[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CARP states apparently not changing correctly (causes some connection drops)


This is my first post to openbsd-misc so forgive me if this has been raised before. That said, I've just read through the 1200 messages in the archives this month and can't find the same issue.

I am trying to configure a redundant firewall pair. So far almost everything is fine and it behaves how you (I) would expect a CARP system to work. However, when using SSH, I get the following bizarre behaviour (see setup below):

* If I have an SFTP connection transferring data, and I pull the red cable, the transfer freezes. During this time, carp0 on fw1 drops to INIT and carp254 drops to BACKUP. fw2 claims MASTER status on both carp interfaces. BUT, the SFTP transfer freezes. It will fail after short period if I do nothing. However, if I then pull the blue cable, the transfer resumes(!) Normally I can reconnect fw1 back in and it will

The other quirk appears with CARP advertisements happening frequently. If I set fw1 to use (say) 0/50 and 0/60 for advbase/advskew then:

* If I have a PuTTY session open on alfie connected to miniwebserv1, and I run a command that spits out random numbers (jot every 1/10th of a second), and then pull the red cable, the connection doesn't die but the text comes back erratically. It goes from flowing like water to something more like lumpy custard.

I only found the second point because I thought the SFTP died because the connection took too long to transfer- this is evidently not the case.

I just installed PostgreSQL on miniwebserv1 via a remote package, and the file downloaded correctly despite me pulling a cable. So perhaps this is an issue with the SFTP protocol? It is not a client issue, as both CoreFTP and the SSH.com client behave the same way. It's almost certainly not a PF issue because I've run PF without NAT and just "pass in / pass out keep state" rules.

Can anyone offer any advice? [ I hope after writing all this somebody doesn't point to a bug report from 6 months ago :) ]

Cheers for any help


Here is how it is all configured:

alfie is my desktop Win2k machine
miniwebserv1 is my ultimate destination (SSH and Apache2 running on FreeBSD)

                  | |
                  |  FBSD router |
	         alias (for NAT)
		 alias (for NAT- unused)
          red cable/             \
      +---------------+       +---------------+
      |  |dc0    |  |
      |   OBSD fw1    |-------|   OBSD fw1    |
      | |   fxp0| |
      +---------------+       +---------------+
          blue cable\              /

Config files:

fw1# cat /etc/hostname.rl0 inet NONE

fw1# cat /etc/hostname.rl1
inet NONE

fw1 # cat /etc/hostname.dc0
inet NONE

fw1# cat /etc/hostname.carp0
inet carpdev rl0 vhid 1 pass mycarp
inet alias
inet alias

fw1# cat /etc/hostname.carp254
inet carpdev rl1 vhid 254 pass mycarpstudio

fw1# cat /etc/hostname.pfsync0
up syncdev dc0 syncpeer

fw2# cat hostname.rl0
inet NONE

fw2# cat hostname.rl1
inet NONE

fw2# cat hostname.fxp0
inet NONE

fw2# cat hostname.carp0
inet carpdev rl0 vhid 1 advskew 10 pass mycarpstudio
inet alias
inet alias

fw2# cat hostname.carp254
inet carpdev rl1 vhid 254 advskew 10 pass mycarpstudio

fw2# cat hostname.pfsync0
up syncdev fxp0 syncpeer