carp: BACKUP machine receiving packets

From: Jacob Yocom-Piatt (jy-pfixedpointgroup.com)
Date: Sat Aug 04 2007 - 17:35:46 CDT


I am in the process of rotating in a backup firewall machine, and when I
bring up the backup machine's carp interface, there are packets being
misdirected to it, even though its interface is shown with state
BACKUP. The peculiar thing about this is that if I use another machine
(i386) besides the one I plan to rotate in, a Netra T1 105, as the carp
backup host, it works just fine.

Both machines are running 4.1-release. The master firewall is i386 and
the backup is sparc64.

The existing firewall has internal interfaces

vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:63:da:b0:6c
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::240:63ff:feda:b06c%vr0 prefixlen 64 scopeid 0x1
        inet 10.0.0.252 netmask 0xffffff00 broadcast 10.0.0.255
...
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev vr0 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x11

and when this is up by itself it works fine (hosts can ping out and ping
10.0.0.1 sans packet loss). However, once the backup machine, the Netra
T1, is configured appropriately with interfaces

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:47:81:d0:02
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::203:47ff:fe81:d002%fxp0 prefixlen 64 scopeid 0x3
        inet 10.0.0.253 netmask 0xffffff00 broadcast 10.0.0.255
...
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev fxp0 vhid 2 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x8
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255

packets start being misdirected to it even though carp1 is BACKUP. There
are packets showing up at the Netra in this case:

# tcpdump -nettvi fxp0 host 10.0.0.1
tcpdump: listening on fxp0, link-type EN10MB
1186265960.985578 0:80:c8:38:d:f7 0:0:5e:0:1:2 0800 80: 10.0.0.201.4243
> 10.0.0.1.53: [udp sum ok] 43885+ A? download42.avast.com. (38) (ttl
128, id 17947, len 66)
1186265961.770602 0:e0:81:4:64:96 0:0:5e:0:1:2 0800 77: 10.0.0.111.47624
> 10.0.0.1.53: [udp sum ok] 518+ AAAA? gateway.fedex.com. (35) (ttl 64,
id 44746, len 63)
1186265963.149881 0:0:5e:0:1:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
10.0.0.1 tell 10.0.0.1
1186265964.986023 0:80:c8:38:d:f7 0:0:5e:0:1:2 0800 80: 10.0.0.201.4243
> 10.0.0.1.53: [udp sum ok] 43885+ A? download42.avast.com. (38) (ttl
128, id 17950, len 66)
1186265967.190227 0:0:5e:0:1:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
10.0.0.1 tell 10.0.0.1
1186265968.986657 0:80:c8:38:d:f7 0:0:5e:0:1:2 0800 80: 10.0.0.201.4243
> 10.0.0.1.53: [udp sum ok] 43885+ A? download42.avast.com. (38) (ttl
128, id 17957, len 66)
1186265971.230637 0:0:5e:0:1:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
10.0.0.1 tell 10.0.0.1

If this is a known issue or can be fixed by a reboot/interface
configuration on boot, do tell.

cheers,
jake

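As an added example (not from the post), here is a small Python audit of "tcpdump -e" output captured on the BACKUP's carpdev: it counts frames addressed to the CARP virtual MAC 00:00:5e:00:01:<vhid> (traffic that belongs on the MASTER) and lists frames the BACKUP itself sourced from that MAC, such as the "arp who-has 10.0.0.1 tell 10.0.0.1" lines above, which switches use to learn where the virtual MAC lives. The sample records are the post's capture re-joined onto single lines; the vhid is a parameter.

```python
import re
from collections import Counter

# One record per line as printed by "tcpdump -e": <ts> <src-mac> <dst-mac> <ethertype> <len>: <payload>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+"
    r"(?P<etype>[0-9a-f]{4})\s+(?P<len>\d+):\s*(?P<rest>.*)$"
)

def norm_mac(mac):
    """tcpdump drops leading zeros (0:0:5e:0:1:2); normalise to 00:00:5e:00:01:02."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def carp_vhid(mac):
    """Return the vhid if mac is a CARP/VRRP virtual MAC 00:00:5e:00:01:<vhid>, else None."""
    octets = norm_mac(mac).split(":")
    return int(octets[5], 16) if octets[:5] == ["00", "00", "5e", "00", "01"] else None

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": float(m["ts"]), "src": norm_mac(m["src"]), "dst": norm_mac(m["dst"]),
            "etype": m["etype"], "rest": m["rest"]}

def audit_backup_capture(lines, vhid):
    """Audit frames seen on the carpdev of a host whose carp interface is BACKUP:
    count unicast frames addressed to the virtual MAC (traffic that belongs on the
    MASTER) and list frames this host sourced from the virtual MAC, which a
    BACKUP should not send and which teach switches to forward the MAC to it."""
    report = {"to_vmac": 0, "by_src": Counter(), "sourced_from_vmac": []}
    for rec in filter(None, map(parse_line, lines)):
        if carp_vhid(rec["dst"]) == vhid:
            report["to_vmac"] += 1
            report["by_src"][rec["src"]] += 1
        if carp_vhid(rec["src"]) == vhid:
            report["sourced_from_vmac"].append((rec["etype"], rec["rest"]))
    return report

# Constructed sample: records from the post's capture, each re-joined onto one line.
SAMPLE = """\
1186265960.985578 0:80:c8:38:d:f7 0:0:5e:0:1:2 0800 80: 10.0.0.201.4243 > 10.0.0.1.53: [udp sum ok] 43885+ A? download42.avast.com. (38) (ttl 128, id 17947, len 66)
1186265963.149881 0:0:5e:0:1:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.1 tell 10.0.0.1
1186265964.986023 0:80:c8:38:d:f7 0:0:5e:0:1:2 0800 80: 10.0.0.201.4243 > 10.0.0.1.53: [udp sum ok] 43885+ A? download42.avast.com. (38) (ttl 128, id 17950, len 66)
1186265967.190227 0:0:5e:0:1:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.1 tell 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    print(audit_backup_capture(SAMPLE, vhid=2))
```

Run it against a capture from the BACKUP while it is in state BACKUP; a non-empty sourced_from_vmac list is the thing to chase, since a switch that sees those frames will move the virtual MAC to the backup's port.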