Failover split brain effect
Hi Guys,
I need some help with a strange behavior with 2 firewalls in failover mode.
Config
- pfSense 2.1.3-Release
- FreeBSD 8.3
- running in 2 VMs with vSphere 5.1
Firewall 1 (default master)
WAN1 : 91.xxx.xxx.1
WAN2 : 46.xxx.xxx.1

Firewall 2 (default backup)
WAN1 : 91.xxx.xxx.2
WAN2 : 46.xxx.xxx.2

CARP VIP
WAN1 : 91.xxx.xxx.3
WAN2 : 46.xxx.xxx.3

Step 1 : Shutdown Firewall 1
Firewall 2 becomes the master. Perfect!
But I see this kind of logs for firewall 2:
Block - WAN1 - 46.xxx.xxx.2 - 224.0.0.18: VRRPv2, advertisement, vrid 15…
Block - WAN1 - 46.xxx.xxx.2 - 224.0.0.18: VRRPv2, advertisement, vrid 16...
Block - WAN1 - 46.xxx.xxx.2 - 224.0.0.18: VRRPv2, advertisement, vrid 13...
...

Step 2 : Restarting Firewall 1
Firewall 1 and 2 are both in master mode and all connections are very slow (split brain?)
Firewall 1 logs :
Block - WAN1 - 46.xxx.xxx.1 - 224.0.0.18: VRRPv2, advertisement, vrid 23…
Block - WAN1 - 46.xxx.xxx.1 - 224.0.0.18: VRRPv2, advertisement, vrid 22...
Block - WAN2 - 91.xxx.xxx.1 - 224.0.0.18: VRRPv2, advertisement, vrid 6...
Block - WAN2 - 91.xxx.xxx.1 - 224.0.0.18: VRRPv2, advertisement, vrid 8...
...
Firewall 2 logs :
Block - WAN1 - 46.xxx.xxx.2 - 224.0.0.18: VRRPv2, advertisement, vrid 23…
Block - WAN1 - 46.xxx.xxx.2 - 224.0.0.18: VRRPv2, advertisement, vrid 22...
...

I'm surprised to see WAN1 with an IP 46.xxx.xxx.x instead of 91.xxx.xxx.x (and vice versa for WAN2).
If I click on the red cross icon, I see the following message:
@36 block drop in log quick proto carp from (self:37) to any

Perhaps unrelated to the problem, but a notification (in the header) appears with the following message:
There were error(s) loading the rules pfctl: DIOCADDRULE: Device busy - The line in question reads [0]

Step 3 : Rebooting Firewall 2
Firewall 1 stays master and Firewall 2 comes back to Backup. Perfect!

Thanks for your support!