Unable to ping tier 2 CARP VIP in dual WAN [RESOLVED]
-
Hi,
I am using 2 SG-2440 units setup with HA, dual WAN, and CARP VIPs on WAN and LAN sides. Seems to be working correctly for the most part. A few problems with ipsec failover, but thats a different issue.The dual wan is configured with a single failover gateway group using 2 tiers and the appropriate VIPs. No load balancing is configured.
I have added a floating rule to allow icmp echo requests to both wan interfaces (maybe this is part of the problem?)
The issue is I am ALWAYS able to ping the VIP on the primary (tier 1) isp connection. To test, I "Mark Gateway as Down". After doing that I am able to establish a new ipsec tunnel using the VIP on the tier 2 connection. I have also tested by configuring a monitor IP where I can disable ping response and see the same rfesult.
In both cases, I can still ping the tier 1 VIP, and I cannot ping the tier 2 VIP, even though it appears to be passing traffic.Am I doing somethign wrong?
-
Floating rules do not get "reply-to" so they can't return traffic out the interface it entered. Replies matching a floating rule will always exit out the default gateway/follow the routing table.
Put the pass rules on each WAN individually.
-
Thanks, that fixed the issue.
