[Devil-Linux-discuss] hearbeat operation in Devil-Linux 1.2b2-i586-SMP

[Darren S. <dar...@se...>]

We're hoping to set up a high-availability firewall using Devil-Linux 
and are happy to see the heartbeat program included now. ;)

Our setup is to be two identical firewall hosts which share a virtual IP 
address. We want to have a primary and backup firewall host. All traffic 
should flow through the primary, and upon failure, the backup takes over 
the VIP. The VIP should always be resident on the active host and the 
backup releases the VIP when the primary firewall comes back online. 
We've tested this basic operation by stopping and starting the heartbeat 
service on on the primary firewall and it seems to work correctly.

I think we are running into a problem when one of these hosts reboots, 
though. If we power down the primary firewall, the backup successfully 
takes over the VIP. But when the primary comes back online, it 
apparently cannot regain the VIP because the generation number is reset 
to 1 and the backup host is running a different generation number. 
Here's the log message on the primary firewall when the hearbeat service 
is started after it reboots:

heartbeat: 2004/09/08_16:19:44 WARN: No Previous generation - starting at 1
heartbeat: 2004/09/08_16:19:44 info: Heartbeat generation: 1

And as it communicates with the backup firewall, the log message on the 
backup:

heartbeat: 2004/09/08_16:23:24 ERROR: should_drop_message: attempted 
replay attack [viawest-test-fw-a.sento.com]? [gen = 1, curgen = 5]

My understanding is that generation numbers are not preserved across 
reboots and are off-synch if one host is powered off because of 
devil-linux's volatile memory FS. I don't know if the normal heartbeat 
operation is to preserve the generation in a file so that it is 
persistent across reboots. I might not even be going down the right path 
here. Any ideas?

-- 
Darren Spruell
Sento I.S. Department
dar...@se...