High network traffic on secondary firewall when CARP in BACKUP mode
-
Greetings,
Upgraded from 2.2.6 to 2.3.2 and am seeing a very bizarre issue. I have a pair of 2.3.2 pfSense VMs running on ESXi 5.5U2. For some reason, the secondary/standby firewall is seeing very high network traffic on the WAN interface (>50Mb/sec) when the CARP interfaces are in BACKUP mode. As soon as I disable CARP the traffic goes to 1KB each direction (as it should). Once I re-enable CARP, the unit goes to BACKUP and the high traffic continues. After some time, I get "em1 watchdog timeout" on the console and have to reboot the appliance (running on ESXi 5.5). It appears the secondary firewall is responding to traffic (as per the traffic graphs). Yet, all the CARP interfaces are active on the primary firewall.
I have not seen this behavior in 2.2.6. Any clues on how to troubleshoot?
-
Packet capture on the secondary WAN and see what the traffic is?
-
Thanks for the quick reply.
Packet capture on the WAN interface indicates the secondary firewall is processing traffic for the VIPs. I see a ton of VIP-to-internet traffic. Why is the secondary firewall responding to VIP traffic at all if it is in BACKUP mode?
-
Is it responding to traffic or being sent the traffic? In all honesty this is probably something in your ESXi environment and not your HA pair.
-
In a last-ditch effort to get things running again, I reset the config on FW2 and started over. Since this is an HA pair, I just did the initial setup and had FW1 sync over the settings. This seems to have fixed the problem. The secondary FW is in BACKUP mode and the traffic is very minor (16KB/sec).
Not sure what happened, but something must have gone wrong during the upgrade from 2.2.6 to 2.3.2. I might consider doing the same on FW1 (reset to factory then sync from FW2).
Thanks again for helping out!
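
-
Added example, not part of the thread: one way to answer the "responding or being sent the traffic?" question from a capture taken on the secondary's WAN with `tcpdump -e -n`, by checking which source MAC put each VIP-sourced frame on the wire. The MAC addresses, IPs and capture lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed values (assumptions, not taken from the thread).
BACKUP_MAC = "00:0c:29:aa:bb:02"  # secondary firewall's own WAN NIC
VIP = "203.0.113.10"              # WAN CARP VIP

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+\.\d+\.\d+\.\d+"
# Link-level header and IPv4 endpoints as printed by `tcpdump -e -n`.
LINE = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 .*?: "
    rf"(?P<sip>{IP})(?:\.\d+)? > (?P<dip>{IP})(?:\.\d+)?:",
    re.I,
)

def classify(line):
    m = LINE.search(line)
    if not m:
        return "unparsed"
    if m["sip"] == VIP:
        # Who put the VIP-sourced frame on the wire?
        sent_by_backup = m["smac"].lower() == BACKUP_MAC
        return "backup_tx_as_vip" if sent_by_backup else "peer_tx_as_vip"
    if m["dip"] == VIP:
        return "rx_for_vip"
    return "other"

def summarize(capture_text):
    return Counter(classify(l) for l in capture_text.splitlines() if l.strip())

def verdict(counts):
    if counts["backup_tx_as_vip"]:
        return "backup is transmitting as the VIP"
    if counts["peer_tx_as_vip"] or counts["rx_for_vip"]:
        return "backup only sees VIP traffic delivered to its port"
    return "no VIP traffic in capture"

# Constructed capture; 00:00:5e:00:01:01 is the CARP virtual MAC for VHID 1.
SAMPLE = """\
12:00:00.000001 00:0c:29:aa:bb:01 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 74: 203.0.113.10.443 > 198.51.100.7.51514: Flags [.], ack 1, win 512, length 0
12:00:00.000105 00:50:56:c0:00:08 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.51514 > 203.0.113.10.443: Flags [.], ack 1, win 512, length 0
12:00:00.000210 00:0c:29:aa:bb:01 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 1514: 203.0.113.10.443 > 198.51.100.7.51514: Flags [P.], length 1448
12:00:00.000400 00:0c:29:aa:bb:02 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 90: 203.0.113.3.123 > 198.51.100.50.123: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    print(dict(counts), "->", verdict(counts))
```

A result of `peer_tx_as_vip` or `rx_for_vip` without any `backup_tx_as_vip` means the frames are only being delivered to the secondary's port, which points at the virtual switch rather than at the standby answering for the VIP.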