* Clifford Bailey <[EMAIL PROTECTED]> [2008-03-05 16:45]:
> Hi,
>
> I have a puzzling issue with carp which I wondered whether anyone knew
> the answer to. I have two carp + pf + pfsync (on openbsd 4.2) boxes in
> a standard failover configuration (master and backup designated by
> advskew values). When the master is brought down the failover works
> nicely. When the master comes back up though, it takes control
> straight away, but doesn't respond to anything for between 5 and 20
> seconds. I have found a workaround for this issue by enabling portfast
> on the port switches that the firewall is connected to, but it doesn't
> make any sense to me why the firewall acts in this way when portfast
> is disabled.
err... portfast refers to spanning tree. here is what happens with portfast disabled:

-machine comes up, port goes up
-switch blocks the port for 15..30s, depending on configured stp timings, and listens for stp announcements on that port
-the machine does not see carp advertisements from the other machine, since the switchport is blocked by stp. thus it thinks it is alone and goes to master. the other machine is master too, but since the freshly booted one has no net that does not matter much.
-after the switch figured out there is no spanning tree speaking device on that port, it unblocks it and traffic can flow. for a short period both machines are master. since they see their respective carp announcements one goes to backup quickly.

With setting portfast, you tell the switch that there is no stp speaking device on that port and the port transitions to forwarding (i. e. NOT blocking) right away after the link comes up. so that is not a workaround but the proper solution.

> 4. HOWEVER, although the master now originates and receives traffic,
> it doesn't respond to any traffic, ie it won't send an echo reply to a
> request or ack any tcp traffic. This stays like this for between 5 and
> 20 seconds,

are you sure that the master gets any traffic that it didn't originate itself, i. e. that actually went through the switchport in question? I have a hard time believing that.

> If I turn off portfast on the switch ports, the sequence is exactly
> the same, except that the 5 to 20 second delay isn't there.

turn OFF portfast??

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
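A constructed timeline model of the election sequence described in the reply above, added here as an example and not part of the thread or of OpenBSD's carp(4): two simplified CARP nodes (assumed advskew 0 and 100, preempt on), where the rebooting box sits behind a switch port that STP keeps blocked for an assumed 20 s, so every frame to or from it is lost until then.

```python
"""Simplified timeline model of the CARP election described above. This is a
constructed illustration, not OpenBSD carp(4) code. Assumed simplifications:
advertisement interval = advbase + advskew/256 s, a non-master declares itself
master after 3 intervals of silence, preempt is on, and the rebooting box's
switch port drops every frame until STP stops blocking it (block_until)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    advskew: int
    state: str
    advbase: int = 1
    last_heard: float = 0.0              # time of last acceptable advertisement
    log: list = field(default_factory=list)

    @property
    def interval(self) -> float:
        return self.advbase + self.advskew / 256.0


def simulate(block_until=20.0, t_end=30.0, step=0.25):
    """fw1 (advskew 0) reboots at t=0; fw2 (advskew 100) has been master since
    the outage. Returns both state logs and how long both were master."""
    fw1 = Node("fw1", advskew=0, state="INIT")
    fw2 = Node("fw2", advskew=100, state="MASTER")
    nodes, next_adv, dual, t = [fw1, fw2], {"fw1": 0.0, "fw2": 0.0}, 0.0, 0.0
    while t <= t_end:
        for n in nodes:                  # masters advertise on their interval
            if n.state != "MASTER" or t < next_adv[n.name]:
                continue
            next_adv[n.name] = t + n.interval
            peer = fw2 if n is fw1 else fw1
            if t < block_until:          # STP still blocks fw1's port: frame lost
                continue
            if n.advskew <= peer.advskew:   # sender is at least as good
                if peer.state == "MASTER":
                    peer.log.append((t, "BACKUP"))
                peer.state, peer.last_heard = "BACKUP", t
            elif peer.state != "MASTER":    # worse master heard: preempt it
                peer.state = "MASTER"
                peer.log.append((t, "MASTER"))
        for n in nodes:                  # silence timeout: elect self master
            if n.state != "MASTER" and t - n.last_heard > 3 * n.interval:
                n.state = "MASTER"
                n.log.append((t, "MASTER"))
        if fw1.state == fw2.state == "MASTER":
            dual += step
        t += step
    return {"fw1": fw1.log, "fw2": fw2.log, "dual_master_seconds": dual}
```

With the defaults the rebooted box elects itself master after about 3 s of hearing nothing and both boxes stay master until the port starts forwarding, a window of the same order as the delay the original poster saw; with block_until=0 (the portfast case) that window lasts a single step.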