Hi Henning,

Thanks for your response. Yes, your understanding of spanning tree is the same as mine (I meant turn ON portfast at the end, not turn off, sorry!). I realize that enabling portfast is a solution, but I am still very puzzled by why the server pauses when portfast is off, as I don't think it should make any difference. If portfast is off, the changeover shouldn't happen until the port can send and receive traffic anyway, so that should be seamless, which it isn't.
When portfast isn't enabled it only starts seeing traffic after the port has gone into forwarding mode, and I am sure it is seeing traffic that it didn't originate itself, but it definitely isn't responding. I spent a little while looking into it yesterday as I was worried that it might cause me problems later on, and I captured a few logs of the startup sequence on the master if it helps (some background: 192.168.1.101 is the master firewall, and is creating the CARP advertisements with advskew 1; 192.168.1.102 is the backup and has the advskew of 100; 192.168.0.20 and 112 are test boxes that are constantly pinging the 101 address to test its response).

Annotated Log:

>> PORT IS IN LEARNING MODE, nothing is being allowed out, only STP messages are allowed in.
11:35:02.162830 802.1d STP config root=2000.0:xx:x:xx:xx:xx rootcost=3 bridge=8000.00
11:35:03.079833 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:04.099833 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:04.163588 802.1d STP config root=2000.0:xx:x:xx:xx:xx rootcost=3 bridge=8000.00
11:35:05.119835 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:05.350726 802.1d STP config flags=1<TC> role=DESIGNATED root=2000.0:d0:0:f3:140
>> PORT SWITCHES TO FORWARDING MODE (here you see echo requests come in from 192.168.0.20 and carp advertisements with a different advskew come in. At this point the other firewall changes to BACKUP from MASTER)
11:35:05.743107 192.168.0.20 > 192.168.1.101: icmp: echo request
11:35:05.921747 CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 demote=0 (DF)
11:35:06.136239 192.168.0.112 > 192.168.1.101: icmp: echo request (DF)
11:35:06.139833 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:06.163971 802.1d STP config flags=1<TC> role=DESIGNATED root=2000.0:d0:0:f3:140
11:35:06.742987 192.168.0.20 > 1927497 192.168.0.112 > 192.168.1.1: icmp: echo request (DF)
11:35:07.136618 192.168.0.112 > 192.168.1.101: icmp: echo request (DF)
11:35:07.159835 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:07.306637 192.168.1.253.1985 > 224.0.0.2.1985:HSRPv0-hello 20: state=active gr4
11:35:07.743116 192.168.0.20 > 192.168.1.101: icmp: echo request
11:35:07.928251 192.168.0.112 > 192.168.1.1: icmp: echo request (DF)
11:35:08.012075 192.168.1.252.1985 > 224.0.0.2.1985:HSRPv0-hello 20: state=stvskew=1 demote=0 (DF) [tos 0]
11:35:09.743998 192.168.0.20 > 192.168.1.101: icmp: echo request
11:35:09.939502 192.168.0.112 > 192.168.1.1: icmp: echo request (DF)
11:35:10.147373 192.168.0.112 > 192.168.1.101: icmp: echo request (DF)
11:35:10.147384 arp who-has 192.168.1.254 tell 192.168.1.101
11:35:10.147622 arp reply 192.168.1.254 is-at 00:00:0c:07:ac:7c
>> FIRST REPLY APPEARS (I have no idea what triggers this, but all of a sudden the server starts responding)
11:35:10.147631 192.168.1.101 > 192.168.0.112: icmp: echo reply (DF)
11:35:10.162863 802.1d STP config flags=1<TC> role=DESIGNATED root=2000.0:d0:0:f3:140
11:35:10.219832 CARPv2-advertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:10.744127 192.168.0.20 > 192.168.1.101: icmp: echo request
11:35:10.744137 192.168.1.101 > 192.168.0.20: icmp: echo reply
11:35:10.941505 192.168.0.112 > 192.168.1.1dvertise 36: vhid=3 advbase=1 advskew=1 demote=0 (DF) [tos 0]
11:35:11.574487 192.168.1.253.1985 > 224.0.0.2.1985:HSRPv0-hello 20: state=active gr4
11:35:11.744881 192.168.0.20 > 192.168.1.101: icmp: echo request
11:35:11.744892 192.168.1.101 > 192.168.0.20: icmp: echo reply

On 06/03/2008, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Clifford Bailey <[EMAIL PROTECTED]> [2008-03-05 16:45]:
> > Hi,
> >
> > I have a puzzling issue with carp which I wondered whether anyone knew
> > the answer to. I have two carp + pf + pfsync (on openbsd 4.2) boxes in
> > a standard failover configuration (master and backup designated by
> > advskew values). When the master is brought down the failover works
> > nicely. When the master comes back up though, it takes control
> > straight away, but doesn't respond to anything for between 5 and 20
> > seconds. I have found a workaround for this issue by enabling portfast
> > on the port switches that the firewall is connected to, but it doesn't
> > make any sense to me why the firewall acts in this way when portfast
> > is disabled.
>
> err... portfast refers to spanning tree. here is what happens with
> portfast disabled:
> -machine comes up, port goes up
> -switch blocks the port for 15..30s, depending on configured stp
> timings, and listens for stp announcements on that port
> -the machine does not see carp advertisements from the other machine,
> since the switchport is blocked by stp. thus it thinks it is alone and
> goes to master. the other machine is master too, but since the freshly
> booted one has no net that does not matter much.
> -after the switch figured out there is no spanning tree speaking
> device on that port, it unblocks it and traffic can flow. for a short
> period both machines are master. since they see their respective carp
> announcements one goes to backup quickly.
>
> With setting portfast, you tell the switch that there is no stp
> speaking device on that port and the port transitions to forwarding (i.
> e. NOT blocking) right away after the link comes up. so that is not a
> workaround but the proper solution.
>
> > 4. HOWEVER, although the master now originates and receives traffic,
> > it doesn't respond to any traffic, ie it won't send an echo reply to a
> > request or ack any tcp traffic. This stays like this for between 5 and
> > 20 seconds,
>
> are you sure that the master gets any traffic that it didn't
> originate itself, i. e. that actually went thru the switchport in
> question? I have a hard time believing that.
>
> > If I turn off portfast on the switch ports, the sequence is exactly
> > the same, except that the 5 to 20 second delay isn't there.
>
> turn OFF portfast??
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
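The election sequence Henning walks through (booting node hears nothing while STP blocks the port, times out and goes MASTER, both nodes are MASTER until the port forwards, then the higher-advskew node steps down) can be checked with a small timing model. The block below is an added example, not code from this thread and not OpenBSD's carp(4); it only copies the timer arithmetic of ip_carp.c as this editor understands it (a master advertises every advbase + advskew/256 s, a backup declares the master down after 3*advbase + advskew/256 s of silence, a master that hears a peer advertising at least as often as itself goes BACKUP, and with net.inet.carp.preempt=1 a backup that hears a slower master takes over). It assumes preempt is on, which the original post's "takes control straight away" suggests, and it uses constructed node names (fw1, fw2), a constructed 30 s STP forwarding delay, and a 1 ms time step. It does not model the part of the capture that is still unexplained: the first echo reply in the log appears only right after the firewall resolves 192.168.1.254 by ARP, several seconds after the port began forwarding.

```python
"""Toy model of two CARP nodes behind a switch port that STP keeps blocked.

Added example; not OpenBSD code. Timer rules copied from the carp(4)
behaviour described in the thread, everything else is constructed.
"""

INIT, BACKUP, MASTER = "INIT", "BACKUP", "MASTER"


class CarpNode:
    def __init__(self, name, advbase, advskew, preempt=True):
        self.name = name            # constructed hostname
        self.advbase = advbase
        self.advskew = advskew
        self.preempt = preempt      # assumption: net.inet.carp.preempt=1
        self.state = INIT
        self.next_adv = None        # when the next advertisement is due (MASTER only)
        self.master_down_at = None  # when silence makes us claim MASTER (BACKUP only)
        self.log = []               # (time, old_state, new_state)

    def adv_interval(self):
        # MASTER: seconds between advertisements
        return self.advbase + self.advskew / 256.0

    def master_down_interval(self):
        # BACKUP: seconds of silence before declaring the master dead
        return 3 * self.advbase + self.advskew / 256.0

    def set_state(self, now, state):
        if state != self.state:
            self.log.append((round(now, 3), self.state, state))
            self.state = state

    def start(self, now):
        # a freshly configured interface starts as BACKUP and arms the timer
        self.set_state(now, BACKUP)
        self.master_down_at = now + self.master_down_interval()
        self.next_adv = None

    def become_master(self, now):
        self.set_state(now, MASTER)
        self.master_down_at = None
        self.next_adv = now  # advertise immediately

    def tick(self, now):
        """Advance to time `now`; return (advbase, advskew) if we advertise now."""
        if self.state == BACKUP and now >= self.master_down_at:
            self.become_master(now)
        if self.state == MASTER and now >= self.next_adv:
            self.next_adv = now + self.adv_interval()
            return (self.advbase, self.advskew)
        return None

    def receive(self, now, advbase, advskew):
        """Process a peer advertisement that actually reached us."""
        mine = self.adv_interval()
        theirs = advbase + advskew / 256.0
        if self.state == MASTER:
            # a peer advertising at least as often as we do wins the election
            if mine >= theirs:
                self.set_state(now, BACKUP)
                self.next_adv = None
                self.master_down_at = now + self.master_down_interval()
        elif self.state == BACKUP:
            if self.preempt and mine < theirs:
                self.become_master(now)   # preempt: we are the better master
            elif self.master_down_interval() < theirs:
                self.become_master(now)   # master too slow; it would time out anyway
            else:
                self.master_down_at = now + self.master_down_interval()


def simulate(block_until, duration=40.0, dt=0.001):
    """fw1 (advskew 1) boots at t=0 behind a port STP blocks until `block_until`;
    fw2 (advskew 100) has been MASTER since fw1 went down.
    Returns (fw1, fw2, seconds during which both were MASTER)."""
    a = CarpNode("fw1", 1, 1)
    b = CarpNode("fw2", 1, 100)
    b.become_master(0.0)
    a.start(0.0)
    both = 0.0
    for i in range(int(duration / dt)):
        now = i * dt
        adv_a = a.tick(now)
        adv_b = b.tick(now)
        if now >= block_until:  # port is forwarding: advertisements cross
            if adv_a:
                b.receive(now, *adv_a)
            if adv_b:
                a.receive(now, *adv_b)
        if a.state == MASTER and b.state == MASTER:
            both += dt
    return a, b, round(both, 2)


def main():
    for label, block in (("portfast off, 30 s STP delay", 30.0), ("portfast on", 0.0)):
        a, b, both = simulate(block)
        print(f"{label}: both MASTER for {both} s")
        for node in (a, b):
            for t, old, new in node.log:
                print(f"  t={t:7.3f}  {node.name}: {old} -> {new}")


if __name__ == "__main__":
    main()
```

With the port blocked, fw1 goes MASTER after about 3.0 s of silence and the two boxes stay dual-master until fw1's first advertisement crosses the port at roughly 30.1 s; with portfast the handover completes within one advertisement interval. Either way fw1 ends up MASTER and fw2 BACKUP, so the model reproduces the "takes control straight away" part of the report but not the non-responsive window, which is consistent with that window having a cause other than the election itself.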