Subject: Re: question about CARP
To: George Chen <firstname.lastname@example.org>
From: Liam J. Foy <email@example.com>
Date: 05/10/2006 08:21:04
On 10 May 2006, at 02:54, George Chen wrote:
> Hi Liam,
> I have a same script on both firewalls.
> ifconfig spi4 up
> ifconfig spi7 up
> ifconfig carp0 create
> ifconfig carp0 vhid 1
> ifconfig carp0 carpdev spi4
> ifconfig carp0 advskew 150
> ifconfig carp0 188.8.131.52
> ifconfig carp1 create
> ifconfig carp1 vhid 2
> ifconfig carp1 carpdev spi7
> ifconfig carp1 advskew 150
> ifconfig carp1 184.108.40.206
> sysctl -w net.inet.carp.preempt=1
> When setup, carp0 and carp1 are MASTER on fw1. I bring carp0 down with
> Ifconfig carp0 down.
> I expect carp1 on fw1 will be down automatically. But it doesn't
> happen. The
> result is that the traffic is blocked.
On fw1, try not setting the advskew. Only do it on fw2. So, use that
script on fw2 but remove the 'ifconfig carp* advskew 150' for fw1.
> Actually I have made some modification to the code from
This is my patch. The latest can be seen at:
(this patch includes MANY cleanups.)
> I wonder if this problem came from the original code or from my
What modifications have you made. I suggest trying to achieve the
above by using my patch (and not setting the advskew on fw1, assume
this is your prefered master). Also, once you've set up both
you send me the output of 'ifconfig -a' please?
> I didn't know your patch. Would you share it with me?
> George Chen
> On 9 May 2006, at 05:34, George Chen wrote:
>> I have a question about CARP.
>> I have two firewalls named fw1 and fw2. eth0 and eth0 are two
>> interfaces on
>> both fw1 and fw2. It works well when fw1 serves as MASTER, which
>> fw1.eth0 and fw1.eth1 are all MASTER. The problem is, when I down
>> and therefore fw1.eth0 becomes BACKUP while fw2.eth0 becomes
>> MASTER, will
>> fw1.eth1 failovers to fw2.eth1? I didn't see that fw1.eth1 becomes
>> which leads to the traffic fails.
>> I don't know if CARPs on different interfaces but one same
>> appliance are
>> associated. If not, CARP can't help if individual interface fails.
>> Am I
>> right? If yes, how does it implemented?
>> Thanks for all your time,
>> George Chen
Liam J. Foy