Hello, I thought it had to be unique _on the same network segment_, but not necessarily on the same machine.
And everything works again since I moved the firewall off the backbone (2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description "DMZ Internet"

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description "DMZ Internet"

They also run like a charm !?
I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: uday [mailto:umoorjani....@gmail.com]
Sent: Friday 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group.

From the man:
    The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre<bardo...@mipih.fr> wrote:
> Hello,
>
> CARP is configured using a script. Here it is (truncated version):
>
> ifconfig carp5 create
> ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description "LAN"
>
> ifconfig carp2 create
> ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
>
> ifconfig carp3 create
> ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
>
> ifconfig carp12 create
> ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
>
> ifconfig carp13 create
> ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
>
> ifconfig carp4 create
> ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
> ifconfig carp4 alias 217.109.108.1/24
>
> ifconfig carp14 create
> ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description "Internet"
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original Message-----
> From: uday [mailto:umoorjani....@gmail.com]
> Sent: Friday 26 June 2009 12:21
> To: BARDOU Pierre
> Cc: misc@openbsd.org
> Subject: Re: CARP problem : slave rioting
>
> Can you post configuration files for the carp interfaces ?
>
> "Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.
>
> On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre<bardo...@mipih.fr> wrote:
>> Hello,
>>
>> I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using CARP.
>> Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
>> Master's advskew is 10, slave's is 50.
>> All has worked like a charm for nearly 2 years, but for the last 3 weeks I have had odd problems:
>>
>> * on the net interface, the backup becomes master, but the master remains master -> Nearly half of the packets are lost
>> I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master !
>> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
>> CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
>> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
>> CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
>>
>> * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.
>>
>> Could you give me any clue to keep my master in master state?
>>
>> Thank you
>>
>> --
>> Regards,
>>
>> Pierre BARDOU
>> CSIM - Bureau 012
>>
>> Midi Picardie Informatique Hospitalière
>> 12 rue Michel Labrousse
>> BP93668
>> F-31036 Toulouse CEDEX 1
>>
>> Tel: 05 67 31 90 84
>> Fax: 05 34 61 51 00
>> Mail: bardo...@mipih.fr
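The symptom in the first mail (advertisements for vhid 10 arriving with both advskew 10 and advskew 50 on one segment, i.e. two nodes acting as master) can be picked out of a tcpdump capture mechanically. This is an added example, not code from the thread; the sample capture is constructed from the two lines quoted above and the parser assumes that tcpdump -e layout (header line, CARP detail wrapped onto the next line).

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the tcpdump -e output quoted in the thread:
# each advertisement is a header line followed by a wrapped CARP detail line.
SAMPLE = """\
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
"""

# A record starts with a tcpdump timestamp at the beginning of a line.
TS = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+"
RECORD_START = re.compile(r"\n(?=" + TS + ")")
ADV_RE = re.compile(
    r"^(?P<ts>" + TS + r").*?CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)",
    re.S,  # the CARP detail may sit on the line after the header
)

def parse_advertisements(text):
    """Return [(timestamp, vhid, advbase, advskew), ...] for every CARP advertisement."""
    advs = []
    for record in RECORD_START.split(text.strip()):
        m = ADV_RE.match(record)
        if m:
            advs.append((m["ts"], int(m["vhid"]), int(m["advbase"]), int(m["advskew"])))
    return advs

def find_split_brain(advs):
    """Map vhid -> sorted advskews seen, for vhids with more than one advertiser.

    On a healthy segment only the master advertises, so one advskew per vhid.
    CARP frames are sent from the virtual MAC 00:00:5e:00:01:<vhid>, so the
    source address cannot tell the nodes apart; advskew is used instead, which
    only works when the nodes are configured with different advskews (10/50 here).
    """
    seen = defaultdict(set)
    for _, vhid, _, advskew in advs:
        seen[vhid].add(advskew)
    return {vhid: sorted(skews) for vhid, skews in seen.items() if len(skews) > 1}

if __name__ == "__main__":
    for vhid, skews in find_split_brain(parse_advertisements(SAMPLE)).items():
        print(f"vhid {vhid}: {len(skews)} nodes advertising (advskew {skews}); "
              f"expected master is advskew {skews[0]}, the others should be BACKUP")
```

Run it against a capture taken per physical interface or VLAN; a vhid reported here on one segment, or the same vhid reported on two different VLANs, is exactly the condition the advice about unique vhids per redundancy group is meant to avoid.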