-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(another meaning of "auto-reply"?)

Markus Wernig wrote:
|
| problem 2) is a bit strange. I'll start with the network layout:
| [...]
|
| - unplug cable on OBSD 1 (.49) : carp&ipsec fails over to OBSD 2
| - plug cable back in : carp fails back over to OBSD 1, but ipsec does so
| only on carp0 - i.e.: packets from Client A to B go through carp0 on
| OBSD 1, replies go through carp1 on OBSD 2. This lasts for exactly 30
| seconds, but Client B will not decrypt the packets. tcpdump on Client B
| shows the replies (esp) coming from OBSD 2's MAC address. Then ipsec
| also goes back to OBSD 1, and pings resume. The ssh session established
| before the failover doesn't work anymore (replies are no longer passed
| on to ssh client on Client B). New sessions can be established though.
|

OK, got a bit further on that one. After plugging the cable back in, it
takes 30 seconds before OBSD 2 receives the first carp advertisements
from OBSD 1, so it remains master on that interface while immediately
going into backup on the other one.

This might be a setting on the switch blocking outgoing packets on the
freshly plugged back-in cable. I'll try it with a hub.

/m
-----BEGIN PGP SIGNATURE-----

iD8DBQFDJg3f8BX/d8pVi/cRAm35AJ0cz5+DIC568LIoN2WjCjjnMUSRpQCdFAZo
hsYjrgJKrnhMCI0O3c18stc=
=HjcG
-----END PGP SIGNATURE-----