Carp half syncs, question about config.
-
Carp sort of syncs between our master and slave. We inherited the boxes, so did not do the original config.
We tested a failover, and only 3 of the 20 or so carp addresses failed over, and our system was not working with the slave FW.
The master was set to sync on the LAN, instead of the XOVER, which seems wrong. We chaged it to the failover. In the master, we set the "Synchronize to IP" to the XOVER ip of the slave. The question is, on the slave, do we have to put in the XOVER ip of the master?
We added a new carp vip on the master, and only a bit of it came through on the slave. In the carp status table (which has 3 columns, "carp interface", "virtual ip" and "status"), only the virtual IP is listed for the new vip, the other two are blank. However, if you edit it on the slave, the details are correct (interface, VHID, Ad.Freq = 100 etc).
How does the master know its supposed to be master and slave know its slave when both are operating correctly?
Thanks for any help or ideas,
-
There is usually a sync network setup (typically a crossover cable between the 2). It is part of the full CARP deployment recommendations. This usually handles heartbeat, config sync, and state sync between the 2 systems.
-
Yes, there is a dedicated sync network with a cable plugged directly between the two firewalls. The interface is calle XOVER. I changed it to use this, but still doesnt quite work right.
-
Back to one of your first questions, on the secondary, you do not set a Sync Config to IP. There is a clear warning: NOTE: Do not use the Synchronize Config to IP and password option on backup cluster members!
I don't usually assign an ip to pfsync Synchronize Peer IP option. Leaving it blank uses multicast on the XOVER cluster network.