[Linux-HA] "attempted replay attack" and "Message hist queue is filling up"
alanr at unix.sh
Tue Jul 24 12:49:41 MDT 2007
Max Hofer wrote:
> On Saturday 21 July 2007, Patrick von der Hagen wrote:
>> On Friday, 20.07.2007, at 17:54 +0200, Patrick von der Hagen wrote:
>>> Any ideas how to recover?
>> I finally decided to apply FAQ 31 to the issue and ignore that this FAQ explicitly mentions heartbeat 1.2.0. I have a bad feeling about it, but it seems to work.
> Yep, ... somehow I had the feeling you had the UUID problem.
> Another way to avoid the problem is using 'time' for hbgenmethod
> (in /etc/ha.d/ha.cf). But make sure your machines use NTP to get
> the current time.
> I always felt that the replay attack protection is a pain in the ass. Especially
> since most HA environments are in a kind of secure network environment.
> I think some people would have a less hard time if the replay attack
> protection would be "off" by default and we could enable it if we want.
2.1.1 does this differently.
The replay attacks should be avoided when restoring starting with 2.1.1.
When it can't find a generation number, it will initialize it to the
current time, similar to how hbgenmethod works.
So, that should nearly always avoid the false replay attack case.
Try it out and let me know what you find out.
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me
claim from you at all times your undisguised opinions." - William
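
Added example, not part of the original message and not heartbeat's own code: a simplified Python model of generation-number replay checking, showing why a node that has lost its stored generation is rejected by its peers and how falling back to the current time avoids that while old packets are still dropped. The class and function names, the node name "alpha" and all sample values are constructed assumptions.

```python
"""Simplified model of generation-number replay checking (constructed, not heartbeat source)."""


class Receiver:
    """Tracks the highest (generation, sequence) accepted from each peer."""

    def __init__(self):
        self.seen = {}  # node name -> (generation, last sequence number)

    def accept(self, node, gen, seq):
        last = self.seen.get(node)
        if last is not None:
            last_gen, last_seq = last
            if gen < last_gen:
                # Sender claims an older incarnation than one already seen.
                return "drop: attempted replay attack"
            if gen == last_gen and seq <= last_seq:
                return "drop: duplicate or replayed sequence"
        self.seen[node] = (gen, seq)
        return "accept"


def restart_generation(stored_gen, now, fallback_to_time):
    """Generation a node uses after a restart.

    stored_gen is None when the on-disk generation was lost (restore, reinstall).
    """
    if stored_gen is not None:
        return stored_gen + 1
    # Assumption of this model: without the time fallback the counter restarts at 1.
    return int(now) if fallback_to_time else 1


def simulate(fallback_to_time, now=1185302981):  # constructed epoch seconds (July 2007)
    peer = Receiver()
    # The peer already knows node "alpha" at generation 7.
    results = [peer.accept("alpha", 7, s) for s in (1, 2, 3)]
    # alpha is restored without its generation file and starts sending again.
    gen = restart_generation(None, now, fallback_to_time)
    results.append(peer.accept("alpha", gen, 1))
    # An old packet (generation 7, seq 2) arrives afterwards.
    results.append(peer.accept("alpha", 7, 2))
    return gen, results


if __name__ == "__main__":
    for mode in (False, True):
        print("fallback_to_time =", mode, "->", simulate(mode))
```

Calling `simulate(True, now=5)` models a restored node whose clock is far behind: its generation is again lower than the one the peer remembers, which is why the time-based method depends on synchronized clocks.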