GRE from CARP VIP and IPSec

I have a GRE over IPSec configuration in place on an HA pair of identical hardware. Additionally, the GRE interfaces are set up with a CARP IP as the master interface.

It usually works great: GRE tunnels move from appliance to appliance and the IPSec establishes itself properly on the surviving node after a brief outage when IPSec renegotiates the connection. I expect this and that works as normal.

Sometimes during a failover or reboot of either node, the GRE interfaces go active and remain active on the appliance when the CARP VIP is in BACKUP mode. Additionally, the IPSec tunnel will show as up, but outside of the GRE interfaces on both ends being able to ping each other on what should be the BACKUP node, no other traffic passes. Once it gets into this non-functioning state, it gets stuck, and rebooting one or the other appliance really fixes the issue, unless it's the PRIMARY node that gets shut down.

If I manually down the GRE interfaces on the BACKUP node, everything begins to work as expected.

Is this an unsupported configuration, or did I find a bug? I thought about attempting to write a script that checks for a CARP VIP in BACKUP mode and then downs any GRE interfaces via cron.

I think I would be able to reproduce the issue on demand with the firewalls as they currently are, but I'm not sure what I can upload to help diagnose the problem.
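One way to implement the cron check the post proposes, as an added example and not the poster's own script: on FreeBSD/pfSense, read the CARP state of the VIP from `ifconfig` output, bring the GRE interfaces down while the VIP is BACKUP and back up when it is MASTER. The parent interface `em0`, VHID `1` and the interface names `gre0`/`gre1` are assumed and must be adjusted to the real configuration.

```shell
#!/bin/sh
# Keep GRE interfaces in step with the CARP VIP state (workaround for the
# stuck-BACKUP symptom described above). Interface names and VHID below are
# assumed placeholders, not values from the post.
CARP_IF="${CARP_IF:-em0}"
CARP_VHID="${CARP_VHID:-1}"
GRE_IFS="${GRE_IFS:-gre0 gre1}"

# Read `ifconfig <parent>` output on stdin; print MASTER/BACKUP/INIT for the
# given VHID. FreeBSD prints e.g. "  carp: BACKUP vhid 1 advbase 1 advskew 100".
parse_carp_state() {
  awk -v vhid="$1" '$1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; exit }'
}

# Decide what to do with each GRE interface for a given CARP state. Prints one
# "<up|down> <ifname>" line per interface; prints nothing for unknown states
# (e.g. a transient INIT) so nothing is toggled on an ambiguous reading.
gre_actions() {
  state="$1"; shift
  case "$state" in
    MASTER) action=up ;;
    BACKUP) action=down ;;
    *) return 0 ;;
  esac
  for gre in "$@"; do
    printf '%s %s\n' "$action" "$gre"
  done
}

# Apply the actions; only touch interfaces whose UP flag differs from the
# desired state, so a cron run on a healthy node is a no-op.
sync_gre() {
  state=$(ifconfig "$CARP_IF" | parse_carp_state "$CARP_VHID")
  gre_actions "$state" $GRE_IFS | while read -r action gre; do
    if ifconfig "$gre" 2>/dev/null | head -n 1 | grep -qE 'flags=[0-9a-f]*<([^>]*,)?UP(,|>)'; then
      current=up
    else
      current=down
    fi
    if [ "$current" != "$action" ]; then
      logger -t gre-carp-sync "CARP $state on $CARP_IF: setting $gre $action"
      ifconfig "$gre" "$action"
    fi
  done
}

# Run from cron (every minute) as: /usr/local/bin/gre-carp-sync.sh run
if [ "${1:-}" = run ]; then
  sync_gre
fi
```

Because only the BACKUP and MASTER states trigger a change, a node that briefly reports INIT during boot or failover is left alone until the next run.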