Hello, A quick question.
I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc.
The primary has advskew 0, the backup has advskew 100. I have

net.inet.carp.preempt=1 on both.
So anyway, I was downloading some 4.2 install binaries onto the backup

fw, and I noticed that the backup/primary carp interfaces kept on

switching between master/backup fairly rapidly ( around every 5 - 10

seconds or so ) despite both hosts being up just fine.
Any ideas on what might be causing this?
Also, My understanding of net.inet.carp.preempt=1 needs to be adjusted I

think; I thought that it meant if one carp interface goes down, ie,

unplugged or whatever, then the rest go down, ie all other interfaces on

the box? Is this right?
Thanks,

    Josh

Your understanding of preempt seems correct
I had a similar issue on a pair of 4.1 FW's.
A careful examination revealed that one of the carp ifaces on one system

had ip addrs that were missing on the other.
Carefully compare ifconfig -aA on each machine to each other.

I now slavishly alsoensure that the addrs occur in the same order ... I

am sure that has no effect, but there it is.
Are you allowing the carp traffic in and out?

Does a tcpdump show the expected traffic?.

I have checked all those things... ifconfig output (in relation to carp)

is identical with the obvious exceptions of BACKUP/MASTER and advskew.
One of the first lines in my pf.conf is always pass in quick on foo

proto carp keep state... and a look at pflog shows nothing in the carp

department is being blocked.
It does not happen all the time, just seems to happen when I put some

network load on the secondary firewall.
I will investigate what Stuart Henderson mentioned.
Cheers,

	Josh

If it's that, tcpdump on the parent iface will show proto 112 IPv6

packets every few seconds, and "ifconfig carpXX destroy && sh /etc/netstart
In that case, also check sysctl net.inet.ip.ifq.drops. If any are present,

bump net.inet.ip.ifq.maxlen (256 is a good starting point, used by default

in 4.2).

Hmmm,
sysctl net.inet.ip.ifq.drops

net.inet.ip.ifq.drops=7895040
Will make the changes you suggest... But what does net.inet.ip.ifq.drops

mean?
Thanks,

	Josh

> Are you allowing the carp traffic in and out?
	This is the more common fuckup I make when configuring them that has

this result.  make sure the carp and pfsync traffic makes it in and

out.

If you reconfigured addresses on the interfaces after configuring

them, it's most likely to be the problem fixed in r1.135 of
Not always, see http://www.mail-archive.com/misc@openbsd.org/msg34354.html