CARP/HA in XCP-ng losses packets when in different hypervisor

Luis Cordero · Aug 23, 2023, 9:57 AM

Hi,
i have a setup of Pfsense Firewalls in HA that works perfectly fine when both FWs are in the same hypervisor, however when i migrate one of the FW Virtual Machines to a different hypervisor starts lossing a lot of packets

my configuration is the following:
There is a public IP associated to the CARP WAN interface
xn0- WAN:
CARP:172.16.0.1/24
Primary:172.16.0.2/24
Secondary:172.16.0.3/24

xn1- LAN:
CARP: 172.16.100.1/24
Primary:172.16.100.2/24
Secondary:172.16.100.3/24

xn2- MGMT:
CARP: 172.16.116.1/24
Primary: 172.16.116.2/24
Secondary: 172.16.116.3/24

xn3- SYNC:
Primary: 192.168.0.1/24
Secondary: 192.168.0.2/24

My question: Does anyone knows why i would start lossing packets?

I haver already try the following:
Install Xen-Server tools on the Pfsense VM (source: https://tweenpath.net/running-pfsense-xenserver-xenguest/)

planedrop · Aug 24, 2023, 6:46 AM

When you say "migrate to a different hypervisor" do you mean a different host running the same hypervisor software or do you mean an entirely different hypervisor (like VMWare or something)?

Luis Cordero · Aug 24, 2023, 6:46 AM

@planedrop said in CARP/HA in XCP-ng losses packets when in different hypervisor:

rvisor (like

Yes, we have a machine with 4 hypervisors. when we move one VM in changes the entire supervisor.
Each hipervisor is connected to a switch in the same manner and configuration

planedrop · Aug 24, 2023, 4:31 PM

@Luis-Cordero But are these all XCP-ng or do you have like Proxmox, Hyper-V, VMWare, and XCP-ng? Moving VMs between different hypervisors is usually not an easy task.

Moving them between different hosts of the same hypervisor platform though is a different story.

Either way it sounds like one of the CARP interfaces isn't properly syncing, maybe they can't reach each other once moved to the other host.

Luis Cordero · Aug 29, 2023, 7:51 AM

@planedrop said in CARP/HA in XCP-ng losses packets when in different hypervisor:

cing, maybe they can't

By any chance do you know any know issue for why is there a communication error when host are in differents hypervisors

in the picture it shows when both primary and secondary firewalls are in the same hypervisor everything is ok, but when i change from a to b starts lossing packets

planedrop · Aug 29, 2023, 7:24 PM

@Luis-Cordero OK so looks like both hosts are running XCP-ng.

There are a lot of things that could cause this behavior, are the two hosts in a pool together or 2 separate pools? Either way they are probably communicating over a switch, maybe that physical switch doesn't have the right VLANs in place?