On our two iSCSI failover servers we got three bonds:

bond0: LAN for management
bond1: iSCSI interface connected to separate iSCSI switches.
bond2: replication between the servers

Heartbeat is running on all three interfaces.

I did a simple test and disconnected all cables from bond0, simulating a network card error. Even if it is unlikely that two network cards should fail at the same time, making the bond break, I thought that the secondary DSS would see that the virtual IP on that interface is no longer visible and fail over, but nothing happened. The DSS signals that the bond0 heartbeat is down, but since the other two channels are working it doesn't do anything.

It just doesn't seem as if the secondary server is actually checking the primary server's iSCSI service/status, but only the heartbeat itself, and as long as the whole server hasn't gone down it doesn't fail over?

I would therefore also assume that it doesn't check the status of the iSCSI daemon itself and a crash in the iSCSI service would not make it fail over, right? We need something that fails over in case of any problem that makes the iSCSI non-functional, not only if the whole server burns down.

It just doesn't feel like it is fail-proof at all...