On Fri, Mar 17, 2006 at 02:35:55PM -0500, Steven S wrote:
> Adam D. Morley wrote:
> ...
> > Have you checked:
> >
> > - carp settings in sysctl?
> > - carp pass rules (and ordering) in pf.conf (if you have default
> >   deny)?
> > - that you have advskew set "right" on the backup firewall?
> >
> > # grep carp /etc/sysctl.conf
> > net.inet.carp.allow=1 # allow incoming CARP packets
> > net.inet.carp.preempt=1 # failover all CARP interfaces if one fails
> >
> > # grep carp /etc/pf.conf
> > pass quick on $ext_ints proto carp keep state
> > pass on $int_phys proto carp keep state
> > pass on $int_vlan proto carp keep state
> >
> > # cat /etc/hostname.carp1
> > vhid 1 advskew 100 pass XXXX
> > inet XXX 0xffffff00
>
> Thanks, this is helpful. The settings on the FW's are as above. An
> incorrect setting (above) would seem to make it not work -- as opposed to

Ok. But mine works and yours doesn't?

> what I'm seeing. Sometimes FW2 takes over as MASTER for some interfaces,
> but FW1 never moves to BACKUP. I do have net.inet.carp.preempt=1 set on
> FW1, but not FW2.

You're supposed to set preempt on both, iirc.

>
> As another experiment I moved advbase on FW2 to '2' for all carps, but the

base is how often. skew is priority.

--
adam
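
An added example, not part of the original message or of any poster's configuration: a small Python audit of the settings discussed in this thread (preempt on both nodes, advbase and advskew). The file contents are constructed samples, and the script assumes the carp(4) behaviour that a node advertises every advbase + advskew/256 seconds, that the most frequent advertiser is the expected master, and that the defaults are advbase 1, advskew 0, allow 1, preempt 0.

```python
import re

# Constructed sample files for two firewalls (not taken from the thread).
NODES = {
    "FW1": {"sysctl.conf": "net.inet.carp.allow=1\nnet.inet.carp.preempt=1  # failover\n",
            "hostname.carp1": "inet 192.0.2.1 0xffffff00 vhid 1 advskew 0 pass XXXX\n"},
    "FW2": {"sysctl.conf": "net.inet.carp.allow=1\n",
            "hostname.carp1": "inet 192.0.2.1 0xffffff00 vhid 1 advbase 2 advskew 100 pass XXXX\n"},
}

def sysctl_value(text, key, default):
    """Return the integer value of key in sysctl.conf text, ignoring comments."""
    for line in text.splitlines():
        name, _, value = line.split("#", 1)[0].partition("=")
        if name.strip() == key and value.strip().isdigit():
            return int(value)
    return default

def carp_params(text):
    """Extract vhid/advbase/advskew from hostname.carpN text."""
    params = {"vhid": None, "advbase": 1, "advskew": 0}  # assumed defaults
    for name, value in re.findall(r"\b(vhid|advbase|advskew)\s+(\d+)", text):
        params[name] = int(value)
    return params

def adv_interval(p):
    """Seconds between advertisements: advbase + advskew/256."""
    return p["advbase"] + p["advskew"] / 256

def audit(nodes, iface="hostname.carp1"):
    """Return (findings, intervals, expected_master) for one CARP group."""
    findings, intervals, vhids = [], {}, set()
    for name, files in nodes.items():
        if sysctl_value(files["sysctl.conf"], "net.inet.carp.allow", 1) != 1:
            findings.append(f"{name}: net.inet.carp.allow is not 1")
        if sysctl_value(files["sysctl.conf"], "net.inet.carp.preempt", 0) != 1:
            findings.append(f"{name}: net.inet.carp.preempt is not 1")
        p = carp_params(files[iface])
        vhids.add(p["vhid"])
        intervals[name] = adv_interval(p)
    if len(vhids) != 1:
        findings.append(f"vhid differs between nodes: {sorted(vhids, key=str)}")
    if len(set(intervals.values())) != len(intervals):
        findings.append("equal advertisement intervals: no preferred master")
    return findings, intervals, min(intervals, key=intervals.get)

if __name__ == "__main__":
    findings, intervals, master = audit(NODES)
    for name, secs in intervals.items():
        print(f"{name}: advertises every {secs:.3f}s")
    print("expected master:", master)
    for finding in findings:
        print("FINDING:", finding)
```
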