Date:      Wed, 16 Jan 2019 14:14:32 +0000
From:      Pete French <petefrench@ingresso.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   CARP stopped working after upgrade from 11 to 12
Message-ID:  <E1gjlxg-000DSh-Oi@dilbert.ingresso.co.uk>

I just upgraded my pair of firewalls from 11 to 12, and am now in the
situation where CARP no longer works between them to failover the
virtual addresses. Both machines come up thinking that they
are the master. If I manually set the advskew on the interfaces to
a high number on what should be passive then it briefly goes to backup
mode, but then goes back to master with the message:

	BACKUP -> MASTER (preempting a slower master)

This is kind of a big problem! It's also unexpected as I tested CARP on 12
in my development environment and it works here - though here we only have
one address instead of several. But this has worked fine for a very long
time until now.

The setup looks like this:

ifconfig_em0="inet 10.32.10.1/16"
ifconfig_em0_ipv6="inet6 2a02:1658:1:2:e550::1/64"
ifconfig_em0_alias0="inet 10.32.10.6/16 vhid 10 advskew 10 pass redacted"
ifconfig_em0_alias1="inet6 2a02:1658:1:2:e550::6/64 vhid 30 advskew 10 pass redacted"

ifconfig_em1="inet 178.250.73.196/26"
ifconfig_em1_ipv6="inet6 2a02:1658:1:1::1:2/64"
ifconfig_em1_alias0="inet 178.250.73.198/26 vhid 20 advskew 10 pass redacted"
ifconfig_em1_alias1="inet6 2a02:1658:1:1::1:1/64 vhid 40 advskew 10 pass redacted"
ifconfig_em1_alias2="inet 178.250.73.199/26 vhid 20 advskew 10 pass redacted"
ifconfig_em1_alias3="inet 178.250.73.200/26 vhid 20 advskew 10 pass redacted"
ifconfig_em1_alias4="inet 178.250.73.221/26 vhid 20 advskew 10 pass redacted"

...and on the passive side almost identical except for the real IPs and the
advskew which is set to 128.

I have PF enabled with pfsync as well, and I have set net.inet.carp.preempt=1
in sysctl.conf. PF is configured to allow protocol 'carp' on both ether
interfaces and 'pfsync' on the internal one.

I did wonder if having the same vhid for a number of the addresses might be
the issue so I then changed the config to have them all on separate vhid
numbers, but the problem persists.

This is now a bit of a major problem for me, as I am running on a single
firewall with no failover (which I don't like) and don't really know what
the path forward is.

As ever, all advice is welcome!

-pete.


