Netgate Discussion Forum

CARP VIP not passing traffic

HA/CARP/VIPs
18 Posts 3 Posters 1.7k Views
• OneWayLane

I have 2x SG-8860s in an HA configuration. Last week my primary locked up when I logged in, so I had to send it back to Netgate for repair. I received it a few days ago and I restored my config from my monthly backup, and everything worked fine for a couple of days.

Last night I lost all traffic on just one of the CARP VIPs. The firewall passes traffic if I change the gateway of the client to the interface IP of either of the SG-8860s, but no traffic passes through the CARP VIP.

However, if I 'change' the CARP VIP (I just changed the vhid to check replication) and then apply the changes, the VIP passes traffic for a few minutes and then goes back to denying all traffic.

Any thoughts on troubleshooting this would be appreciated.
• Derelict (LAYER 8, Netgate)

What do you mean no traffic passes through the CARP VIP?

What are you actually doing/trying?

If the CARP interface is igb0, look at:

ifconfig igb0 when it is working and not working. Please post the results.

Based on what you said, it sounds like something is getting the ARP from a gratuitous ARP when you change the VIP and is not responding properly to the ARP responses after that expires. But based on what you provided that is pretty much just a guess.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
• OneWayLane

I appreciate your time and I'm sorry for not being more accurate.

I have 3 networks that share the same WAN connection. I have a CARP VIP as a gateway for each LAN network as well as the WAN. The CARP VIP for igb2 is not routing to any of the other networks (WAN or LAN).
• OneWayLane

It appears that I cannot post the ifconfig information for igb2, as Akismet keeps marking the post as spam.
However, there are no changes in the information whether it's working or not.
• Derelict (LAYER 8, Netgate)

Can you even ping it?

Never heard of that being flagged as spam before. Maybe you're being penalized based on your source IP address or something. If you need to, send it to me in chat and see if that works.
• OneWayLane

Yes, the CARP VIP responds to PING. When I ran ifconfig, it listed both the assigned IP and the CARP VIP addresses for the igb2 interface.

It shows the carp: MASTER vhid 10 advbase 1 advskew 0.

I'll send the ifconfig results in chat when I find you online.
• Derelict (LAYER 8, Netgate)

I'm always online.
• Derelict (LAYER 8, Netgate)

    igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:08:a2:0d:4b:ba
    hwaddr 00:08:a2:0d:4b:ba
    inet6 fe80::208:a2ff:fe0d:4bba%igb2 prefixlen 64 scopeid 0x3
    inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 10
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    carp: MASTER vhid 10 advbase 1 advskew 0

That ifconfig looks fine. Is that when it is working or not working?
• OneWayLane

That was from not working.
• Derelict (LAYER 8, Netgate)

OK, well there's nothing wrong there. Can you ping your WAN address from there? 8.8.8.8?

Can an inside host resolve DNS?
• Derelict (LAYER 8, Netgate)

If you look at the ARP table on the inside host when it is not working, the MAC address there should be 00:00:5e:00:01:0a for 192.168.0.1. Is it?
• OneWayLane

That MAC (and the associated IP) is not in the ARP table.
• OneWayLane

When it works, I get this in the ARP table:

    COMMLAN 192.168.0.1 84:16:f9:29:53:d9 Expires in 1186 seconds ethernet
• Derelict (LAYER 8, Netgate)

Then that is something else on your network, not the CARP VIP.

    84:16:F9 Tp-LinkT Tp-Link Technologies Co.,Ltd.
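The diagnostic Derelict describes above, checking that the client's ARP entry for the VIP carries the CARP virtual MAC derived from the vhid (00:00:5e:00:01:0a for vhid 10) and treating any other MAC as a second device answering for that address, can be scripted. The following Python is an added example, not code from this thread or from pfSense. It parses ifconfig output for CARP VIP lines, parses arp -a style output (BSD/Linux colon form or Windows dash form), derives the expected MAC for each VIP, and flags a VIP whose ARP entry points elsewhere, with a vendor hint for the one OUI prefix quoted in the thread. The sample inputs and the one-entry OUI table are constructed for illustration from values on this page.

```python
"""Check a client's ARP entries for CARP VIPs against the CARP virtual MAC.

CARP, like VRRP, answers ARP for a VIP with the virtual MAC 00:00:5e:00:01:<vhid>.
If a client's ARP cache maps the VIP to any other MAC, another device on the
segment is claiming that IP (an address conflict), which is what this thread found.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the igb2 ifconfig output quoted in this thread, trimmed.
IFCONFIG_SAMPLE = """\
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:08:a2:0d:4b:ba
    inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 10
    carp: MASTER vhid 10 advbase 1 advskew 0
"""

# Constructed client ARP lines: a healthy entry (CARP virtual MAC) and the
# conflicting entry quoted in the thread (a TP-Link OUI).
ARP_HEALTHY = "COMMLAN 192.168.0.1 00:00:5e:00:01:0a Expires in 1186 seconds ethernet"
ARP_CONFLICT = "COMMLAN 192.168.0.1 84:16:f9:29:53:d9 Expires in 1186 seconds ethernet"

# Illustrative OUI table holding only the prefix mentioned in the thread;
# a real check would consult the full IEEE OUI registry.
OUI_HINTS = {"84:16:f9": "TP-Link Technologies Co.,Ltd."}

_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
_MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
_VIP_RE = re.compile(r"^\s*inet (\d{1,3}(?:\.\d{1,3}){3}) .*\bvhid (\d+)")


def carp_mac(vhid: int) -> str:
    """Virtual MAC CARP uses for a given vhid (valid vhids are 1..255)."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so BSD and Windows output compare equal."""
    return mac.lower().replace("-", ":")


def parse_carp_vips(ifconfig_text: str) -> Dict[str, int]:
    """Map each CARP VIP on the interface to its vhid from 'inet ... vhid N' lines."""
    vips: Dict[str, int] = {}
    for line in ifconfig_text.splitlines():
        m = _VIP_RE.match(line)
        if m:
            vips[m.group(1)] = int(m.group(2))
    return vips


def parse_arp(arp_text: str) -> Dict[str, str]:
    """IP -> MAC from 'arp -a'-style output; lines without both fields are skipped."""
    table: Dict[str, str] = {}
    for line in arp_text.splitlines():
        ip, mac = _IP_RE.search(line), _MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def check_vip_arp(vips: Dict[str, int], arp: Dict[str, str]) -> List[dict]:
    """Classify each VIP as ok / missing / conflict based on the client's ARP cache."""
    results = []
    for ip, vhid in sorted(vips.items()):
        expected = carp_mac(vhid)
        actual: Optional[str] = arp.get(ip)
        if actual is None:
            status = "missing"        # client never resolved the VIP
        elif actual == expected:
            status = "ok"             # CARP master is answering ARP for the VIP
        else:
            status = "conflict"       # some other NIC claims the VIP's address
        vendor = OUI_HINTS.get(actual[:8]) if actual else None
        results.append({"ip": ip, "vhid": vhid, "expected": expected,
                        "actual": actual, "status": status, "vendor": vendor})
    return results


if __name__ == "__main__":
    vips = parse_carp_vips(IFCONFIG_SAMPLE)
    for label, sample in (("healthy", ARP_HEALTHY), ("conflict", ARP_CONFLICT)):
        for r in check_vip_arp(vips, parse_arp(sample)):
            print(f"[{label}] {r['ip']} vhid {r['vhid']}: {r['status']} "
                  f"(expected {r['expected']}, saw {r['actual']}, vendor {r['vendor']})")
```

In practice, feed the script the real ifconfig output from the CARP master and the arp -a output from an affected client; a "conflict" result points straight at the offending MAC, and the OUI lookup narrows down which device (here a switch on its factory default address) to go looking for.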
• Derelict (LAYER 8, Netgate)

I am talking about the ARP table on the client.

Are you seeing entries in the system log about "someone else is using my IP" or something to that effect?
• OneWayLane

I found a Tp-Link switch that matches that MAC. It appears that it turned on with its default IP address (192.168.0.1), which was causing a conflict with the CARP VIP.

Side note: don't build your work network on an overused class C addressing scheme.
• Derelict (LAYER 8, Netgate)

That'll do it. Glad you found it.
• johnpoz (LAYER 8, Global Moderator)

If you do, don't use .1 or .254, since those are common default IPs ;)

Pretty much the reason the pfSense IP on all its VLANs is .253...

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.