Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unicast flooding with CARP. How to debug?

    HA/CARP/VIPs
    2
    2
    653
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Elnadmin
      last edited by

      Wireshark revealed that my HP 1910 switches are flooding unicast packages from workstations to pfSense router's CARP/VIP addresses (but not the other way around), as they don't have MAC/port (CAM?) table entries for the VIPs.

      Based on old topics on this forum, I got the impression that the switch connected to pfSense is supposed to learn/refresh VIP MACs and ports from the CARP advertisements pfSense sends roughly once a second. I have two questions:

      1. What are the most common/likely reasons a switch does not learn the MACs? That is, where to start debugging? IGMP snooping is turned off, and CARP failover seems to work correctly.

      2. Is the CARP advertisement supposed to reach all switches in the same segment and VLAN, or just the one connected to pfSense? I.e. should every switch learn those MACs and correct ports automatically?

      I can force the switches to learn them by running the following "arping" script, but obviously this would need to be hooked to CARP master promotion, and shouldn't be necessary in the first place, right?

      #!/usr/local/bin/php -f
<?php
// pfsense script to send unsolicited ARP broadcasts on all CARP interfaces
require_once("/etc/inc/config.inc");
require_once("/etc/inc/gwlb.inc");
require_once("/etc/inc/interfaces.inc");
require_once("/etc/inc/pkg-utils.inc");

if (is_package_installed("arping")) {
        foreach ($config['virtualip']['vip'] as $vip) {
                if ($vip['mode'] == "carp") {
                        $realif = get_real_interface($vip['interface']);
                        if (!does_interface_exist($realif)) {
                                log_error("No real_interface found for CARP vhid {$vip['vhid']} on {$vip['interface']}. Skipping.");
                                continue;
                        }
                        $status = get_carp_interface_status("_vip{$vip['uniqid']}");
                        if ($status == "MASTER") {
                                $mac = sprintf("00:00:5E:00:01:%02X", $vip['vhid']);
                                log_error("Broadcasting ARP for CARP VIP {$vip['subnet']}'s MAC $mac on {$vip['interface']} ($realif)");
                                mwexec("/usr/local/sbin/arping -s $mac -i $realif -c 3 -p -q -B");
                        }
                }
        }
} else {
        log_error("Package 'arping' is not installed.");
}
?>
      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        If the switch is not learning CARP VIPs from the CARP advertisements it is probably some sort of multicast "feature" on the switch.

        If the switch is receiving traffic from that MAC address it needs to:

        1. Remove that MAC address from all other ports
        2. Add the MAC address to the port it was received on

        If that is not happening, it's a problem with the switch.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.