[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CARP failure: Juniper arp timeouts?

Eric Eekhof wrote,

> I've skipped irrelevant lines to keep this post as short as possible.
> FW 1
> ----
> /etc/sysctl.conf:
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
> net.inet.carp.preempt=1
> net.inet.carp.arpbalance=1
> /etc/hostname.fxp0:
> inet NONE
> /etc/hostname.fxp1:
> inet NONE
> /etc/hostname.carp0:
> vhid 1 pass mekmitasdigoat
> /etc/hostname.carp1:
> vhid 2 pass mekmitasdigoat
> /etc/pfsync0:
> up syncif fxp1

What about your cross cable? :} You sureley know that pfsync does
_not_ use cryptographic secured messages.

> ifconfig -a:
>         address: 00:0d:61:32:7a:be
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet netmask 0xfffffff0 broadcast
>         inet6 fe80::20d:61ff:fe32:7abe%fxp0 prefixlen 64 scopeid 0x5
>         address: 00:0d:61:32:7a:bf
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet netmask 0xfffffffc broadcast
>         inet6 fe80::20d:61ff:fe32:7abf%fxp1 prefixlen 64 scopeid 0x6
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> pfsync0: flags=41<UP,RUNNING> mtu 1348
>         pfsync: syncif: fxp1 maxupd: 128
> enc0: flags=0<> mtu 1536
> carp0: flags=41<UP,RUNNING> mtu 1500
>         carp: MASTER vhid 1 advbase 1 advskew 0
>         inet netmask 0xff000000 
> carp1: flags=41<UP,RUNNING> mtu 1500
>         carp: MASTER vhid 2 advbase 1 advskew 0
>         inet netmask 0xff000000 

The netmask value seems to be strange, but it could be a normal
output, can not check this.
> Notice the 'MASTER' on all carp interfaces. I would expect to see 'SLAVE' on
> two interfaces, but I failed to check this while testing this setup.

Yes, this should be SLAVE. Does firewall 1 get the CARP packets from
firewall 2? Check with tcpdump, you will see a lot of VRRPv2 decoded
packets. (BTW: would it be better to fix tcpdump, to decode the
packets as CARP? )

> Can you find any misconfiguration?

Not really, but I still have some suggestions and questions.
How does both external network interfaces are connected to your
jupiter machines? All machines in one Switch?

What happens if you setup your redundant firewall system without Jupiter routers on the
outside, and you connect another machine you try to reach from your
LAN? Still problems?

Try to get more logging information from carp:
sysctl -w net.inet.carp.log=1 

Oh, after reading http://www.countersiege.com/doc/pfsync-carp/
again, I see that your hostname.carp0 are wrong:

inet vhid 1 pass foo


inet vhid 2 pass bar


CE94 5F99 BA88 65B1 25B9  8CD1 305A FF6B F8F8 1846
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys F8F81846

*** http://www.openbsd.de/~wbx ***