2.3.2 WAN VIP blocks ping/management intermittently. Port forwards always work.

  • Hi guys.

    I've run into something weird. I have a 2.3.2 cluster with 4 VIPs configured (2 WANs, 2 LANs).

    I am often unable to ping or connect to the webConfigurator on the WAN VIP. The problem comes and goes. Sometimes it'll work, and sometimes it won't. I can always reach the webConfigurator and ping the VIPs on the LANs, and I can always reach the webConfigurator and ping the real WAN IPs for the nodes. It's just the VIP on the WAN that seems to be a problem.

    The interesting thing is that port forwards through the WAN VIP always work, even when they're originating from the same machine that can't ping or reach the webConfigurator on the WAN VIP.

    I do have firewall rules set for the WAN interface (and indeed, every interface) to allow ping and connectivity to the webConfigurator from my IPs (otherwise I wouldn't be able to ping or connect when using the nodes' real WAN IPs) - and like I say, sometimes it works for a little bit, then stops again.

    I've failed the nodes over and back, and the problem persists even when the slave takes over.

    The problem doesn't make sense to me.

    Any ideas of where I can look, or what I can do to diagnose the issue?

  • LAYER 8 Netgate

    Standard Network Connectivity troubleshooting to see what's really failing. What you are seeing is certainly not normal.

  • Thanks for the reply, Derelict.

    Sorry for my slow reply. I went in for surgery, and am just back on my feet again.

    It is indeed unusual. I can see the connection in the state table of the master node, with TIME_WAIT:TIME_WAIT, and 9/4 packets, but the browser tells me the connection was reset, and indeed telnet to the management port is denied as well. ARP of the pfSense VIP is correct on the pinging machine, and ARP of the pinging machine is correct on the pfSense box. It seems like pfSense is blocking the connections, even though it's been told to allow them through (my allow rule uses an alias that includes the VIP and both real IPs of the pfSense boxes). Very, very strange.

    I'll walk through the Network Connectivity process and see if it turns up anything.