CARP Failover between firewalls
-
I am working on a firewall failover setup. Each firewall has 8 interfaces, each with its own unique IP address. I have one dedicated failover interface defined on each firewall and a Virtual IP for each pair of NICs. Under the CARP status page I can see master on one firewall for each interface, and backup for its pair on the other firewall.
I have CARP set up and working properly (I think) to the point where I can disconnect a single NIC, or multiple NICs, from one firewall and still pass traffic, but if I disconnect an interface on one firewall and another on the other firewall (different pairs), traffic stops passing on the last removed NIC until I plug in the first disconnected NIC, and then traffic passes again.
My question is: should this work, or is this a limitation of CARP?
Here is a rough diagram of my setup
fw1_nic1<-->VLAN10<-->fw2_nic1
fw1_nic2<-->VLAN2<-->fw2_nic2
fw1_nic3<-->VLAN3<-->fw2_nic3
fw1_nic4<-->VLAN4<-->fw2_nic4
fw1_nic5<-->VLAN5<-->fw2_nic5
fw1_nic6<-->VLAN6<-->fw2_nic6
fw1_nic7<-->VLAN7<-->fw2_nic7
fw1_nic8<---------------->fw2_nic8
These are connected to an HP switch using untagged VLANs.
-
Anything you do to either of a completely separate pair of systems won't impact a different pair. There are a variety of general network issues that could cause the described scenario, maybe routing to non-CARP IPs somewhere, among other possibilities.
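The symptom in the question (traffic stops on one VLAN until a NIC on the other firewall is plugged back in) is what you would see if a VHID ends up with no MASTER on either box, or with a MASTER on both. The first thing a practitioner checks in that situation is, for every VHID, what state each firewall reports. The script below is an added example, not code from this thread or from pfSense; it assumes the "carp:" lines from `ifconfig` on each firewall have already been collected into one line per interface in the form `ifname carp: STATE vhid N ...` (for instance with `ifconfig | awk '/^[a-z]/{i=$1} /carp:/{print i, $0}'`, which is an assumption about how you gather them). The two sample captures are constructed to mirror the question's failure: VHID 3 is BACKUP on both firewalls, so nobody answers for that Virtual IP.

```shell
#!/bin/sh
# Constructed sample captures (not real output). Each line is:
#   <ifname> carp: <STATE> vhid <N> advbase <a> advskew <s>
# as produced by the ifconfig/awk pipeline described in the lead-in.
FW1_CARP='em0 carp: MASTER vhid 10 advbase 1 advskew 0
em1 carp: MASTER vhid 2 advbase 1 advskew 0
em2 carp: BACKUP vhid 3 advbase 1 advskew 0'

FW2_CARP='em0 carp: BACKUP vhid 10 advbase 1 advskew 100
em1 carp: BACKUP vhid 2 advbase 1 advskew 100
em2 carp: BACKUP vhid 3 advbase 1 advskew 100'

# carp_pair_status FW1_LINES FW2_LINES
# Prints one verdict per VHID and returns 0 only if every VHID has exactly
# one MASTER across the pair. NO-MASTER means nobody serves that Virtual IP
# (the question's symptom); DUAL-MASTER means a split brain, which usually
# points at the two boxes not seeing each other's CARP advertisements.
carp_pair_status() {
    {
        printf '%s\n' "$1" | sed 's/^/fw1 /'
        printf '%s\n' "$2" | sed 's/^/fw2 /'
    } | awk '
        # fields: $1 host, $2 ifname, $3 "carp:", $4 STATE, then "vhid N"
        $3 == "carp:" {
            vhid = ""
            for (i = 4; i <= NF; i++) if ($i == "vhid") vhid = $(i + 1)
            if (vhid == "") next          # malformed line: ignore it
            state[$1, vhid] = $4
            seen[vhid] = 1
        }
        END {
            bad = 0
            for (v in seen) {
                s1 = state["fw1", v]; s2 = state["fw2", v]
                if (s1 == "") s1 = "MISSING"   # VHID not configured on fw1
                if (s2 == "") s2 = "MISSING"   # VHID not configured on fw2
                masters = (s1 == "MASTER") + (s2 == "MASTER")
                if (masters == 1)      verdict = "OK"
                else if (masters == 0) { verdict = "NO-MASTER";   bad = 1 }
                else                   { verdict = "DUAL-MASTER"; bad = 1 }
                printf "vhid %s: fw1=%s fw2=%s %s\n", v, s1, s2, verdict
            }
            exit bad
        }'
}

# Run the check on the constructed captures.
if carp_pair_status "$FW1_CARP" "$FW2_CARP"; then
    echo "every VHID has exactly one MASTER"
else
    echo "at least one VHID is not being served; see the flagged lines above"
fi
```

Run it on both firewalls' captures whenever a failover test misbehaves: a VHID reported as NO-MASTER on the VLAN that stopped passing traffic confirms the problem is CARP election on that pair rather than routing, while an all-OK result with traffic still failing points, as the reply above suggests, at something outside CARP such as routes or NAT bound to a non-CARP interface address.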