Sorry for the long-winded explanation yesterday, but I've got the problem narrowed down to the carp interfaces.

Essentially, the routers with the fast line are preemptive carp masters. When the fast line goes down, traffic gets routed correctly across the slow line, but once there, it cannot forward to the carp interface, as it's then on the carp "backup" side.

This makes sense, since the interface is a backup, but I'm unsure why it isn't just routing across the crossover cable in that case. Unplugging the carp master on the side in question causes the backup to become master, and everything works across the slow line as expected.

Ideas?

Thanks,

-John


On 03/11/2015 03:03 PM, John E.P. Hynes wrote:
Hi all,

I'm having an issue getting my ospf setup working. It's almost there, and I've read Claudio Jeker's excellent guide, and have nearly reproduced the setup he describes when discussing ospf with two routers on each end, the "remote" end carp'd. The differences in my setup are as follows:

-the "backup" line is an ipsec transport encrypted gre tunnel.
-I have tried carp'ing the "local" end as well, and I think my setup is *close*.

Here's what it looks like:

             REMOTE
nfe0 192.168.254.1/30 (private fiber link)->private fiber link (local)
                                                   nfe1 (carpdev)
                                                   bge0 (crossover)
192.168.0.0/24----192.168.0.1<    |
                                  carp             |
                                                   bge0 (crossover)
                                                   nfe1 (carpdev)
nfe0 www.xxx.yyy.zzz (public ISP link) gre0 (tunnel through www.xxx.yyy.zzz to aaa.bbb.ccc.ddd) enc0 (ipsec transport encryption for gre0)


               LOCAL
nfe0 192.168.254.2/30 (private fiber link)->private fiber link (remote)
                                                nfe1 (carpdev)
 core router                             bge0 (crossover)
10.0.0.1-------------10.0.0.100<   |
                                  carp          |
                                                bge0 (crossover)
                                                nfe1 (carpdev)
nfe0 aaa.bbb.ccc.ddd (public ISP link) gre0 (tunnel through aaa.bbb.ccc.ddd to www.xxx.yyy.zzz) enc0 (ipsec transport encryption for gre0)

(apologies if this diagram gets hosed - I stink at making these...)

First off: All point to point connections function properly. Traffic over the gre PTP connection is encrypted correctly. Carp works fine, and functions as expected with the routers connected to the fast fiber line as preemptive masters. Router at 10.0.0.1 has static routes to 10.0.0.100 for all networks connected above, including the /30 crossovers. The "remote" routers have no default gateway assigned in /etc/mygate. The "local" routers have 10.0.0.1 in /etc/mygate. The public internet interfaces only route to each other. All sysctl's for gre, esp, carp, and forwarding are enabled.

Here's where ospfd comes in. On the "remote" side, the /etc/ospfd.conf files look like this:

-----"fiber" router-----
router-id 1.1.1.1

area 0.0.0.0 {
    auth-type crypt
    auth-md 1 "password1"
    auth-md 2 "password2"
    auth-md-keyid 1

    interface nfe0 { metric 10 }
    interface bge0 { metric 20 }
    interface carp0
}

-----"slow" router-----
router-id 2.2.2.2

area 0.0.0.0 {
    auth-type crypt
    auth-md 1 "password1"
    auth-md 2 "password2"
    auth-md-keyid 1

    interface gre0 { metric 10 }
    interface bge0 { metric 20 }
    interface carp0
}

The above is basically what's in the paper I mentioned, except for the gre interface taking the place of an ethernet interface.

The "local" side looks like this:

-----"fiber" router-----
router-id 3.3.3.3
redistribute default

area 0.0.0.0 {
    auth-type crypt
    auth-md 1 "password1"
    auth-md 2 "password2"
    auth-md-keyid 1

    interface nfe0 { metric 10 }
    interface bge0 { metric 20 }
    interface carp0
}

-----"slow" router-----
router-id 4.4.4.4
redistribute default

area 0.0.0.0 {
    auth-type crypt
    auth-md 1 "password1"
    auth-md 2 "password2"
    auth-md-keyid 1

    interface gre0 { metric 10 }
    interface bge0 { metric 20 }
    interface carp0
}

WHAT DOES WORK:

Reboot all four routers, traffic from remote 192.168.0.0/24 gets to 10.0.0.1 no problem.

WHAT DOES NOT WORK:

Unplug either side's carp master and no traffic passes. The b/u carp becomes master, though. Replace the cable and the original master again becomes master, as expected.

Unplug the "fast" point to point line and no traffic passes.

Unplugging either side carp masters and no traffic passes.

As expected, unplugging either side's carp backup or the "slow" point to point line and there is no effect.

WHAT I'VE TRIED:

Removing "redistribute default" from the locals, removing "interface carp0" from the locals, removing the default gateway in /etc/mygate from the locals.

Can anybody point me in the right direction for how to troubleshoot this?

Thanks in advance.

-John
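
Added example (not part of the original thread): a small Python check that parses the router-id, area-level auth and interface lines used in the ospfd.conf files above and reports router-id collisions or auth-type/key mismatches, either of which would keep adjacencies from forming. It assumes auth is set only at area level, as in the post; the function names and the choice to compare every config against the first one are assumptions of this example.

```python
import re

# Constructed input: the remote "fiber" config as posted; SLOW is derived from it.
FIBER = """router-id 1.1.1.1
area 0.0.0.0 {
    auth-type crypt
    auth-md 1 "password1"
    auth-md 2 "password2"
    auth-md-keyid 1
    interface nfe0 { metric 10 }
    interface bge0 { metric 20 }
    interface carp0
}"""
SLOW = FIBER.replace("1.1.1.1", "2.2.2.2").replace("nfe0", "gre0")

RULES = [  # (pattern, handler) for the subset of ospfd.conf used in the post
    (r"router-id\s+(\S+)", lambda c, m: c.update(router_id=m[1])),
    (r"auth-type\s+(\S+)", lambda c, m: c.update(auth_type=m[1])),
    (r'auth-md\s+(\d+)\s+"(.*)"', lambda c, m: c["keys"].update({int(m[1]): m[2]})),
    (r"auth-md-keyid\s+(\d+)", lambda c, m: c.update(keyid=int(m[1]))),
    (r"interface\s+(\S+)(?:\s*\{\s*metric\s+(\d+)\s*\})?",
     lambda c, m: c["ifaces"].update({m[1]: int(m[2]) if m[2] else None})),
]

def parse(text):
    """Parse router-id, area-level auth and interfaces from one ospfd.conf."""
    conf = {"router_id": None, "auth_type": "none", "keys": {}, "keyid": None, "ifaces": {}}
    for line in (l.strip() for l in text.splitlines()):
        for pattern, handler in RULES:
            m = re.fullmatch(pattern, line)
            if m:
                handler(conf, m)
    return conf

def check(confs):
    """Return mismatches that would stop OSPF adjacencies from forming."""
    problems = []
    ids = [c["router_id"] for c in confs.values()]
    problems += [f"duplicate router-id {r}" for r in sorted(set(ids)) if ids.count(r) > 1]
    ref_name, ref = next(iter(confs.items()))
    for name, c in confs.items():
        if c["auth_type"] != ref["auth_type"]:
            problems.append(f"{name}: auth-type differs from {ref_name}")
        elif c["auth_type"] == "crypt":
            if c["keyid"] not in c["keys"]:
                problems.append(f"{name}: auth-md-keyid {c['keyid']} is not defined")
            elif c["keys"][c["keyid"]] != ref["keys"].get(c["keyid"]):
                problems.append(f"{name}: key {c['keyid']} secret differs from {ref_name}")
    return problems
```

The messages name only the key id, never the secret, so the output can be pasted into a list post without leaking the auth-md passwords.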
