HA strange behaviour, problems on passive box
-
Logs after the failover:
PF1:
NOTE: check the top line, this one is ONLY for the DMZ, not for the others, not sure why
PF2:
PF2 goes to MASTER as expected:
PF1 has disabled status:
Now let's get all back, cleared the logs first
PF1 logs after becoming master again:
And then that RESET DEMOTION STATUS button appeared again, when clicking it I get new lines in the log:
And PF2 logs after becoming backup:
-
@viniciusbr
Don't disable CARP on PF1, just activate the "persistent maintenance mode". -
The way you suggested:
PF1 went to backup status as expected and PF2 as master as expected.
NOTES:
- PF1 as master I sill cannot ping PF1 IP from DMZ;
- PF2 as master DMZ is gone, can only ping PF1 IP, VIP and PF2 IP does not work;
PF1 logs:
PF2 logs:
-
@viniciusbr
Just to be sure, is the promiscuous mode enabled on ESXi? -
-
@viniciusbr
Check out the ARP entry in the PF2 log where you've hidden the IP.
It shows the IP moving from a CARP MAC to an physical MAC, when PF2 takes over. That seems strange to me.
Possibly the virtual IP has the wrong type or something else is miss-configured on that interface. -
@viragomann said in HA strange behaviour, problems on passive box:
y the virtual IP has the wrong type or something else is miss-configured on that interfa
I am investigating this, but that one is a public IP, which as far as I understand I am not having issues with.
DMZ is still the problem.
-
Here are the virtual IPs:
PF1:
PF2:
-
Now the basic questions:
- why from LAN I can ping both PF1 and VIP but NOT PF2? (DMZ IPs)
Looking at the firewall, it is allowed:
- same issue from DMZ:
- why from LAN I can ping both PF1 and VIP but NOT PF2? (DMZ IPs)
-
I was able to find the root cause of the issue:
Nothing to do with pfsense: vmware vs switch port access/trunk modes misconfiguration.
Thanks for the help!
-
@viniciusbr
Thanks for coming back with clarification. -
@viragomann Thanks for your help!
