Hi

On Fri, 18 May 2012 at 02:38 CEST shadrock <shadr...@ntlworld.com> wrote:
> Still looking for an answer to the following question.
>
> > Hi all,
> >
> > I have configured two firewalls with CARP.
> > I have connectivity to the internet and the firewalls fail over properly.
> > When I check the CARP states of each firewall, the slave reports that its
> > WAN connection is in the master state, the same as the master firewall,
> > while the slave's CARP LAN connection is in the backup state.
> > Is this normal, or should both CARPs be in backup for the slave?
> >
> > shadrock
> >
> >
> > master firewall
> >
> > /etc/hostname.carp1
> > inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1
> >
> > /etc/hostname.carp2
> > inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2
> >
> > /etc/hostname.em0
> > inet 192.168.5.2 255.255.255.0
> >
> > /etc/hostname.em1
> > inet 10.5.5.2 255.255.255.0 NONE
> >
> > /etc/hostname.bge0
> > inet 172.16.0.2 255.255.255.0 NONE
> >
> > /etc/hostname.pfsync0
> > up syncdev bge0
> >
> >
> > ifconfig -a
> >
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
> >         priority: 0
> >         groups: lo
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> >         inet 127.0.0.1 netmask 0xff000000
> > bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:18:8b:60:7b:06
> >         priority: 0
> >         media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
> >         status: active
> >         inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255
> >         inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
> > em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:04:23:df:6b:a4
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
> >         status: active
> >         inet 192.168.5.2 netmask 0xffffff00 broadcast 192.168.5.255
> >         inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
> > em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:04:23:df:6b:a5
> >         priority: 0
> >         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> >         status: active
> >         inet 10.5.5.2 netmask 0xffffff00 broadcast 10.5.5.255
> >         inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
> > enc0: flags=41<UP,RUNNING>
> >         priority: 0
> >         groups: enc
> >         status: active
> > pfsync0: flags=41<UP,RUNNING> mtu 1500
> >         priority: 0
> >         pfsync: syncdev: bge0 maxupd: 128 defer: off
> >         groups: carp pfsync
> > pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
> >         priority: 0
> >         groups: pflog
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:01
> >         priority: 0
> >         carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
> >         groups: carp
> >         status: master
> >         inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
> >         inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255
> > carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:02
> >         priority: 0
> >         carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
> >         groups: carp
> >         status: master
> >         inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
> >         inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
> >
> >
> > slave firewall
> >
> > /etc/hostname.carp1
> > inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100 pass pass1
> >
> > /etc/hostname.carp2
> > inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew 100 pass pass2
> >
> > /etc/hostname.em0
> > inet 192.168.5.3 255.255.255.0
> >
> > /etc/hostname.em1
> > inet 10.5.5.3 255.255.255.0 NONE
> >
> > /etc/hostname.bge0
> > inet 172.16.0.3 255.255.255.0 NONE
> >
> > /etc/hostname.pfsync0
> > up syncdev bge0
> >
> >
> > ifconfig -a
> >
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
> >         priority: 0
> >         groups: lo
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> >         inet 127.0.0.1 netmask 0xff000000
> > bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:18:8b:6c:4e:85
> >         priority: 0
> >         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> >         status: active
> >         inet 172.16.0.3 netmask 0xffffff00 broadcast 172.16.0.255
> >         inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1
> > em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:04:23:e3:c7:92
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
> >         status: active
> >         inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255
> >         inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2
> > em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:04:23:e3:c7:93
> >         priority: 0
> >         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> >         status: active
> >         inet 10.5.5.3 netmask 0xffffff00 broadcast 10.5.5.255
> >         inet6 fe80::204:23ff:fee3:c793%em1 prefixlen 64 scopeid 0x3
> > enc0: flags=41<UP,RUNNING>
> >         priority: 0
> >         groups: enc
> >         status: active
> > pfsync0: flags=41<UP,RUNNING> mtu 1500
> >         priority: 0
> >         pfsync: syncdev: bge0 maxupd: 128 defer: off
> >         groups: carp pfsync
> > pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
> >         priority: 0
> >         groups: pflog
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:01
> >         priority: 0
> >         carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100
> >         groups: carp
> >         status: backup
> >         inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
> >         inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255
> > carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:02
> >         priority: 0
> >         carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100
> >         groups: carp
> >         status: master
> >         inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
> >         inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255

It isn't normal. Check connectivity on the em0 interface between both firewalls.
When I hit something very similar, the reason turned out to be misconfigured
VLANs on the switch ports.

-- 
Greetings
Rafal Bisingier
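As an added check that is not part of the thread: a small sh script that compares the `carp:` lines of `ifconfig` output captured on both firewalls and flags any vhid that is MASTER on both hosts. Two hosts claiming MASTER for the same vhid means neither is receiving the other's CARP advertisements on that carpdev, which is exactly the carp2/em0 symptom above and is why the reply points at the em0 link and the switch VLANs rather than at the CARP configuration. The three samples are constructed from the carp interfaces posted in the thread (the master, the slave as posted, and what a healthy slave looks like with the master up); the function names are this example's own.

```sh
#!/bin/sh
# Added example: detect a CARP split-brain from `ifconfig` output captured on
# both firewalls. The samples are constructed from the carp interfaces in the
# thread; on a live pair you would capture `ifconfig carp` on each host instead.

# Master firewall as posted: MASTER on both vhids (expected while it is up).
FW1='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0'

# Slave firewall as posted: vhid 2 (the em0 side) is also MASTER, which is wrong.
FW2_AS_POSTED='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100'

# What the slave should look like while the master is up: BACKUP on every vhid.
FW2_HEALTHY='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100'

# carp_states OUTPUT: print one "vhid:STATE:carpdev" line per carp interface.
carp_states() {
    printf '%s\n' "$1" | awk '$1 == "carp:" {
        v = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "vhid") v = $(i + 1)
            if ($i == "carpdev") d = $(i + 1)
        }
        print v ":" $2 ":" d
    }'
}

# split_vhids OUT_A OUT_B: print every vhid that is MASTER on both hosts.
split_vhids() {
    b=$(carp_states "$2")
    for rec in $(carp_states "$1"); do
        case "$rec" in
            *:MASTER:*) vhid=${rec%%:*} ;;
            *) continue ;;
        esac
        if printf '%s\n' "$b" | grep -q "^$vhid:MASTER:"; then
            echo "$vhid"
        fi
    done
    return 0
}

# check_carp_pair OUT_A OUT_B: human-readable verdict; returns 1 on split-brain.
check_carp_pair() {
    split=$(split_vhids "$1" "$2")
    if [ -z "$split" ]; then
        echo "OK: no vhid is MASTER on both hosts"
        return 0
    fi
    for v in $split; do
        dev=$(carp_states "$1" | awk -F: -v v="$v" '$1 == v { print $3 }')
        echo "SPLIT-BRAIN: vhid $v is MASTER on both hosts; they do not see" \
             "each other's advertisements on $dev (check link/VLAN on the $dev switch ports)"
    done
    return 1
}

# Usage with the constructed samples:
check_carp_pair "$FW1" "$FW2_AS_POSTED" || echo "(exit status $?: split-brain detected)"
check_carp_pair "$FW1" "$FW2_HEALTHY"
```

The comparison is deliberately per vhid rather than per host: a backup that is BACKUP on one carpdev and MASTER on another, as here, is the signature of one broken segment (em0) rather than a host-wide problem such as a wrong `pass` or `advskew`. On the live hosts the direct confirmation is to watch the advertisements themselves, for example `tcpdump -ni em0 proto carp` on each firewall; if the slave does not see the master's vhid 2 advertisements on em0 while it does see vhid 1 on em1, the em0 path (cabling or the switch port VLAN) is where to look.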