
Re: CARP failure: Juniper arp timeouts?



Hi,
Eric Eekhof wrote,

> I've skipped irrelevant lines to keep this post as short as possible.
> 
> FW 1
> ----
> /etc/sysctl.conf:
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
> net.inet.carp.preempt=1
> net.inet.carp.arpbalance=1
> 
> /etc/hostname.fxp0:
> inet 192.168.0.3 255.255.255.240 NONE
> 
> /etc/hostname.fxp1:
> inet 172.16.31.253 255.255.255.252 NONE
> 
> /etc/hostname.carp0:
> vhid 1 pass mekmitasdigoat 192.168.0.2
> 
> /etc/hostname.carp1:
> vhid 2 pass mekmitasdigoat 192.168.0.2
> 
> /etc/pfsync0:
> up syncif fxp1

What about your cross cable? :} You surely know that pfsync does
_not_ use cryptographically secured messages.

> ifconfig -a:
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:0d:61:32:7a:be
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 192.168.0.3 netmask 0xfffffff0 broadcast 192.168.0.15
>         inet6 fe80::20d:61ff:fe32:7abe%fxp0 prefixlen 64 scopeid 0x5
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:0d:61:32:7a:bf
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 172.16.31.253 netmask 0xfffffffc broadcast 172.16.31.255
>         inet6 fe80::20d:61ff:fe32:7abf%fxp1 prefixlen 64 scopeid 0x6
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> pfsync0: flags=41<UP,RUNNING> mtu 1348
>         pfsync: syncif: fxp1 maxupd: 128
> enc0: flags=0<> mtu 1536
> carp0: flags=41<UP,RUNNING> mtu 1500
>         carp: MASTER vhid 1 advbase 1 advskew 0
>         inet 192.168.0.2 netmask 0xff000000 
> carp1: flags=41<UP,RUNNING> mtu 1500
>         carp: MASTER vhid 2 advbase 1 advskew 0
>         inet 192.168.0.2 netmask 0xff000000 

The netmask value seems strange, but it could be normal output; I
cannot check this.

> 
> Notice the 'MASTER' on all carp interfaces. I would expect to see 'SLAVE' on
> two interfaces, but I failed to check this while testing this setup.

Yes, this should be SLAVE. Does firewall 1 get the CARP packets from
firewall 2? Check with tcpdump; you will see a lot of packets decoded
as VRRPv2. (BTW: would it be better to fix tcpdump to decode the
packets as CARP?)

> Can you find any misconfiguration?

Not really, but I still have some suggestions and questions.
How are both external network interfaces connected to your
Juniper machines? All machines on one switch?

What happens if you set up your redundant firewall system without
Juniper routers on the outside, and you connect another machine that
you try to reach from your LAN? Still problems?

Try to get more logging information from carp:
sysctl -w net.inet.carp.log=1 

Oh, after reading http://www.countersiege.com/doc/pfsync-carp/
again, I see that your hostname.carp0 is wrong:
/etc/hostname.carp0:

inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo

/etc/hostname.carp1:

inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar

bye
        Waldemar

-- 
CE94 5F99 BA88 65B1 25B9  8CD1 305A FF6B F8F8 1846
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys F8F81846

*** http://www.openbsd.de/~wbx ***
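One way to check hostname.carpN lines against the form shown in that document (inet ADDRESS NETMASK BROADCAST vhid N pass SECRET), as an added example that is not part of this thread; the checker, its rules and the sample subnets taken from the poster's fxp0/fxp1 are assumptions:

```python
import ipaddress
import re

# Constructed sample: the physical (parent) interface subnets from the poster's
# ifconfig output. A CARP address must sit inside one of these.
PHYSICAL_NETS = {
    "fxp0": ipaddress.ip_network("192.168.0.3/255.255.255.240", strict=False),
    "fxp1": ipaddress.ip_network("172.16.31.253/255.255.255.252", strict=False),
}

# Expected hostname.carpN form (assumption, following the cited document):
#   inet ADDRESS NETMASK BROADCAST vhid N pass SECRET
LINE_RE = re.compile(
    r"^inet\s+(\S+)\s+(\S+)\s+(\S+)\s+vhid\s+(\d+)\s+pass\s+(\S+)\s*$"
)


def check_carp_line(line, phys_nets=PHYSICAL_NETS):
    """Return a list of problems found in one hostname.carpN line (hypothetical checker)."""
    problems = []
    m = LINE_RE.match(line.strip())
    if not m:
        if not line.strip().startswith("inet"):
            problems.append("line does not start with 'inet ADDRESS NETMASK BROADCAST'")
        else:
            problems.append("line does not match 'inet ADDRESS NETMASK BROADCAST vhid N pass SECRET'")
        return problems
    addr, mask, bcast, vhid, _secret = m.groups()
    try:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
    except ValueError as exc:
        return [f"bad address/netmask: {exc}"]
    expected_bcast = str(iface.network.broadcast_address)
    if bcast != expected_bcast:
        problems.append(f"broadcast {bcast} does not match netmask (expected {expected_bcast})")
    # The virtual address must be inside a parent interface's subnet, with the same mask.
    parents = [name for name, net in phys_nets.items() if iface.ip in net]
    if not parents:
        problems.append(f"{addr} is not inside any physical interface subnet")
    elif iface.network != phys_nets[parents[0]]:
        problems.append(f"netmask {mask} differs from parent {parents[0]} ({phys_nets[parents[0]].netmask})")
    if not 1 <= int(vhid) <= 255:
        problems.append(f"vhid {vhid} out of range 1-255")
    return problems


if __name__ == "__main__":
    for sample in ("vhid 1 pass mekmitasdigoat 192.168.0.2",
                   "inet 192.168.0.2 255.255.255.240 192.168.0.15 vhid 1 pass foo"):
        print(sample, "->", check_carp_line(sample) or "ok")
```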
