Thursday, October 11, 2007

OpenBSD carp incorrect hash

It's been a long time since I've posted anything here, and to you loyal readers (ha!), I apologize. I took on a new job in June, and have been spending all my energy building a new corporate data center essentially from scratch. It's a valuable experience, but time-consuming. I really haven't done much true security work.

One project I've been involved in was building a pair of redundant OpenBSD (4.1, 4.2) firewalls for the network. We ran into an interesting issue with CARP. Each firewall was complaining that the other was sending corrupted CARP packets, logging the error:

carp0: incorrect hash

On firewall1, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 1
inet alias 10.1.1.2 255.255.255.255
inet alias 10.1.1.3 255.255.255.255
inet alias 10.1.1.4 255.255.255.255
inet alias 10.1.1.5 255.255.255.255
inet alias 10.1.1.6 255.255.255.255

On firewall2, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 2
inet alias 10.1.1.2 netmask 255.255.255.255
inet alias 10.1.1.3 netmask 255.255.255.255
inet alias 10.1.1.4 netmask 255.255.255.255
inet alias 10.1.1.5 netmask 255.255.255.255
inet alias 10.1.1.6 netmask 255.255.255.255

In the manner in which I presented it here, the error should jump out almost immediately; however, we were focused on the carp interface line (the first one), not on the aliases. It turns out that the CARP hash is based on ALL the uncommented information in /etc/hostname.carp0, not just the vhid and password: the virtual addresses configured on the interface go into it too, so a difference in an alias line changes the hash just as surely as a wrong password. Apart from the advskew value, the two files should be identical.
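The check I would add for this (an added example, not part of the original post): normalise both hostname.carp0 files and diff them with comments and advskew ignored, since advskew is the one field that is expected to differ. The file names and sample contents are constructed to reproduce the mismatch above.

```sh
#!/bin/sh
# Added check, not from the original post: normalise two hostname.carp0
# files and show any line that differs once comments and the advskew
# value (the one field that is supposed to differ) are ignored.

normalize_carp_conf() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        { sub(/[ \t]*advskew[ \t]+[0-9]+/, "") }    # advskew is allowed to differ
        NF { $1 = $1; print }                       # squeeze blanks, skip empty lines
    ' "$1" | sort
}

# Returns 0 when the two files agree apart from advskew, 1 otherwise;
# the differing lines are printed in diff format.
carp_conf_matches() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_carp_conf "$1" > "$a"
    normalize_carp_conf "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample files reproducing the mismatch from the post
# (firewall1's alias lines lack the "netmask" keyword).
fw1=$(mktemp); fw2=$(mktemp)
cat > "$fw1" <<'EOF'
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 1
inet alias 10.1.1.2 255.255.255.255
inet alias 10.1.1.3 255.255.255.255
EOF
cat > "$fw2" <<'EOF'
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 2
inet alias 10.1.1.2 netmask 255.255.255.255
inet alias 10.1.1.3 netmask 255.255.255.255
EOF

if carp_conf_matches "$fw1" "$fw2"; then
    echo "configs agree apart from advskew"
else
    echo "configs differ: expect 'carp0: incorrect hash' on both peers"
fi
```

Run it on the real files from both firewalls (copied over with scp) and any line diff prints is a candidate cause of the hash error.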

As always, the moral of the story: typos and details matter.

Hope this helps others not waste their time like I did :)

Rich
