CARP Interface not automatically created on Secondary
-
I've got a pair of pfSense FWs I've been testing, and one of the stranger issues that comes up is that frequently, when I create a CARP VIP, the interface will come up on the Master OK, and the Status in the "Status" menu looks fine, but when I look at the status on the secondary, the secondary shows the IP, but the column that should have the carp interface name is empty except for the green arrow icon, and the status column is also blank except for the icon.
If I click on "Disable CARP", it will refresh and then show the interface name, and when I click on "Enable CARP", it will enable OK and go to BACKUP status, but if I don't think to check and fail from Master to Secondary before doing this, the IP, though listed in the Status page and in the rules, etc., will not come up. This is pretty rough, as every time I create a VIP I'll need to check on the slave and cycle CARP. It's also bad because I noticed that under a fair load, when I cycle CARP on the Secondary, the Master seems to take a little bit of a hit… the traffic graph shows a dip for a couple seconds. Not enough to error, but a little slowdown.
Also, in a slightly related topic (and this one may be answered in the forums, I didn't look, sorry), what is the preferred method for failing over a box? Is it disabling CARP from the Status page? I wasn't sure if there is a better way to go about moving IPs for, say, upgrades.
Thanks!
-
Want to ping a little bit on this… Basically whenever I add a CARP VIP to the master, I have to log into the backup and start/stop CARP.
-
I was working on using the PHP interface to create a CARP VIP and NAT to an IP and the first attempt on this involved me just adding to the config array, and not actually calling any of the functions that I needed to reset things. After doing this, I noticed that the result looked exactly like what it looks like when I create a CARP VIP on my Primary: namely that the info is synced, but no interface is assigned. Basically, I'd run something like:
$GLOBALS['config']['virtualip']['vip'][7]['mode'] = 'carp';
$GLOBALS['config']['virtualip']['vip'][7]['interface'] = 'wan';
$GLOBALS['config']['virtualip']['vip'][7]['vhid'] = 8;
$GLOBALS['config']['virtualip']['vip'][7]['advskew'] = 0;
$GLOBALS['config']['virtualip']['vip'][7]['password'] = '******';
$GLOBALS['config']['virtualip']['vip'][7]['descr'] = 'new interface';
$GLOBALS['config']['virtualip']['vip'][7]['type'] = 'single';
$GLOBALS['config']['virtualip']['vip'][7]['subnet_bits'] = 32;
$GLOBALS['config']['virtualip']['vip'][7]['subnet'] = '1.1.1.1';
write_config("Adding new interface");
exec
and it would add it but there would be no carp interface assigned. So I looked through the PHP used in the pages to add a VIP and discovered this particular group of functions:
config_lock();
services_proxyarp_configure();
reset_carp();
filter_configure();
config_unlock();
After running that, the interface came up. I'm wondering if the reset_carp() function is not being executed when the new VIP is synced over to the secondary firewall.
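
A check for the symptom described in this thread, as an added example (not from the posts and not pfSense's own code): it compares the CARP VIPs in the secondary's synced config.xml with the carp interfaces that actually exist, so a VIP that synced without an interface is caught before a failover. The sample config and ifconfig text are constructed, and the ifconfig layout (a `carp: STATE vhid N` line under each carpN interface) is an assumption about the release in use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the synced config.xml on the secondary (values are made up).
CONFIG_XML = """<pfsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
       <subnet>192.0.2.10</subnet><subnet_bits>32</subnet_bits></vip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>8</vhid>
       <subnet>192.0.2.18</subnet><subnet_bits>32</subnet_bits></vip>
  <vip><mode>proxyarp</mode><interface>wan</interface>
       <subnet>192.0.2.30</subnet><subnet_bits>32</subnet_bits></vip>
</virtualip></pfsense>"""

# Constructed ifconfig output from the secondary: only vhid 1 has an interface.
# The layout is assumed (older FreeBSD carp(4) style), not taken from the thread.
IFCONFIG = """em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 192.0.2.10 netmask 0xffffffff
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
"""

def configured_carp_vips(config_xml):
    """Return {vhid: address} for every VIP in config.xml whose mode is carp."""
    root = ET.fromstring(config_xml)
    return {int(v.findtext("vhid")): v.findtext("subnet")
            for v in root.iterfind("./virtualip/vip")
            if v.findtext("mode") == "carp"}

def live_carp_vips(ifconfig_text):
    """Return {vhid: (ifname, address, state)} for carp interfaces that exist."""
    live, ifname, addr = {}, None, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():          # start of a new interface stanza
            ifname, addr = line.split(":", 1)[0], None
        elif m := re.match(r"\s+inet (\S+)", line):
            addr = m.group(1)
        elif m := re.match(r"\s+carp: (\S+) vhid (\d+)", line):
            live[int(m.group(2))] = (ifname, addr, m.group(1))
    return live

def missing_vips(config_xml, ifconfig_text):
    """VIPs present in the config but with no matching live carp interface."""
    live = live_carp_vips(ifconfig_text)
    return sorted((vhid, addr) for vhid, addr in configured_carp_vips(config_xml).items()
                  if vhid not in live or live[vhid][1] != addr)

if __name__ == "__main__":
    for vhid, addr in missing_vips(CONFIG_XML, IFCONFIG):
        print(f"vhid {vhid} ({addr}): in config, no carp interface; cycle CARP before failover")
```

Run against the real config.xml and ifconfig output from the secondary after each VIP is added on the master; an empty result means every synced CARP VIP has an interface.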