Netgate Discussion Forum

    CARP interfaces work separately

    HA/CARP/VIPs
    • Jakub_J
      Jakub_ @viragomann
      last edited by

      @viragomann
      Yes you are right I corrected it, it should be CARP

      DerelictD 1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate @Jakub_
        last edited by

        @jakub_ said in CARP interfaces work separately:

        @viragomann
        Yes you are right I corrected it, it should be CARP

        Or an IP alias with the interface set to the existing CARP VIP on the interface, not the interface itself.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Jakub_J 2 Replies Last reply Reply Quote 0
        • Jakub_J
          Jakub_ @Derelict
          last edited by

          @derelict
          OK, I did the tests; everything switches correctly.
          I don't know how it happened that the maintenance mode was on.

          1 Reply Last reply Reply Quote 1
          • Jakub_J
            Jakub_ @Derelict
            last edited by

            @derelict
            This morning the problem returned.
            First, traffic on the first 7200U (master) stalled. I put it in "CARP maintenance mode"; the backup switched to master, but the stalled master only half switched to the backup role (see pictures).
            When I turned off "Maintenance mode" on this first 7200, the second one only half returned to the backup role. The issue was fixed by turning CARP off and on.
            But it looks poor because HA should be reliable on this critical link.
            I got screenshots and ifconfig output from both.
            interfaces.png

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @Jakub_
              last edited by

              @jakub_
              Anything CARP-related in the system log?

              The reason for interfaces in master state on both nodes is often that the secondary (with higher skew) doesn't get the advertisements from the master.
              So ensure that the interfaces of both can communicate properly using the CARP protocol.

              Jakub_J 1 Reply Last reply Reply Quote 0
              • Jakub_J
                Jakub_ @viragomann
                last edited by

                @viragomann
                Not much:

                Apr 19 08:27:00 Node1 sshguard[7411]: Now monitoring attacks.
                Apr 19 08:39:30 Node1 php-fpm[94281]: /status_logs_filter.php: Successful login for user 'xxxxx' from: xx.xxx.xxx.10 (Local Database Fallback)
                Apr 19 08:42:30 Node1 check_reload_status[392]: Syncing firewall
                Apr 19 08:42:30 Node1 check_reload_status[392]: Carp backup event
                Apr 19 08:42:30 Node1 kernel: carp: 1@ix0: MASTER -> BACKUP (more frequent advertisement received)
                Apr 19 08:42:30 Node1 kernel: carp: 2@ix1: MASTER -> BACKUP (more frequent advertisement received)
                Apr 19 08:42:30 Node1 kernel: in_scrubprefix: err=65, prefix delete failed
                Apr 19 08:42:30 Node1 check_reload_status[392]: Carp backup event
                Apr 19 08:42:36 Node1 check_reload_status[392]: Carp master event
                Apr 19 08:42:36 Node1 kernel: carp: 2@ix1: BACKUP -> MASTER (master timed out)
                Apr 19 08:43:00 Node1 sshguard[7411]: Exiting on signal.
                Apr 19 08:43:00 Node1 sshguard[55540]: Now monitoring attacks.
                Apr 19 08:44:00 Node1 sshguard[55540]: Exiting on signal.

                forum.jpg

                But CARP only worked after my intervention.

                DerelictD 1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate @Jakub_
                  last edited by

                  @jakub_ You have to figure out why the CARP heartbeats from the MASTER node are not making it to the secondary node.

                  pcap for CARP on that interface on the primary node. You should see advskew=0 heartbeats.

                  pcap for CARP on the secondary node. You should see those heartbeats. If you do not, and see the heartbeats from the secondary (advskew=100) instead, your Layer 2 is broken.

                  If the protocol is set for CARP on the pcap page it will properly decode the advbase/advskew so you can tell them apart. They will be from the same virtual MAC address so you can't tell by that.


                  Jakub_J 2 Replies Last reply Reply Quote 0
                    • Jakub_J
                      Jakub_ @Derelict
                      last edited by Jakub_

                      @derelict

                      Hi again, I checked the VRRP packets:
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=14661700377225625920
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=99 advbase=1 advskew=0 authlen=7 counter=316479634456754718
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=99 advbase=1 advskew=0 authlen=7 counter=316479634456754719
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=14661700377225625921
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=99 advbase=1 advskew=0 authlen=7 counter=316479634456754720
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=14661700377225625922
                      IP xx.xx.xx.3 > 224.0.0.18: CARPv2-advertise 36: vhid=99 advbase=1 advskew=0 authlen=7 counter=316479634456754721

                      I sorted out the VRRP and they look OK; my only doubt is that the address xx.xx.xx.xx.3 is the physical interface of the master and not the CARP VIP. Unless that is OK?

                      DerelictD 1 Reply Last reply Reply Quote 0
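
Added example, not part of any post in this thread: Derelict's capture check (tell the nodes apart by advskew, per VHID) applied to tcpdump text output in the format posted above. The names `seen_skews`, `classify` and `local_skew` are hypothetical, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches tcpdump's text decode of a CARP advertisement (a leading timestamp is fine).
ADV_RE = re.compile(
    r"IP (?P<src>\S+) > 224\.0\.0\.18: CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=\d+ advskew=(?P<skew>\d+)"
)

# Constructed capture as seen on the secondary; addresses are documentation-range.
SAMPLE = """\
IP 192.0.2.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1001
IP 192.0.2.3 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=2001
IP 192.0.2.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=3001
IP 192.0.2.3 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=3002
IP 192.0.2.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1002
""".splitlines()

def seen_skews(lines):
    """Return {vhid: {advskew: set of source IPs}} for every advertisement line."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = ADV_RE.search(line)
        if m:
            seen[int(m["vhid"])][int(m["skew"])].add(m["src"])
    return seen

def classify(lines, local_skew):
    """local_skew maps each VHID to the advskew configured on the capturing node."""
    seen = seen_skews(lines)
    verdicts = {}
    for vhid, mine in local_skew.items():
        skews = set(seen.get(vhid, {}))
        if not skews:
            verdicts[vhid] = "no-adverts"        # nothing for this VHID reached the capture
        elif skews == {mine}:
            verdicts[vhid] = "only-own"          # peer heartbeats are not arriving here
        elif mine in skews:
            verdicts[vhid] = "both-advertising"  # both nodes are sending as MASTER
        else:
            verdicts[vhid] = "peer-heard"        # only the peer advertises: expected on a BACKUP
    return verdicts

if __name__ == "__main__":
    for vhid, verdict in sorted(classify(SAMPLE, {1: 100, 2: 100, 3: 100, 4: 100}).items()):
        print(f"vhid {vhid}: {verdict}")
```

Run it on each node's capture with that node's own advskew values; "only-own" on the secondary while the primary is up is the case Derelict attributes to broken Layer 2.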
                      • DerelictD
                        Derelict LAYER 8 Netgate @Jakub_
                        last edited by Derelict

                        @jakub_ Yes. The advertisements are sourced from the interface IP address and CARP MAC.

                        Not sure why you are seeing advertisements from both the primary (advskew 0) and secondary (advskew 100) there.


                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.