Bryan Irvine wrote:
> On 3/10/06, Steven S <[EMAIL PROTECTED]> wrote:
>> Bryan Irvine wrote:
>> ...
>> ...
>>> It happened after we installed the carp firewalls, and seems to be
>>> related to ICMP-Redirect coming from the real IP, as op
Bryan Irvine wrote:
...
...
> It happened after we installed the carp firewalls, and seems to be
> related to ICMP-Redirect coming from the real IP, as opposed to the
> carp one the request went to.
>
...
Interesting, in my experiments carp interfaces didn't send ICMP redirects at
all...
http:/
I have two firewalls (FW1 & FW2) with multiple carp interfaces on an
external interface (carp1, carp12, carp14, carp15, carp16, carp17, carp18,
carp19, carp20). FW1 has all carp interfaces set with advbase 1 advskew 0
and FW2 has all carp interfaces with advbase 1 advskew 180. Frequently FW2
thin
Bryan Irvine wrote:
> I don't suppose you are using a quad card of some kind are you?
>
>
...
Three dual cards, dmesg (extracted from /var/log/messages) below:
OpenBSD 3.8-stable (GENERIC.MP) #0: Thu Jan 5 03:55:53 EST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: I
Are these messages "normal" for a carped pair of firewalls running isakmpd
with sasyncd (3.8-stable)?
FW1/master - /var/log/message:
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.
Simon Slaytor wrote:
>
> I have two logical external firewalls, each configured as
> 3.8-stable HA
> pairs using PFSync, CARP, SASync etc.
>
...
> I have used the traditional isakmpd.conf method of configuring the
> VPN's. In both cases the OBSD boxes replaced Checkpoint R55 boxes,
> during my ex
Anderson Nadal wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hello.
>
> I have the same problem.
>
...
>
> Take a look in your date/time, maybe it's the reason of your strange
> carp issues.
...
I thought of that too. If time changed by a couple seconds on the backup
server th
Bryan Irvine wrote:
> I tried before with 2 quad cards to no avail. That was under 3.6
> though IIRC. 1 or 2 if's would fail over within a couple of hours,
> but if left to its own devices, eventually they all would.
>
> If you do figure something out lemme know, I'd love to go back to the
> qu
Henning Brauer wrote:
> * Steven S <[EMAIL PROTECTED]> [2006-03-17 19:10]:
>> beginning to think it might be a component of the number of carp
>> interfaces
>
> unlikely.
> <[EMAIL PROTECTED]> $ ifconfig | grep '^carp' | wc -l
> 15
> a
Adam D. Morley wrote:
...
> Have you checked:
>
> - carp settings in sysctl?
> - carp pass rules (and ordering) in pf.conf (if you have default
> deny)?
> - that you have advskew set "right" on the backup firewall?
>
> # grep carp /etc/sysctl.conf
> net.inet.carp.allow=1 # allow incomi
Adam D. Morley wrote:
> On Fri, Mar 17, 2006 at 02:35:55PM -0500, Steven S wrote:
>> Adam D. Morley wrote:
...
>> Thanks, this is helpful. The settings on the FW's are as above. An
>> incorrect setting (above) would seem to make it not work -- as
>> opposed to
>
Joachim Schipper wrote:
>> Using NTPDATE in cron (30 minutes), I was able to handle this weird
>> behavior.
>>
>> Take a look in your date/time, maybe it's the reason of your strange
>> carp issues.
>
> As to problems with adjtime(2) and SMP machines, there is a small
> diff from tedu@ on tech@
It would appear my issues are related to timekeeping on these boxes (Compaq
DL360 G1).
If I bump advbase to '3' on each box everything is more stable. Given this,
I now have a roughly 10 second fail-over time, but that is still acceptable.
Since these are production boxes I'll probably wait un
Steven S wrote:
> It would appear my issues are related to timekeeping on these boxes
> (Compaq DL360 G1).
>
> If I bump advbase to '3' on each box everything is more stable.
> Given this, I now have a roughly 10 second fail-over time, but that
> is still accep
'netstat -in' will give you a better indication of duplex mismatches (since
it shows errors and collisions.)
-Steve S.
[EMAIL PROTECTED] wrote:
> The ifconfig and brconfig output is as follow:
[EMAIL PROTECTED] wrote:
> On Mon, 5 Dec 2005 10:40:31 -0500 (EST), Brian A. Seklecki wrote:
>
>> All:
>>
...
>> Even if other hosts receive a packet and reply to it, they won't be
>> able to ARP for it, and if they could, the original OpenBSD box will
>> drop the reply with destination host/netw
[EMAIL PROTECTED] wrote:
...
> All branches have VPN tunnels back to central location and
> the firewall rules
> have a pass quick over the VPN tunnels
>
> On the main location I have a
>
> pass quick log inet from to
> keep state
> I also have a
> pass quick log inet from to
> keep state
...
Greetings,
I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
gw (10.10.0.1/16) for a LAN. VPN users (10.4.0.0/16) come into the LAN
from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
users hit a server return packets are sent to the default gw. I
[EMAIL PROTECTED] wrote:
> On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:
...
>
> What about sysctl net.inet.ip.forwarding? Is it set to 1?
>
>> wq Claudio
Yep. The firewalls are working perfectly aside from this redirect issue.
They are even performing ISP load b
Stuart Henderson wrote:
...
>> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
>> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
>> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
>
> I suspect you will need to allow the packets through in order to get
> the redirects sent. A
...
> I know this is not the answer to your question and I'd like
> to hear how
> you wind up getting the OpenBSD box to send the redirects you are
> looking for, but relying on redirects to do your routing for any
> length of time is asking for trouble IMHO. You might just be better
> off, t
Greetings,
I'm trying to use ifstated to determine the state (up or down) of my two ISP
connections. Currently I'm using ping, which I realize is imperfect, but
I'm getting some odd transitions.
For example, ISP2 is very unreliable and ifstated was in the ISP2down state.
>From there, based on th
[EMAIL PROTECTED] wrote:
> On 1/30/06, Bruno Carnazzi <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> Everything seems to work fine but OpenBSD finds only one CPU ! :(
>> Does somebody know why and how I can use the 2 CPUs ?
>>
...
>
> Works fine here on the DL380G4's with -current (worked with release
[EMAIL PROTECTED] wrote:
> John R. Shannon wrote:
>> On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
>>> Hi, All!
>>>
>>> I have a router with two external ethernet links to two different
>>> ISPs. Could someone recommend me a good technique to organize
> failover with
> these
...
>> I
[EMAIL PROTECTED] wrote:
> On Mon, 6 Feb 2006 23:54:21 -0500, Steven S wrote:
>
>> [EMAIL PROTECTED] wrote:
>>> John R. Shannon wrote:
>>>> On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
>>>>> Hi, All!
...
>
> I don&
> -Original Message-
> On Behalf Of Christopher Vance
>
> I have a network being installed with a pair of 3.8 firewalls running
> carp for failover. Temporarily, their external connection is via
> residential grade router and wireless ADSL modem, with the router
> doing pppoe. A real net
[EMAIL PROTECTED] wrote:
> I recently tried to use netperf, but it seemed more to test
> my CPU than
> the network and thus reporting low throughput. benchmarks/netstrain is
> much less demanding on the CPU. Of course, one may use ftp to download
> large files since the OpenBSD one reports speed as
For the archives, I noticed some commits to ifstated for 3.9-beta so I built
the 3.9-beta ifstated on a 3.8-stable box. Ifstated seems to be much more
reliable now. Thanks!
-Steve S.
[EMAIL PROTECTED] wrote:
> Greetings,
>
> I'm trying to use ifstated to determine the state (up or
> down) of my