CARP VIP becomes Master on both firewalls after IPalias is removed



  • I have seen this problem twice on our production cluster pfSense 2.3.1-1, but so far cannot reproduce it on a test pfSense cluster. The test firewalls are virtual running on KVM so the VLANs are being handled by Linux, so it's not quite the same environment.

    The production cluster uses a physical port for HA between the two firewalls, but the LANs are configured using a LAGG to two physical switches.  This LAGG is used by several VLANs. Each VLAN has a CARP with several IPaliases attached to each CARP.

    i.e.

    LAGG0    igb0,igb1
            VLAN 4 lagg0
                    CARP on VLAN4 interface
                            IPalias x.x.x.1
                            IPalias x.x.x.2
                            IPalias x.x.x.3
                            IPalias x.x.x.4
                            IPalias x.x.x.5
                            IPalias x.x.x.6

    When removing one of the IPaliases, its master CARP becomes Master on both primary and secondary firewalls for just that VLAN. The others on the same LAGG work normally. If I run a packet capture I see the VRRP packet from the primary firewall, yet the secondary is Master instead of Backup.

    This problem occurred immediately after removing the IPalias.  As I needed this system up I rebooted the primary firewall and it returned to normal.


  • Rebel Alliance Developer Netgate

    If you check the ifconfig output from both units, it will likely be different in some way than it was when it was working. If, for example, the secondary unit didn't remove the IP Alias VIP from the interface, that might cause it to think the master had a problem ("I should be master because the other node forgot about this IP address").
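
The comparison suggested in the reply above, as an added example that is not part of the original thread or pfSense's own code: it parses `ifconfig` output saved from each node and reports CARP addresses that exist on only one side. The interface name, vhid and 192.0.2.x addresses are constructed sample values.

```python
import re
from collections import defaultdict

IFACE = re.compile(r"^(\S+): flags=")
INET = re.compile(r"^\s+inet6? (\S+) .*\bvhid (\d+)")
CARP = re.compile(r"^\s+carp: (\w+) vhid (\d+)")

def parse_ifconfig(text):
    """Map (interface, vhid) -> {"state": str|None, "addrs": set} from ifconfig text."""
    vips = defaultdict(lambda: {"state": None, "addrs": set()})
    iface = None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := INET.match(line):
            vips[(iface, int(m.group(2)))]["addrs"].add(m.group(1))
        elif m := CARP.match(line):
            vips[(iface, int(m.group(2)))]["state"] = m.group(1)
    return dict(vips)

def compare_nodes(primary, secondary):
    """Return (iface, vhid, kind, detail) findings for VIP drift between nodes."""
    # FreeBSD CARP authenticates advertisements with an HMAC that covers the
    # vhid's addresses, so nodes with different address sets ignore each other.
    empty = {"state": None, "addrs": set()}
    findings = []
    for key in sorted(set(primary) | set(secondary)):
        p, s = primary.get(key, empty), secondary.get(key, empty)
        for addr in sorted(s["addrs"] - p["addrs"]):
            findings.append((*key, "only-on-secondary", addr))
        for addr in sorted(p["addrs"] - s["addrs"]):
            findings.append((*key, "only-on-primary", addr))
        if p["state"] == s["state"] == "MASTER":
            findings.append((*key, "dual-master", "both nodes report MASTER"))
    return findings

def sample_ifconfig(addrs, state, advskew):
    """Build constructed ifconfig text for one VLAN interface (not a real capture)."""
    lines = ["lagg0_vlan4: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500"]
    lines += [f"\tinet {a} netmask 0xffffff00 broadcast 192.0.2.255 vhid 4" for a in addrs]
    lines.append(f"\tcarp: {state} vhid 4 advbase 1 advskew {advskew}")
    return "\n".join(lines)

# Constructed case: the alias 192.0.2.4 was removed on the primary only.
PRIMARY = sample_ifconfig(["192.0.2.1", "192.0.2.2", "192.0.2.3"], "MASTER", 0)
SECONDARY = sample_ifconfig(["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"], "MASTER", 100)

if __name__ == "__main__":
    for finding in compare_nodes(parse_ifconfig(PRIMARY), parse_ifconfig(SECONDARY)):
        print(finding)
```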

