish new SAs with SPIs spi12-22 
and spi22-12. But before that they got spi11-12 and spi12-11 using sasyncd.
6. I notice that they try to communicate using the new spi12-22 out and the 
older spi21-11 in. Basically it mixes the SA pairs. The packets stop going 
through.
I believe once new SAs are established the old ones are marked replaced, so what 
happens makes sense. But why it decides to use the old SPI I do not know. 
Any ideas?
   
  Is there a way to ensure the first firewall that comes up stays master?
Why would the SPI mismatch occur? Is sasyncd setting the replaced flag? 
   
  Thanks for the info. Let me know if you need any info. The firewalls have 
identical hardware.
   
  Regards,
Catalin
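To make the advertisement timing in steps 3 and 4 concrete, here is a small Python model. It is an added example, not code from the original post or from OpenBSD. It uses two facts about CARP: an interface advertises every advbase + advskew/256 seconds (so advskew 240 is ~0.94 s and advskew 128 is 0.5 s, matching the ~950 ms and 500 ms above), and within a vhid the member with the shortest interval is the one that ranks first for master. The record layout, the sample advertisement sequence and the demotion value are constructed for the example; the assumption that the initial skew of 240 comes from the demotion counter being added to advskew and capped at 240 is the example's, not something the post states. The auth-type check is there because a change from authenticated to unauthenticated advertisements across a failover, as reported above, is something a defender would want flagged.

```python
"""CARP advertisement model: intervals, election ranking and auth-type changes.

Added example, not code from the original post. Two facts about OpenBSD CARP
are modelled: an interface advertises every advbase + advskew/256 seconds, and
within a vhid the member with the shortest interval is the one that should
end up master. The record layout, the sample advertisements and the demotion
value below are constructed for this example.
"""
from dataclasses import dataclass

CARP_SKEW_MAX = 240  # advskew plus demotion is clamped at this value


@dataclass(frozen=True)
class Advertisement:
    host: str      # which firewall sent it
    vhid: int      # CARP virtual host id
    advbase: int   # whole seconds between advertisements
    advskew: int   # extra 1/256-second units
    auth: int      # 1 = simple text authentication, 0 = no authentication


def interval_seconds(advbase: int, advskew: int) -> float:
    """Advertisement interval for an (advbase, advskew) pair."""
    if advbase < 0 or not 0 <= advskew <= 255:
        raise ValueError("advbase must be >= 0 and advskew within 0..255")
    return advbase + advskew / 256


def effective_skew(advskew: int, demote: int) -> int:
    """Skew actually sent while a demotion counter is raised (assumed capped at 240)."""
    return min(advskew + demote, CARP_SKEW_MAX)


def rank_for_vhid(ads, vhid):
    """Members of one vhid, fastest advertiser first; the last ad per host counts."""
    latest = {}
    for ad in ads:
        if ad.vhid == vhid:
            latest[ad.host] = ad
    return sorted(latest.values(),
                  key=lambda ad: (interval_seconds(ad.advbase, ad.advskew), ad.host))


def expected_master(ads, vhid):
    """Host that ranks first for the vhid, or None if nobody advertises it."""
    ranked = rank_for_vhid(ads, vhid)
    return ranked[0].host if ranked else None


def auth_changes(ads):
    """Return (vhid, old_host, old_auth, new_host, new_auth) for every auth flip."""
    last = {}
    flips = []
    for ad in ads:
        prev = last.get(ad.vhid)
        if prev is not None and prev.auth != ad.auth:
            flips.append((ad.vhid, prev.host, prev.auth, ad.host, ad.auth))
        last[ad.vhid] = ad
    return flips


# Constructed sequence mirroring the post: MAED11 is up first and still
# advertises with skew 240, then MAED12 boots and advertises with skew 128.
SAMPLE_ADS = [
    Advertisement("MAED11", 1, 0, 240, 1),
    Advertisement("MAED11", 2, 0, 240, 0),
    Advertisement("MAED11", 1, 0, 240, 1),
    Advertisement("MAED12", 1, 0, 128, 0),
    Advertisement("MAED12", 2, 0, 128, 0),
]

if __name__ == "__main__":
    for base, skew in ((0, 240), (0, 128), (1, 0)):
        print(f"advbase {base} advskew {skew}: every {interval_seconds(base, skew):.4f} s")
    print("would-be master for vhid 1:", expected_master(SAMPLE_ADS, 1))
    for flip in auth_changes(SAMPLE_ADS):
        print("auth type changed:", flip)
```

Feeding the constructed sequence through `expected_master` ranks MAED12 first for both vhids, because 0.5 s beats 0.9375 s; whether a backup actually acts on that ranking is governed by the kernel's preempt setting, which this model does not try to reproduce. `auth_changes` reports the vhid 1 advertisements going from auth type 1 to 0 between the two hosts, which is the kind of change worth alerting on in a monitoring script.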
