Ok, well this was quick. Fixed my own problem. Had /32 masks on my Virtual IP on my master.  Sorry for the fire drill. Thought I would leave this here in case someone else made a bonehead mistake like that.  I did know to use the interface mask, I just overlooked it until now.

Maintenance mode just bumps the skew to 254. That means it's backup status only if it sees advertisements from a lower skew/higher priority. Absent that, it's still master.

I'm guessing in that case the ones that don't go to backup status are on one particular interface. Likely CARP advertisements don't make it from secondary to primary on that interface for some reason. Most always network-related, either no connectivity between them, or multicast not making it in that direction.

Hi everybody,
I've just upgraded to pfSense 2.3, but I still have the same issue.
Any idea?
Thank you again.

you know that pointing to a wiki is not going to help….

Anyway to the question

Maybe your looking at multi WAN? meaning that the WAN has a diferent gateway from each other ex: 181.xx.xx.114/29 with gateway of 181.xx.xx.113 and lets say you have another lSP 201.xx.xx.21/29 with gateway of 201.xx.xx.222 meaning its called multi WAN with fail over

But if you have one lSP 181.xx.xx.114/29 with gateway of 181.xx.xx.113 but thy give you another ip of 181.xx.xx.117 you need to add a Virtual IP (VIP) then create NAT rules

Hello,
Thank you for your reply.

Therefore, the following configuration is normally possible ?

CARP VIP IP interface : 192.168.1.249/24
STACK CARP IP ALIAS VIP interface :  192.168.2.249/24

Thank you again for your help.
Soulearth

Hello all,

I'd also like to know if this issue is still present in pfSense 2.2.6. Anyone using such configuration ?

Regards,

Régis

The sync address is just the IP of a pfSense Box, which gets the configuration settings. This can be slave or master or any box else.
If you intend to obvert sync direction, first delete the sync IP from the master than add the new one to the slave.

@ewuewu:

What I want to obtain is:

LAN addresses should not be translated AND sould leave the pfsense via the WAN CARP address

Packet can't leave pfSense "via the WAN CARP address". That is just a virtual IP address, nothing physical. Packets may leave pfSense via an interface or can be routed to a gateway. They just have a source and a destination address, and these can be translated or not.

Aaaaand… I broke it again - same behavior.  Unclear exactly how I did that.  I was putting some Snort stuff together, but even suspecting that, and disabling it, still get no-resume behavior (testing from one of the WAN interface sides.

Interestingly, if I reverse the scenario - start downloading a file from the LAN side, pull a cable, that does resume.  So it is somehow related to the WAN side, or the number of VIPS/1:1NATs I have?  B/c WAN, DMZ, and LAN are all using CARP VIPs.  I'll do some more testing, but yes, FW2 (looking in Diag->States) does have that in there (http connection), so states are synching.

If you have CARP and Traffic shaper configured take a look here:
http://forum.pfsense.org/index.php?topic=45045

armando

Thanks. Gee it says so right there. (I did read the entire HA chapter in the book again before I asked :/ ) You're right. I'm probably over-thinking it. Creating the laggs would probably be more disruptive anyway.

I was able to correct this.

Because my testing environment is using different hardware and interfaces I needed to setup the interfaces more carefully

What I discovered is that when CARP assigns matches interfaces, it must choose them in sequential order from the assign interfaces page, matching them with the other firewall.

What I had was
Firewall 1
#1 LAN
#2 EM1
#3 EM2
#4 Bridge0

Firewall 2
#1 WAN
#2 LAN
#3 CXL0
#4 CXL1
#5 Bridge0

So, what I think happened was that CARP was matching #4 from each list, so my bridge0 (#4 on Firewall 1) was being matched with CXL1 (#4 on Firewall 2)

Once I reassigned my interfaces and lined up the interface numbers CARP matched the correct interfaces.

BGP and NAT are two different systems
on BGP you have neighbor not gateway

how many BGP sessions you have with your providers?and which ip is recognized by your provider for BGP session?