What I've noticed now is that on both servers the status of carp0 is MASTER.

Trinity# ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 200.143.111.113 netmask 0xfffffff0
        carp: MASTER vhid 1 advbase 1 advskew 0
Trinity#

Ajax# ifconfig  carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 200.143.111.113 netmask 0xfffffff0
        carp: MASTER vhid 1 advbase 1 advskew 100
Ajax#

I thought that by setting a higher advskew it would come up as BACKUP.

Look at carp1:

Trinity# ifconfig  carp1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.100.0.119 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
Trinity#

Ajax# ifconfig carp1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.100.0.119 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 100
Ajax#

carp1 appears to be OK.

Can anyone give me a hand?

Thanks
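
The check done by eye in the message above, as an added example that is not part of the original post: it reads each host's `ifconfig` CARP status line and flags any vhid that more than one host reports as MASTER. The `## <host>` marker lines and the function names are assumptions of this example; the sample data is the four status lines quoted in the message.

```sh
#!/bin/sh
# Added example: flag any CARP vhid reported as MASTER by more than one host.
# Input format (an assumption of this example): a "## <host>" marker line,
# followed by that host's "ifconfig carpN" output.

carp_masters() {
    awk '
        /^## / { host = $2; next }
        $1 == "carp:" {
            vhid = ""
            for (i = 3; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
            if (vhid == "") next
            seen[vhid] = 1
            if ($2 == "MASTER") {
                n[vhid]++
                if (who[vhid] == "") who[vhid] = host
                else who[vhid] = who[vhid] "," host
            }
        }
        END {
            for (v in seen) {
                if (n[v] > 1)       printf "vhid %s SPLIT masters=%s\n", v, who[v]
                else if (n[v] == 1) printf "vhid %s OK master=%s\n", v, who[v]
                else                printf "vhid %s NOMASTER\n", v
            }
        }
    ' | sort
}

# Sample data: the four status lines quoted in the message above.
sample_status() {
cat <<'EOF'
## Trinity
        carp: MASTER vhid 1 advbase 1 advskew 0
        carp: MASTER vhid 2 advbase 1 advskew 0
## Ajax
        carp: MASTER vhid 1 advbase 1 advskew 100
        carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
}

sample_status | carp_masters
```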

-----Original message-----
From: freebsd-boun...@fug.com.br [mailto:freebsd-boun...@fug.com.br] On behalf of Ricardo Augusto de Souza
Sent: Friday, 8 May 2009 10:57
To: Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)
Subject: [FUG-BR] RES: Help with CARP

I managed to get CARP+pfsync working with the following configuration (IPv4 addresses were changed):

Trinity:
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 bce0 bce1 pfsync0 em0 em1 em2 em3"
ifconfig_bce1="inet 10.100.0.125  netmask 255.255.255.0"
ifconfig_carp1="up 10.100.0.119/24 vhid 2 pass fw_cmt123"
ifconfig_bce0="inet 200.143.111.111 netmask 255.255.255.240"
ifconfig_carp0="up 200.143.111.113/28 vhid 1 pass fw_cmt123"
ifconfig_em3="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em3"

Trinity# sysctl -a|grep carp
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0
Trinity#

Ajax:

cloned_interfaces="carp0 carp1"
network_interfaces="lo0 bce0 bce1 pfsync0 em0 em1 em2 em3"
ifconfig_bce0="inet 200.143.111.112  netmask 255.255.255.240"
ifconfig_carp0="up 200.143.111.113/28 vhid 1 advskew 10 pass fw_cmt123"
ifconfig_bce1="inet 10.100.0.124  netmask 255.255.255.0"
ifconfig_carp1="up 10.100.0.119/24 vhid 2 advskew 10 pass fw_cmt123"
ifconfig_pfsync0="up syncif em3"
ifconfig_em3="inet 10.1.1.2 netmask 255.255.255.0"

Ajax# sysctl -a | grep carp
<6>carp0: promiscuous mode enabled
<6>carp0: promiscuous mode disabled
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0
Ajax#


In pf.conf I had to allow the connections on the real interface (in this case bce0, ext_if).

In this scenario, Trinity is the MASTER and Ajax the BACKUP (higher advskew, right?); however, monitoring the bce0 interface on both servers and pinging the external CARP IP (200.143.111.113), the packets arrive at both servers.

Trinity# tcpdump -i bce0 -n 'src host 189.57.57.57'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
10:41:53.244939 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 0, length 64
10:41:54.247977 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 1, length 64
10:41:55.257514 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 2, length 64
10:41:56.267556 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 3, length 64
10:41:57.279997 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 4, length 64
10:41:58.286911 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 5, length 64
10:41:59.296871 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 6, length 64
10:42:00.306318 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 7, length 64
10:42:01.316047 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 8, length 64
10:42:02.328597 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 9, length 64
10:42:03.381118 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 10, length 64
10:42:04.345474 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 11, length 64
10:42:05.355074 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 12, length 64
10:42:06.364768 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 13, length 64
10:42:07.374496 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 14, length 64
10:42:08.416190 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 15, length 64
10:42:09.394005 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 16, length 64
10:42:10.404110 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 17, length 64
10:42:11.414550 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 18, length 64
10:42:12.423990 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 19, length 64
10:42:13.534119 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 20, length 64
10:42:21.510762 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 28, length 64
10:42:22.520292 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 29, length 64
10:42:23.530149 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 30, length 64
10:42:24.585748 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 31, length 64
10:42:25.549829 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 32, length 64
10:42:26.559316 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 33, length 64
10:42:27.570089 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 34, length 64
10:42:28.578751 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 35, length 64
10:42:29.588419 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 36, length 64
10:42:30.598119 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 37, length 64
10:42:31.607959 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 38, length 64
10:42:32.618290 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 39, length 64
10:42:33.627330 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 40, length 64
10:42:34.637257 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 41, length 64
10:42:35.646707 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 42, length 64
10:42:36.656547 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 43, length 64
10:42:37.666142 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 44, length 64
10:42:38.675928 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 45, length 64
10:42:53.822062 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 60, length 64
10:42:54.831676 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 61, length 64
10:42:55.841306 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 62, length 64
^C
42 packets captured
304 packets received by filter
0 packets dropped by kernel
Trinity#

Ajax# tcpdump -i bce0 -n 'src host 189.57.57.57'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
10:42:22.631838 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 21, length 64
10:42:23.630795 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 22, length 64
10:42:24.671341 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 23, length 64
10:42:25.649953 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 24, length 64
10:42:26.722732 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 25, length 64
10:42:27.669233 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 26, length 64
10:42:28.770422 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 27, length 64
10:42:47.933898 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 46, length 64
10:42:48.873414 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 47, length 64
10:42:49.883512 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 48, length 64
10:42:50.892785 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 49, length 64
10:42:51.902614 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 50, length 64
10:42:52.991445 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 51, length 64
10:42:53.921984 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 52, length 64
10:42:54.931980 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 53, length 64
10:42:55.942947 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 54, length 64
10:42:56.952141 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 55, length 64
10:42:57.961046 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 56, length 64
10:42:58.970705 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 57, length 64
10:42:59.980192 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 58, length 64
10:43:00.990430 IP 189.57.57.57 > 200.143.111.113: ICMP echo request, id 18799, seq 59, length 64
^C
21 packets captured
238 packets received by filter
0 packets dropped by kernel
Ajax#


Strange:
$ ssh 200.143.111.113 -l ricardo
The authenticity of host '200.143.111.113 (200.143.111.113)' can't be established.
DSA key fingerprint is 14:81:d7:e2:bf:ce:43:98:05:bb:44:1f:22:83:82:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '200.143.111.113' (DSA) to the list of known hosts.
Password:
Last login: Fri May  8 08:21:18 2009 from 10.100.1.3
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 7.1-RELEASE (CMT) #0: Thu Apr 16 19:26:19 BRT 2009

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o  Security advisories and updated errata information for all releases are
   at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
   for your release first as it's updated frequently.

o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questi...@freebsd.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.

$ unRead from remote host 200.143.111.113: Connection reset by peer
Connection to 200.143.111.113 closed.
$ me -a
sh: me: not found
$ w
10:59AM  up 9 days, 20:16, 1 user, load averages: 0.55, 0.75, 0.74
USER    TTY FROM              LOGIN@  IDLE WHAT
ricardo  p0 10.10.20.100     10:57AM     0 w
$ uname -a
OpenBSD Fw.cmtsp.com.br 4.3 CMT#0 i386
$ ssh 200.143.111.113 -l ricardo
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
20:f3:58:b5:ac:d0:46:3d:58:9c:e9:c4:0a:5e:e1:7e.
Please contact your system administrator.
Add correct host key in /home/ricardo/.ssh/known_hosts to get rid of this message.
Offending key in /home/ricardo/.ssh/known_hosts:1
DSA host key for 200.143.111.113 has changed and you have requested strict checking.
Host key verification failed.
$


-----Original message-----
From: freebsd-boun...@fug.com.br [mailto:freebsd-boun...@fug.com.br] On behalf of Franklin França
Sent: Wednesday, 6 May 2009 17:39
To: Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)
Subject: Re: [FUG-BR] Help with CARP

Hello,

Try changing the order of your ifconfig_carp to the following:


Trinity
ifconfig_carp1="vhid 2 pass fw_cmt123 10.100.0.128"

Ajax
ifconfig_carp1="vhid 2 pass fw_cmt123 advskew 100 10.100.0.128"

In the file /etc/sysctl.conf:

#Accept CARP packets
net.inet.carp.allow=1
#Enable preemption
net.inet.carp.preempt=1
#Enable logging
net.inet.carp.log=1
#Enable ARP-level load balancing
net.inet.carp.arpbalance=1


And post the result here.

2009/5/6 Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br>

> Folks,
>
> I'm configuring CARP between 2 FreeBSD 7 servers.
> I managed to get the external CARP (internet) working but could not get
> the internal CARP (LAN) working.
> Can anyone help me identify where the error is?
>
> Trinity# cat rc.conf |grep carp
> cloned_interfaces="carp0 carp1"
> ifconfig_carp1="up 10.100.0.128/24 vhid 2 pass fw_cmt123"
> ifconfig_carp0="up 200.143.33.XYZ/28 vhid 1 pass fw_cmt123"
> Trinity# cat pf.conf|grep carp
> carp_if="{ carp0, carp1 }"
> pass on $carp_if proto carp keep state
> Trinity#
>
> Ajax# cat rc.conf |grep carp
> cloned_interfaces="carp0 carp1"
> ifconfig_carp0="up 200.143.33.XYZ/28 vhid 1 advskew 10 pass fw_cmt123"
> ifconfig_carp1="up 10.100.0.128/24 vhid 2 advskew 10 pass fw_cmt123"
> Ajax# cat pf.conf |grep carp
> carp_if="{ carp0, carp1 }"
> pass on $carp_if proto carp keep state
> Ajax#
>
> On both:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> #if one interface fails then all will fail over
> net.inet.carp.preempt=1
> net.inet.tcp.sendspace=65536
> net.inet.tcp.recvspace=65536
>
> I cannot ping the IP 10.100.0.128 even with PF turned off on both
> servers.
>
>
> -------------------------
> History: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>



--
Regards,

Franklin de França