Thus when the "master" is down, ether don't do any change to slave, or if there is change to slave, we have to manually update the master when it is up I guess?

I tried to do the "bold" but it gave error on the "slave" immediately saying something like it does find the target as a valid sync device.

No suggestions?

It cant be network traffic on Sync interface since its a direct connect.

Not sure where to look and how to fix this.

What the correct procedure to swing  the interface back to primary?
Last time I just rebooted the secondary but it seems a bit crude.

I created another vlan (12) today, and have the exact same issue. I can ping the backup-carp ip, but not that master nor the virtual. The firewall rules are empty, so nothing should be allowed. Any help or ideas are very welcome!

That's still a bit vague as to what they actually meant.

They might have meant that you should have multiple ISPs not just that one, so that you could have some redundancy in case it fails.

To say more you'll need to have them clarify the original statement.

No.

@cmb:

only if it's the only remaining IP alias in that subnet. See comments on the bug ticket you linked. You have to have an IP assigned to an interface within the subnet of CARP.

Can we make it so it is not like this? Is seems unreasonable. I deleted the CARP IP and the VIP then recreated the CARP IP. Why can't I do this in just one step? I would end up in the same place. At the moment creating an additional IP is a one-way operation, that I can't easily reverse. It's miserable.

I forgot to add: for those extra three IPs I don't have to have CARP. They will be used for non-essential operations. Does that make it easier?

Plz detail your network configuration.  Maybe there is a clue there.

I just wanted to confirm that this was the solution. The interface had gone down due to inactivity while I was repairing the second firewall.

No one with an idea? That usually means that I asked a really stupid question :-)

I also might be completely wrong with the idea that it has something to do with the difference between BSD and Linux.

Any help here is very welcome. I have no idea left on where to look for the problem.

We also have exactly this issue with UPC Ireland.

No resolution as of yet no matter what we tried.

Thanks

Hello,

Thanks for your reply!

I'm using version 2.1.3.

So, is there any configuration to send packets (at least ARP replies) with the vip mac address ?

I think I know what's causing that, if you're referring to Interfaces>assign. There was an edge case along those lines that's been fixed in 2.2. Could try your config on a test 2.2 install and see if you can replicate? I suspect not, but if so I'd like to look at it ASAP as we're nearing release candidate stage on 2.2.

Hello viragomann,

Thank you for your reply!

I can see that notification is sent when CARPSYNC has issues. This is very helpful.

Is there a command line way of checking that there is an issue?

Thank you

@_Cyph3r_:

Your post confused me a bit, because outbound nat is not "gateway" based.

Am I correct in assuming that

you have a WAN interface with a public ip you have a TestLAN interface with a private ip you want traffic from the TestLAN towards internet to be originating as if it was the Public VIP?

Outbound NAT rule like this should do the trick:

Interface: WAN Source: subnet(s) behind the TestLAN (eg 192.168.1.0/24) Translation: your VIP everything else left on default

Can't comment on the failover, sorry.

Thank you for your answer Cypher.

Here is what i did this far:

VIP - IP alias - This ip is in the same range as the WAN ip.

Outbound NAT rule:

Interface: The interface mentioned above in the VIP conf.
Subnet: TEST_LAN subnet
Translation: The VIP mentioned above
Static Port: No

Did the same for the ISAKMP one (just changed the translation in fact) but Static Port is at Yes.

Firwall rule:

Protocol: any
source: Test_LAN subnet
destination: any
gateway: The gateway of the WAN mentionned above.

So now i can ping 8.8.8.8 or www.google.com but, i can't access http://www.google.com or any other website in a browser from the LAN.

Also tried with another browser, no luck there.

@Derelict: Thank you for your answer Derelict, if i understand well, i just have to configure an outbound NAT rule for each WAN interface on the TEST_LAN and when failover happens, it will just use the one corresponding to the actual WAN ?

Thanks.

EDIT: We tried some other protocols, SSH work.

I tried adding some outbound NAT rules stating that the target ports is 80 and another for 443, didn't work.

Also tried the same two rules with the static port options activated, didn't work either.

It's strange, it seems to fail to map some ports, but 30022 (the modified ssh port we use) worked.