Virtual IP On LAN - Very Slow takeover
Hi All,
I'm hoping someone can give me some idea of what the problem may be here, currently I'm a bit stumped ???
Main Setup -----------------------------------------------------------------

              Firewall1            Firewall2
LAN           192.168.0.3/21       192.168.0.4/21
WAN           213.48.xxx.xx1/28    213.48.xxx.xx2/28
DMZ           10.0.0.31/8          10.0.0.32/8
CARP          10.0.5.2/28          10.0.5.3/28
VPN LAN       bridged with LAN     NA

CARP Interfaces
              Firewall1            Firewall2
CARP0         VHID1                VHID1
  IP:         192.168.0.250/21     192.168.0.250/21
  Pass:       test                 test
  Advertise:  5                    105
CARP1         VHID2                VHID2
  IP:         10.0.0.250/8         10.0.0.250/8
  Pass:       test1                test1
  Advertise:  5                    105
CARP2         VHID3                VHID3
  IP:         213.48.xxx.xx5/28    213.48.xxx.xx5/28
  Pass:       test2                test2
  Advertise:  5                    105

Rules on CARP LAN
Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
*      *                                                    CARP LAN

The CARP network is located on a dedicated separate switch.
End setup ------------------------------------------------------------------
The situation is that I can communicate with all the virtual IPs from machines on each of the networks.
If I send a ping packet to the 10.0.0.250 virtual address it will respond without even dropping a packet... even when I drop CARP on one box and bring it back up the changeover is seamless.
The problem comes with the virtual IP on the LAN, 192.168.0.250. If I disable CARP on the primary box the changeover is instant. Even sending pings to the interface while CARP is taking over from primary to secondary does not result in lost packets.
However, if I bring CARP back up on the primary box packets get lost... lots of them. In fact it takes about 5 minutes for the 192.168.0.250 IP to respond to pings again on the primary, even though in the CARP status the primary box instantly recognizes itself as master.

I have rebuilt both boxes from scratch on more than one occasion. I have tried different IPs and even multiple IPs on the LAN, e.g. 192.168.0.1, 192.168.251 etc. I have even had the primary configured on different boxes with different NICs.
I always have the same problem: the primary box takes a good while to take over the LAN IP... all the other IPs work fine.
I am using version 1.2.2 built on Thu Jan 8 22:30:24 EST 2009
Any help would be greatly appreciated.
Many thanks
James
Ok, so I didn't actually read your whole post, sorry. But I did notice your DMZ conflicts with your CARP subnet. Do you really need a whole class A for the DMZ? Either change that or move the CARP subnet to 172.16.5.0/28 or something. Oh, and what's with the advskew being 5 and 105? You should leave these at defaults (0 for the master, 100 for the backup).
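The overlap Dotdash spotted (a /28 CARP segment carved out of the DMZ's /8) is easy to miss by eye, so here is an added sanity check, not anything from the thread or from pfSense itself, that rebuilds Firewall1's interface table from the post and flags overlapping subnets, VIPs that sit on no local subnet, and VHIDs whose advskew ordering would not let the master win. The masked WAN octets are replaced by a placeholder 213.48.1.x range, and the 172.16.5.2/28 "fixed" entry is Dotdash's suggestion applied.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread's setup table (not the poster's config files). The WAN
# octets are masked in the post, so 213.48.1.x is a placeholder for 213.48.xxx.xx.
FIREWALL1 = {"LAN": "192.168.0.3/21", "WAN": "213.48.1.1/28",
             "DMZ": "10.0.0.31/8", "CARP": "10.0.5.2/28"}
# Dotdash's suggested fix: move the CARP/pfsync interface out of the DMZ's /8.
FIREWALL1_FIXED = dict(FIREWALL1, CARP="172.16.5.2/28")

# Per-VHID CARP settings as posted; skew is (master advskew, backup advskew).
VHIDS = {
    1: {"vip": "192.168.0.250/21", "pass": "test",  "skew": (5, 105)},
    2: {"vip": "10.0.0.250/8",     "pass": "test1", "skew": (5, 105)},
    3: {"vip": "213.48.1.5/28",    "pass": "test2", "skew": (5, 105)},
}


def find_overlaps(ifaces):
    """Pairs of interfaces whose subnets overlap. Two interfaces claiming the same
    address space give the kernel two candidate routes for the same destination,
    so CARP/pfsync traffic can leave the wrong interface; that is the thread's bug."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in ifaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def vip_on_wrong_subnet(ifaces, vhids):
    """VHIDs whose virtual IP does not fall inside any interface subnet of the box."""
    nets = [ipaddress.ip_interface(c).network for c in ifaces.values()]
    return [v for v, cfg in vhids.items()
            if not any(ipaddress.ip_interface(cfg["vip"]).ip in n for n in nets)]


def advskew_issues(vhids):
    """VHIDs where the master's advskew is not strictly below the backup's, so the
    backup would not reliably yield (defaults are 0 for master, 100 for backup)."""
    return [v for v, cfg in vhids.items() if cfg["skew"][0] >= cfg["skew"][1]]


if __name__ == "__main__":
    print("overlaps as posted:", find_overlaps(FIREWALL1))        # [('CARP', 'DMZ')]
    print("overlaps after fix:", find_overlaps(FIREWALL1_FIXED))  # []
    print("VIPs off-subnet:", vip_on_wrong_subnet(FIREWALL1_FIXED, VHIDS))
    print("advskew problems:", advskew_issues(VHIDS))
```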
Hi Dotdash,
Cheers for the response. I have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I don't actually need a class A for my DMZ either, it just happens to be that this is how it was configured originally, and as I have many servers in the DMZ and it works I'm not going to reassign them all. The reason I have assigned the advskew to 5 and not 0 is so that I can add my main pfSense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.
Anyway, cheers for the assistance. If I have any more probs I'll post back... I should know in a day or two if everything is working fine.