Unable to ping tier 2 CARP VIP in dual WAN [RESOLVED]

  • Hi,
    I am using 2 SG-2440 units setup with HA, dual WAN, and CARP VIPs on WAN and LAN sides. Seems to be working correctly for the most part. A few problems with ipsec failover, but thats a different issue.

    The dual wan is configured with a single failover gateway group using 2 tiers and the appropriate VIPs. No load balancing is configured.

    I have added a floating rule to allow icmp echo requests to both wan interfaces (maybe this is part of the problem?)

    The issue is I am ALWAYS able to ping the VIP on the primary (tier 1) isp connection. To test, I "Mark Gateway as Down". After doing that I am able to establish a new ipsec tunnel using the VIP on the tier 2 connection. I have also tested by configuring a monitor IP where I can disable ping response and see the same rfesult.
    In both cases, I can still ping the tier 1 VIP, and I cannot ping the tier 2 VIP, even though it appears to be passing traffic.

    Am I doing somethign wrong?

  • Rebel Alliance Developer Netgate

    Floating rules do not get "reply-to" so they can't return traffic out the interface it entered. Replies matching a floating rule will always exit out the default gateway/follow the routing table.

    Put the pass rules on each WAN individually.

  • Thanks, that fixed the issue.