Netgate Discussion Forum
    Backup firewall blocks all traffic that tries to get through it

    HA/CARP/VIPs
    13 Posts 3 Posters 2.1k Views

    viragomann:

    It seems that the states aren't synchronized.
    Have you checked "Synchronize states" in the HA settings?

    coachmark2:

    Yes, synchronize states is checked. I can't tell if they're making it over, but even if they aren't, shouldn't a device be able to open a new state through the backup?

    viragomann:

    You can check it by the number of states on the dashboard, and check a particular state in Diagnostics > States.

    @coachmark2:

    shouldn't a device be able to open a new state through the backup?

    Yes, but only if a new connection is established. If you open a new connection, it should also work on the second box.

    coachmark2:

    Agreed, which is what has me mystified. Devices are unable to establish new states and existing ones aren't functional.

    What would you try next?

    viragomann:

    Is the hardware of both boxes identical? States are bound to the interface's hardware name.

    coachmark2:

    @viragomann:

    Is the hardware of both boxes identical? States are bound to the interface's hardware name.

    Yep, identical hardware. PowerEdge R200 boxes with an Intel PRO/1000 dual-port NIC onboard.

    No messages in the logs about failed syncs or anything.

    dotdash:

    You've got everything using the CARP IP as the gateway, and all the outbound NAT using the CARP IP?

    coachmark2:

    Yep, everything is using the shared VIP as the GW. Outbound NAT uses it as well on the WAN side.

    viragomann:

    The blocks in your screenshot above definitely show out-of-state packets. If the second box is master and you establish a new connection, a TCP:S flag must be logged if logging for the appropriate rule is on; otherwise the SYN packet is not going through this box.

    I would try to disconnect the master box for testing.

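    The check described in the post above, as an added example that is not part of the thread and not Netgate's code: a small parser for pfSense filterlog lines that buckets each TCP packet by flags, so that blocks of mid-stream packets (A, PA, FA with no state on this box) are separated from blocks of new connections (a rule problem) and from passed SYNs (proof that new connections really traverse this box). The log lines are constructed, and the CSV field order assumed is the documented pfSense filterlog layout for IPv4 and IPv6; the function names are this example's own.

```python
"""Bucket pfSense filterlog entries by TCP flags to spot out-of-state blocks.

Added example; not code from the forum thread or from pfSense/Netgate.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample lines (not from the thread). Assumed field order after the
# syslog prefix: rule-number,sub-rule,anchor,tracker,interface,reason,action,
# direction,ip-version, then IPv4 header fields (tos,ecn,ttl,id,offset,flags,
# proto-id,proto,length,src,dst) and for TCP (sport,dport,data-len,tcp-flags,
# seq,ack,window,urg,options); UDP carries (sport,dport,data-len).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw2 filterlog[40011]: 1000000103,,,1000000103,em0,match,block,in,4,0x0,,64,10211,0,none,6,tcp,52,192.168.1.20,8.8.8.8,51422,443,0,A,1234567,7654321,65535,,
Jan 10 12:00:01 fw2 filterlog[40011]: 1000000103,,,1000000103,em0,match,block,in,4,0x0,,64,10212,0,none,6,tcp,1452,192.168.1.20,8.8.8.8,51422,443,1400,PA,1234567,7654321,65535,,
Jan 10 12:00:02 fw2 filterlog[40011]: 1000000103,,,1000000103,em0,match,block,in,4,0x0,,64,10213,0,none,6,tcp,52,192.168.1.21,198.51.100.7,50001,22,0,FA,99,100,512,,
Jan 10 12:00:02 fw2 filterlog[40011]: 5,,,1000000105,em0,match,pass,in,4,0x0,,128,3001,0,DF,6,tcp,60,192.168.1.30,8.8.4.4,55010,53,0,S,424242,0,65535,,mss;nop;wscale
Jan 10 12:00:03 fw2 filterlog[40011]: 7,,,1000000107,em0,match,block,in,4,0x0,,128,3002,0,DF,6,tcp,60,192.168.1.31,203.0.113.9,55011,23,0,S,7,0,65535,,mss
Jan 10 12:00:03 fw2 filterlog[40011]: 5,,,1000000105,em0,match,pass,in,4,0x0,,128,3003,0,none,17,udp,73,192.168.1.30,8.8.4.4,55012,53,53
"""


@dataclass(frozen=True)
class Entry:
    interface: str
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: str   # e.g. "S", "A", "PA"; empty for non-TCP


def parse_filterlog_line(line: str) -> Optional[Entry]:
    """Parse one syslog line from filterlog; returns None for anything else."""
    start = line.find("filterlog[")
    if start < 0:
        return None
    sep = line.find(": ", start)
    if sep < 0:
        return None
    f = line[sep + 2:].strip().split(",")
    if len(f) < 9:
        return None
    interface, action, direction, ipver = f[4], f[6], f[7], f[8]
    if ipver == "4":                       # IPv4 header block is 11 fields
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":                     # IPv6: class,flow,hlim,proto,id,len,src,dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    sport = dport = None
    flags = ""
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            flags = rest[3]
    return Entry(interface, action, direction, proto, src, dst, sport, dport, flags)


def classify(e: Entry) -> str:
    """What a logged packet says about state handling on this firewall."""
    if e.proto != "tcp":
        return "non_tcp"
    syn_only = "S" in e.tcp_flags and "A" not in e.tcp_flags
    if syn_only:  # a brand-new connection hitting the ruleset
        return "new_connection_passed" if e.action == "pass" else "new_connection_blocked"
    if e.action == "block":  # mid-stream packet that found no state on this box
        return "out_of_state_block"
    return "established_passed"


def summarize(log_text: str) -> Counter:
    entries = filter(None, map(parse_filterlog_line, log_text.splitlines()))
    return Counter(classify(e) for e in entries)


def out_of_state_flows(log_text: str) -> Set[Tuple[str, int, str, int]]:
    """Distinct 4-tuples whose mid-stream packets were dropped for lack of state."""
    flows = set()
    for e in filter(None, map(parse_filterlog_line, log_text.splitlines())):
        if classify(e) == "out_of_state_block":
            flows.add((e.src, e.sport, e.dst, e.dport))
    return flows


def diagnose(log_text: str) -> str:
    """Turn the counts into the next troubleshooting step from the thread."""
    c = summarize(log_text)
    if c["out_of_state_block"] and not c["new_connection_passed"]:
        return "no SYNs pass here: traffic is not reaching this box as master"
    if c["out_of_state_block"]:
        return "SYNs pass but mid-stream packets lack state: check pfsync / return path"
    return "no out-of-state drops seen"


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    print(sorted(out_of_state_flows(SAMPLE_LOG)))
    print(diagnose(SAMPLE_LOG))
```

    On a real box the input would come from `clog /var/log/filter.log` or the Status > System Logs > Firewall export; the point of the buckets is that a screen full of blocks with A, PA or FA flags and not a single logged S means either no state was synced for those flows or the SYN never crossed this firewall at all.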
    coachmark2:

    Should I try pointing the gateway of a few clients at the "real" LAN IP address of the backup firewall?

    viragomann:

    For testing, you can do that.
    But if the second is master and the other is disconnected from WAN and LAN, the second owns the CARP VIP and it should also work this way.

    coachmark2:

    Okay, just tried that. The plot thickens.

    Now the logs are reporting that the traffic is being allowed. I also see traffic from my Windows DNS servers reaching out to Google's public resolvers being shown as "Passed". However, running nslookups and pinging anything that isn't LAN side isn't working :(

    This is thoroughly mystifying. This was working only a week ago, I believe.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.