Unicast flooding with CARP. How to debug?

  • Wireshark revealed that my HP 1910 switches are flooding unicast packages from workstations to pfSense router's CARP/VIP addresses (but not the other way around), as they don't have MAC/port (CAM?) table entries for the VIPs.

    Based on old topics on this forum, I got the impression that the switch connected to pfSense is supposed to learn/refresh VIP MACs and ports from the CARP advertisements pfSense sends roughly once a second. I have two questions:

    1. What are the most common/likely reasons a switch does not learn the MACs? That is, where to start debugging? IGMP snooping is turned off, and CARP failover seems to work correctly.

    2. Is the CARP advertisement supposed to reach all switches in the same segment and VLAN, or just the one connected to pfSense? I.e. should every switch learn those MACs and correct ports automatically?

    I can force the switches to learn them by running the following "arping" script, but obviously this would need to be hooked to CARP master promotion, and shouldn't be necessary in the first place, right?

    #!/usr/local/bin/php -f
    // pfsense script to send unsolicited ARP broadcasts on all CARP interfaces
    if (is_package_installed("arping")) {
            foreach ($config['virtualip']['vip'] as $vip) {
                    if ($vip['mode'] == "carp") {
                            $realif = get_real_interface($vip['interface']);
                            if (!does_interface_exist($realif)) {
                                    log_error("No real_interface found for CARP vhid {$vip['vhid']} on {$vip['interface']}. Skipping.");
                            $status = get_carp_interface_status("_vip{$vip['uniqid']}");
                            if ($status == "MASTER") {
                                    $mac = sprintf("00:00:5E:00:01:%02X", $vip['vhid']);
                                    log_error("Broadcasting ARP for CARP VIP {$vip['subnet']}'s MAC $mac on {$vip['interface']} ($realif)");
                                    mwexec("/usr/local/sbin/arping -s $mac -i $realif -c 3 -p -q -B");
    } else {
            log_error("Package 'arping' is not installed.");

  • LAYER 8 Netgate

    If the switch is not learning CARP VIPs from the CARP advertisements it is probably some sort of multicast "feature" on the switch.

    If the switch is receiving traffic from that MAC address it needs to:

    1. Remove that MAC address from all other ports
    2. Add the MAC address to the port it was received on

    If that is not happening, it's a problem with the switch.

Log in to reply