Re: Odd CARP behavior

Fri, 20 May 2011 05:47:26 -0700 

Hello,
We had the same problem a few weeks ago, where one interface on the backup machine decides to become master. This will create an ARP conflict as both machines will respond to the ARP request, and that will make it very slow. 


The first thing to check is wether the two interfaces see each other, 
are they receiving the CARP messages? do a tcpdump and find out if the 
CARP packets are received

(they will be marked as VRRP in wireshark).

Next check your firewall rules (pf.conf if you are using it) make sure 
that you pass carp packets (add these rules after the global block rule)



After resovling this issue use ifstated that comes with openbsd to force 
MASTER/MASTER interfaces on the machine that becomes MASTER.



Le 20/05/11 00:57, Gary Thornock a icrit :

My previous company has a pair of firewalls running OpenBSD 4.4 with
CARP.  They've been running with no problem since just after the 4.4
release, until the last couple of days.

Now, the firewall that should be in BACKUP state has somehow decided
that it needs to be MASTER for some, but not all, of the CARP interfaces,
even though the master machine is running fine.  Something like this:


if      machine 1   machine 2
carp0   MASTER      BACKUP
carp1   MASTER      BACKUP
carp2   MASTER      MASTER
carp3   MASTER      BACKUP
carp4   MASTER      MASTER


The interfaces where both machines try to be MASTER at the same time
become unreliable or unreachable.

I looked around Google but couldn't turn up any reports of similar
issues.  Admittedly I might have been searching for the wrong terms,
though.

Any ideas as to what could be causing this problem?  They're likely
to rebuild both machines in the next week or so, either with 4.6 (so
they can keep their existing pf.conf) or with 4.9 so as to be current,
but they'd like some assurance that a rebuild will actually solve the
problem.  (If it were, say, a failing NIC, updating the software
wouldn't help.)

For whatever it's worth, the machines in question are Poweredge R200s,
with the two on-board Broadcom gigabit ports and an additional Intel
gigabit card for pfsync.  They're running the i386 rather than the
amd64 version of OpenBSD.

Thanks in advance for any suggestions.




--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org























					Reply via email to