Netgate Discussion Forum

Point to Point CARP dropping out

HA/CARP/VIPs
newcoit:

      All,

We have a setup of one PF cluster in one location talking over a point to point to another PF cluster. The problem is we cannot use the VIP between the two clusters. If we try to use the VIP, we sustain massive packet loss.

      Example –

      FWCluster 1

      FW1 - 192.168.10.2 - master
      FW2 - 192.168.10.3
      VIP - 192.168.10.1

      FWCluster 2
      FW1 - 192.168.10.11 - master
      FW2 - 192.168.10.12
      VIP - 192.168.10.10

When we use the VIP for routing traffic, we sustain massive packet loss, but a few packets do actually go through; using the two master IPs, we have zero drops and everything works fine.

Thoughts? Anyone else have this issue?

Background info:

Both firewall clusters are VMware nodes.

Both have Promiscuous Mode enabled, as well as MAC Address Changes and Forged Transmits, all in VMware for both the VLAN switch and the VLAN itself.

VIPs work fine for private IPs and the public side. Just the point to point VIPs have the issue.

When I'm coming from the LAN pinging the VIP behind the same firewall, it pings without issue. If I ping the remote firewall, I get the same packet loss. This is the same vice versa from either side.

Any help would be greatly appreciated.

      Thanks

cmb:

Solved this one via commercial support, following up here for the sake of others who find it in the future. The problem was using a CARP IP with the same VHID on two separate pairs. Input validation prevents doing so on a single pair. When you have multiple pairs on the same broadcast domain, make sure you use unique VHIDs, since the VHID determines the MAC address. When you duplicate VHIDs, you create duplicate MACs, which causes the typical issues you get with duplicate MACs: significant packet loss and general network confusion.

It is also a good idea to only use each VHID once at each physical location, even on separate broadcast domains (VLANs). While that should work without problems, as switches should keep the MACs specific to each VLAN appropriately, it can potentially confuse your switches.

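As an added example (not code from the thread or from pfSense), here is a Python inventory check that derives each CARP VIP's virtual MAC from its VHID and flags the two situations cmb describes: the same VHID on two clusters that share a broadcast domain (a duplicate MAC, the cause of the packet loss above), and a VHID reused at one site across VLANs. The inventory is constructed around the thread's two clusters; the VHID values, site labels and broadcast-domain names are assumptions, since the thread only gives the IPs.

```python
from collections import defaultdict

# Constructed inventory modelled on the thread: one VIP entry per cluster per
# broadcast domain. VHIDs, site labels and domain names are assumed, not from the thread.
VIPS = [
    {"cluster": "FWCluster1", "site": "A", "domain": "p2p-link",  "vip": "192.168.10.1",  "vhid": 10},
    {"cluster": "FWCluster2", "site": "B", "domain": "p2p-link",  "vip": "192.168.10.10", "vhid": 10},
    {"cluster": "FWCluster1", "site": "A", "domain": "siteA-lan", "vip": "10.1.0.1",      "vhid": 10},
    {"cluster": "FWCluster2", "site": "B", "domain": "siteB-wan", "vip": "203.0.113.10",  "vhid": 20},
]


def carp_mac(vhid: int) -> str:
    """CARP derives the virtual MAC from the VHID: 00:00:5e:00:01:<vhid as two hex digits>."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1-255, got {vhid}")
    return f"00:00:5e:00:01:{vhid:02x}"


def find_conflicts(vips):
    """Return (hard, soft) findings.

    hard: one VHID used by more than one cluster on the same broadcast domain, so the
          clusters advertise the same virtual MAC (the duplicate-MAC fault in the thread).
    soft: one VHID reused at a single physical site across different broadcast domains;
          it works, but the reply above advises keeping VHIDs unique per site.
    """
    clusters_by_domain_vhid = defaultdict(set)
    domains_by_site_vhid = defaultdict(set)
    for v in vips:
        clusters_by_domain_vhid[(v["domain"], v["vhid"])].add(v["cluster"])
        domains_by_site_vhid[(v["site"], v["vhid"])].add(v["domain"])

    hard = sorted(
        (domain, vhid, carp_mac(vhid), sorted(clusters))
        for (domain, vhid), clusters in clusters_by_domain_vhid.items()
        if len(clusters) > 1
    )
    soft = sorted(
        (site, vhid, sorted(domains))
        for (site, vhid), domains in domains_by_site_vhid.items()
        if len(domains) > 1
    )
    return hard, soft


if __name__ == "__main__":
    hard, soft = find_conflicts(VIPS)
    for domain, vhid, mac, clusters in hard:
        print(f"DUPLICATE MAC {mac}: VHID {vhid} on {domain} used by {', '.join(clusters)}")
    for site, vhid, domains in soft:
        print(f"warning: VHID {vhid} reused at site {site} across {', '.join(domains)}")
```

Run against the constructed inventory it reports the p2p-link collision on VHID 10 (MAC 00:00:5e:00:01:0a) and a warning for VHID 10 being reused at site A; giving each cluster its own VHID per site clears both.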