Hi folks,

After a 5.1 to 5.5 upgrade on a redundant firewall pair, every once in a while my FW2 (backup) promotes itself and then immediately demotes itself again. Which I find very odd because it is doing so based on pinging its peer every 10 seconds, and so the value of that boolean should only change after 10 seconds, no?
I cannot find anything else going on in other log files around the same time that would help explain this.

From my /var/log/daemon :

Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to promoted
Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to backup
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to promoted
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to backup
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to promoted
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to backup
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to promoted
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to backup

Ifstated.conf has changed very little since before the upgrade - a few minor tweaks and that is it.

And what is triggering the flap is this piece of code :

These are the internal and external interfaces. The first IP is the "front door". The second one is an internal IP - the stuff I am protecting. This is happening in 3 different environments all with carbon-copy configs.

    peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
              "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'

    ----snip---

    if ! $peer {
        if $carp_ready {
            if $local {
                if $relayd {
                    set-state promoted
                }
            }
        }
    }

And here is the whole ifstated.conf - with some added debug statements to try to help me get to the bottom of this.

    init-state backup

    carp_ready = "( (! carp0.link.unknown) && (! carp1.link.unknown) && (! carp5.link.unknown) && \
                    (! carp20.link.unknown) && (! carp25.link.unknown) && (! carp30.link.unknown) )"

    local = '( "ping -q -c 1 -w 1 10.1.1.2 > /dev/null 2>&1" every 10 && \
               "ping -q -c 1 -w 1 10.20.1.2 > /dev/null 2>&1" every 10)'

    # changed this to determine which one was not pinging
    # peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
    #           "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'
    peer1 = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10)'
    peer2 = '( "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'

    # If relayd fails, we will not be promoted.
    relayd = '( "pgrep relayd | wc -l | grep 8" every 10 )'

    state backup {
        init {
            # date format: %m is the month; %M would be the minute
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") starting up\" >> /var/log/ifstated"
            run "ifconfig carp0 advskew 100"
            run "ifconfig carp1 advskew 100"
            run "ifconfig carp5 advskew 100"
            run "ifconfig carp20 advskew 100"
            run "ifconfig carp25 advskew 100"
            run "ifconfig carp30 advskew 100"
            run "sleep 60"
        }

        # these debugging statements are new to help get to the bottom of it
        if ! $peer1 {
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer1 no good\" >> /var/log/ifstated"
        }
        if ! $peer2 {
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer2 no good\" >> /var/log/ifstated"
        }
        if ! $carp_ready {
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") carp_ready no good\" >> /var/log/ifstated"
        }
        if ! $local {
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") local no good\" >> /var/log/ifstated"
        }
        if ! $relayd {
            run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") relayd no good\" >> /var/log/ifstated"
        }

        if ( ! $peer1 ) || ( ! $peer2 ) {
            if $carp_ready {
                if $local {
                    if $relayd {
                        set-state promoted
                    }
                }
            }
        }
    }

    state promoted {
        init {
            run "ifconfig carp0 advskew 10"
            run "ifconfig carp1 advskew 10"
            run "ifconfig carp5 advskew 10"
            run "ifconfig carp20 advskew 10"
            run "ifconfig carp25 advskew 10"
            run "ifconfig carp30 advskew 10"
        }

        if ( $peer1 ) && ( $peer2 ) {
            set-state backup
        }
    }

-- 
"Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of "In Defense of Food"
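A small log check for exactly the symptom described in the post, added here as an example and not part of the original message: it parses /var/log/daemon lines in the format quoted above and flags any promoted-to-backup pair that happens faster than the 10-second ping interval, which is the case the poster says should be impossible. The sample lines are constructed to mirror the quoted ones, and the year (absent from syslog timestamps) is assumed to be 2014.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/daemon lines in the format shown in the
# post; the last two entries are a normal (slow) transition and a line from
# another daemon, to show they are not reported.
SAMPLE_LOG = """\
Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to promoted
Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to backup
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to promoted
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to backup
Nov 17 09:00:00 my-hostname ifstated[28981]: changing state to promoted
Nov 17 09:05:30 my-hostname ifstated[28981]: changing state to backup
Nov 18 11:44:38 my-hostname sshd[1234]: Accepted publickey for admin
"""

# syslog timestamp, host, ifstated[pid], then the state-change message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ ifstated\[\d+\]: "
    r"changing state to (?P<state>\w+)$"
)


def parse_transitions(text, year=2014):
    """Return [(datetime, state)] for every ifstated state change in text.
    Syslog lines carry no year, so one is assumed (2014 by default)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["state"]))
    return out


def find_flaps(transitions, max_gap=10):
    """A flap is a promoted -> backup pair closer together than max_gap
    seconds, i.e. faster than a single 'every 10' ping test in the
    posted ifstated.conf could legitimately change its value."""
    flaps = []
    for (t1, s1), (t2, s2) in zip(transitions, transitions[1:]):
        gap = (t2 - t1).total_seconds()
        if s1 == "promoted" and s2 == "backup" and gap < max_gap:
            flaps.append((t1, gap))
    return flaps


if __name__ == "__main__":
    for when, gap in find_flaps(parse_transitions(SAMPLE_LOG)):
        print(f"{when:%b %d %H:%M:%S}: promoted then backup after {gap:.0f}s")
```

Run it over the real file with `parse_transitions(open("/var/log/daemon").read())` to list every flap; a non-empty result with gaps of 0 seconds is the pattern the post is asking about.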