Problems / questions about CARP


Problems / questions about CARP

Tobias Walkowiak
I just set up 2 redundant firewalls that use CARP / pfsync. I ran into the
fact that everything works fine but when shutting down the MASTER, the
BACKUP doesn't take over the states of the connections. Is that intended or
did I do something wrong? I configured my systems exactly the way the man
pages and tutorials told me and I'm not using ifstated.

What I hoped is that even the whole master can fail without being noticed
for the existing sessions.

TIA
--
tobias


Re: Problems / questions about CARP

Eli K. Breen
I've seen this problem as well, when shutting down to single-user mode,
the arp on the adapter stays active, yet no IP protocols are usable b/c
the NIC loses its IP addresses and then refuses to relinquish control
of the carp interface to the BACKUP - This is a huge bug IMHO.

You'll also see the following spewed out to the console upon shutting
down (to Single-User mode), this appears in /var/log/messages and on the
console of the machine shut down to S.U. mode.

kernel: carp_input: received len 20 < sizeof(struct carp_header)


-E-

Tobias Walkowiak wrote:

> I just set up 2 redundant firewalls that use CARP / pfsync. I ran into the
> fact that everything works fine but when shutting down the MASTER, the
> BACKUP doesn't take over the states of the connections. Is that intended or
> did I do something wrong? I configured my systems exactly the way the man
> pages and tutorials told me and I'm not using ifstated.
>
> What I hoped is that even the whole master can fail without being noticed
> for the existing sessions.
>
> TIA


Re: Problems / questions about CARP

Chad M Stewart
On Nov 16, 2005, at 3:57 PM, Tobias Walkowiak wrote:

> I just set up 2 redundant firewalls that use CARP / pfsync. I ran into the
> fact that everything works fine but when shutting down the MASTER, the
> BACKUP doesn't take over the states of the connections. Is that intended or
> did I do something wrong? I configured my systems exactly the way the man
> pages and tutorials told me and I'm not using ifstated.

Something is wrong. I've set up such an environment and it works;
state passes between the firewalls. If state is not passing then
something is wrong with the configuration.

Search the archives of this list and/or the pf list.

-Chad

>
> What I hoped is that even the whole master can fail without being noticed
> for the existing sessions.
>
> TIA
> --
> tobias


Re: Problems / questions about CARP

Dag Richards
Try doing a tcpdump -i pfsync0.

You should see traffic. If not, make sure the iface shows something like
this in ifconfig:

pfsync0: flags=41<UP,RUNNING> mtu 1348
         pfsync: syncdev: em1 syncpeer: 192.168.10.3 maxupd: 128


Also,
tcpdump -n -e -ttt -i pflog0
can show hints about where your rules are obeying you without consulting
the do_what_I_mean bit.



Chad M Stewart wrote:

> On Nov 16, 2005, at 3:57 PM, Tobias Walkowiak wrote:
>
>> I just set up 2 redundant firewalls that use CARP / pfsync. I ran into the
>> fact that everything works fine but when shutting down the MASTER, the
>> BACKUP doesn't take over the states of the connections. Is that intended or
>> did I do something wrong? I configured my systems exactly the way the man
>> pages and tutorials told me and I'm not using ifstated.
>
>
> Something is wrong. I've set up such an environment and it works; state
> passes between the firewalls. If state is not passing then something
> is wrong with the configuration.
>
> Search the archives of this list and/or the pf list.
>
> -Chad
>
>>
>> What I hoped is that even the whole master can fail without being noticed
>> for the existing sessions.
>>
>> TIA
>> --
>> tobias


Re: Problems / questions about CARP

Tobias Walkowiak
On Wed, Nov 16, 2005 at 04:21:00PM -0800, Dag Richards wrote:
>
> pfsync0: flags=41<UP,RUNNING> mtu 1348
>         pfsync: syncdev: em1 syncpeer: 192.168.10.3 maxupd: 128

Hm, I get

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
...
        status: active
        inet 10.250.0.1 netmask 0xffffff00 broadcast 10.250.0.255
...
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncdev: xl0 syncpeer: 224.0.0.240 maxupd: 128

although I chose 10.250.0.0/24 as the pfsync-net between both NICs. So,
doesn't the syncpeer have to be from that class-C net? My hostname.pfsync0
says
        up syncdev xl0
Did I forget something?

cheers
--
[id] [hidden email]
[net place] www.tobias-walkowiak.de
[gpg fingerprint] 02D4 BEF0 988A 7E32 8A16  A244 B2B6 0C2E 25B2 0A1E
[message] ><> Jesus loves you <><


Re: Problems / questions about CARP

Dag Richards
Tobias Walkowiak wrote:

> On Wed, Nov 16, 2005 at 04:21:00PM -0800, Dag Richards wrote:
>
>>pfsync0: flags=41<UP,RUNNING> mtu 1348
>>        pfsync: syncdev: em1 syncpeer: 192.168.10.3 maxupd: 128
>
>
> hm, i get
>
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> ...
>         status: active
>         inet 10.250.0.1 netmask 0xffffff00 broadcast 10.250.0.255
> ...
> pfsync0: flags=41<UP,RUNNING> mtu 1348
>         pfsync: syncdev: xl0 syncpeer: 224.0.0.240 maxupd: 128
>
> although i chose 10.250.0.0/24 as the pfsync-net between both NICs. so,
The above output means you did not choose what you think you did.....

> doesnt the syncpeer have to be from that class-c net? my hostname.pfsync0

Same network, yes ... class C, no.
> says
> up syncdev xl0
> did i forget something?
>
> cheers
It should look like this:

fw0# cat   hostname.pfsync0
up syncpeer 192.168.10.3 syncdev em1

I think that must be why your pfsync0 device is using a multicast addr:
you have not told it what the peer is.


Re: Problems / questions about CARP

Henning Brauer
* Dag Richards <[hidden email]> [2005-11-17 16:32]:
> Tobias Walkowiak wrote:
> >On Wed, Nov 16, 2005 at 04:21:00PM -0800, Dag Richards wrote:
> >pfsync0: flags=41<UP,RUNNING> mtu 1348
> >        pfsync: syncdev: xl0 syncpeer: 224.0.0.240 maxupd: 128

> should look like this
>
> fw0# cat   hostname.pfsync0
> up syncpeer 192.168.10.3 syncdev em1

that is bad advice.

> I think that must be why you pfsync0 device using a multicast addr, you
> have not told it what the peer is.

and using multicast for pfsync is _perfectly_ fine. that's why it is
the default, after all...

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
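A check for the pfsync0 state the thread walks through, added here as an example and not code from any of the posts: it parses ifconfig output in the format quoted above, reports the syncdev, whether the syncpeer is the default multicast group or a unicast address, and for a unicast peer whether it sits on the syncdev's network (Dag's "same network, yes"). The sample ifconfig text is constructed from Tobias's quote and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a pfsync0 setup from
# ifconfig output in the format the thread quotes. SAMPLE_IFCONFIG is
# constructed from the second quote; on a box run:  ifconfig | check_pfsync
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active
        inet 10.250.0.1 netmask 0xffffff00 broadcast 10.250.0.255
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncdev: xl0 syncpeer: 224.0.0.240 maxupd: 128'

# Print "syncdev syncpeer syncdev-inet syncdev-netmask" from ifconfig text on
# stdin; "-" stands in for anything that is missing.
pfsync_facts() {
    awk '
    function v(x) { return x == "" ? "-" : x }
    /^[a-z]+[0-9]+:/ { iface = $1; sub(":", "", iface) }
    iface != "pfsync0" && $1 == "inet" { addr[iface] = $2; mask[iface] = $4 }
    $1 == "pfsync:" {
        for (i = 2; i < NF; i++) {
            if ($i == "syncdev:")  dev  = $(i + 1)
            if ($i == "syncpeer:") peer = $(i + 1)
        }
    }
    END { print v(dev), v(peer), v(addr[dev]), v(mask[dev]) }'
}

# Dotted quad to an integer so it can be ANDed with the hex netmask
# (subshell body so the IFS change does not leak out).
ip2num() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Verdict: NO_PFSYNC, SYNCDEV_NO_INET, MULTICAST_DEFAULT (224.0.0.240, the
# default and fine), UNICAST_ON_LINK, or UNICAST_OFF_LINK (a unicast
# syncpeer that is not on the syncdev's network).
check_pfsync() {
    set -- $(pfsync_facts)
    dev=$1 peer=$2 addr=$3 mask=$4
    [ "$dev" != - ]  || { echo NO_PFSYNC; return 0; }
    [ "$addr" != - ] || { echo "SYNCDEV_NO_INET $dev"; return 0; }
    [ "$peer" != 224.0.0.240 ] || { echo "MULTICAST_DEFAULT $dev"; return 0; }
    if [ $(( $(ip2num "$peer") & $mask )) -eq $(( $(ip2num "$addr") & $mask )) ]; then
        echo "UNICAST_ON_LINK $dev $peer"
    else
        echo "UNICAST_OFF_LINK $dev $peer"
    fi
}

printf '%s\n' "$SAMPLE_IFCONFIG" | check_pfsync   # MULTICAST_DEFAULT xl0
```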


Re: Problems / questions about CARP

Dag Richards
Henning Brauer wrote:

> * Dag Richards <[hidden email]> [2005-11-17 16:32]:
>
>>Tobias Walkowiak wrote:
>>
>>>On Wed, Nov 16, 2005 at 04:21:00PM -0800, Dag Richards wrote:
>>>pfsync0: flags=41<UP,RUNNING> mtu 1348
>>>       pfsync: syncdev: xl0 syncpeer: 224.0.0.240 maxupd: 128
>
>
>>should look like this
>>
>>fw0# cat   hostname.pfsync0
>>up syncpeer 192.168.10.3 syncdev em1
>
>
> that is bad advice.
>
>
>>I think that must be why you pfsync0 device using a multicast addr, you
>>have not told it what the peer is.
>
>
> and using multicast for pfsync is _perfectly_ fine. that's why it is
> the default, after all...
>

Sorry,
I should have stated this as ...

"This is working for me configured this way. I have pfsync running on
non-dedicated links over an ipsec tunnel".

Thank you sir, may I have another?