From: Ian FREISLICH
To: d@delphij.net
Cc: FreeBSD Current
Date: Thu, 16 Jul 2009 21:04:19 +0200
Subject: Re: CARP broken on -CURRENT?
In-Reply-To: <4A5F7540.7070201@delphij.net>
References: <4A5F7540.7070201@delphij.net> <4A5EF889.6040604@delphij.net>
List-Id: Discussions about the use of FreeBSD-current

Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ian FREISLICH wrote:
> [...]
> > I have noticed that if there are multiple IP addresses on the carp
> > interface and these are configured in a different order on each
> > host, then you can expect messages like the following:
> >
> > Jun 9 23:56:29 firewall2 kernel: carp15: incorrect hash
> > Jun 9 23:56:30 firewall2 kernel: carp15: incorrect hash
> > Jun 9 23:56:31 firewall2 kernel: carp15: incorrect hash
> > Jun 9 23:56:32 firewall2 kernel: carp15: incorrect hash
> >
> > And both hosts will claim MASTER status.
>
> This reminded me... I've set net.inet.carp.log=2 now but except some
> bad CARP packets on the outside (12.xxx.xxx.112/28) network due to VRRP
> router, I didn't see any complaints about incorrect hash. Are you using
> "pass" parameter when setting up CARP?

Yes, I use pass. There are many untrusted hosts on my network.

Taking another look at the manual page, I think that the behaviour
you're seeing is expected. Try setting advbase to the same on all
vhids on both hosts. Use advskew to set a preference for one of
your servers. Use advbase to determine how quickly a failure will
be detected.

    To use carp, the administrator needs to configure at minimum a common
    virtual host ID (VHID) and virtual host IP address on each machine which
    is to take part in the virtual group. Additional parameters can also be
    set on a per-interface basis: advbase and advskew, which are used to
    control how frequently the host sends advertisements when it is the
    master for a virtual host, and pass which is used to authenticate carp
    advertisements.

Ian

--
Ian Freislich
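The checks discussed in this message, as an added example that is not part of the original email: it compares constructed `ifconfig` output from two hosts for address order, advbase and dual-MASTER state, and counts `incorrect hash` kernel messages per interface. The sample output, the layout of its `carp:` status line, the addresses and the function names are assumptions; `pass` does not appear in the sample and is not checked.

```python
import re
from collections import Counter

# Constructed `ifconfig` output from two hosts (documentation addresses); the
# layout of the "carp:" status line is an assumption about the output format.
FIREWALL1 = """carp15: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00
\tinet 192.0.2.11 netmask 0xffffff00
\tcarp: MASTER vhid 15 advbase 1 advskew 0
"""
FIREWALL2 = """carp15: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 192.0.2.11 netmask 0xffffff00
\tinet 192.0.2.10 netmask 0xffffff00
\tcarp: MASTER vhid 15 advbase 2 advskew 100
"""
LOG = """Jun 9 23:56:29 firewall2 kernel: carp15: incorrect hash
Jun 9 23:56:30 firewall2 kernel: carp15: incorrect hash
"""  # two of the log lines quoted in the message
CARP_RE = re.compile(r"carp: (\w+) vhid (\d+) advbase (\d+)")

def parse_carp(text):
    """Map vhid -> state, advbase and addresses in the order they are configured."""
    groups, addrs = {}, []
    for line in text.splitlines():
        if not line[:1].isspace():              # unindented line: new interface stanza
            addrs = []
        elif line.lstrip().startswith(("inet ", "inet6 ")):
            addrs.append(line.split()[1])
        elif m := CARP_RE.search(line):
            groups[int(m[2])] = {"state": m[1], "advbase": int(m[3]), "addrs": addrs}
    return groups

def compare(a, b):
    """Findings for every vhid configured on both hosts."""
    out = []
    for vhid in sorted(a.keys() & b.keys()):
        x, y = a[vhid], b[vhid]
        if x["addrs"] != y["addrs"]:
            same_set = sorted(x["addrs"]) == sorted(y["addrs"])
            out.append((vhid, "address order differs" if same_set else "address set differs"))
        if x["advbase"] != y["advbase"]:
            out.append((vhid, "advbase differs"))
        if x["state"] == y["state"] == "MASTER":
            out.append((vhid, "both hosts MASTER"))
    return out

def incorrect_hash_counts(log):
    """Count 'incorrect hash' kernel messages per carp interface."""
    return dict(Counter(re.findall(r"kernel: (carp\d+): incorrect hash", log)))
```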