CARP VIP not passing traffic
I have 2x SG-8860s in a HA configuration. Last week my primary locked up when I logged in, so I had to send it back to Netgate for repair. I received it a few days ago and I restored my config from my monthly backup and everything worked fine for a couple of days.
Last night I lost all traffic on just one of the CARP VIPs. The firewall passes traffic if I change the gateway of the client to the interface IP of either of the SG-8860s, but no traffic passes through the CARP VIP.
However, if I 'change' the CARP VIP (I just changed the vhid to check replication) and then apply the changes the VIP passes traffic for a few minutes and then goes back to denying all traffic.
Any thoughts on troubleshooting this would be appreciated.
What do you mean no traffic passes through the CARP VIP?
What are you actually doing/trying?
If the CARP interface is igb0, look at:
ifconfig igb0 when it is working and not working. Please post the results.
Based on what you said, it sounds like something is getting the ARP from a gratuitous ARP when you change the VIP and is not responding properly to the ARP responses after that expires. But based on what you provided that is pretty much just a guess.
I appreciate your time and I'm sorry for not being more accurate.
I have 3 networks that share the same WAN connection. I have CARP VIP as a gateway for each LAN network as well as the WAN. The CARP VIP for igb2 is not routing to any of the other networks (WAN or LAN).
It appears that I cannot post the ifconfig information for igb2, as Akismet keeps marking the post as spam.
However, there are no changes in the information whether it's working or not.
Can you even ping it?
Never heard of that being flagged as spam before. Maybe you're being penalized based on your source IP address or something. If you need to, send it to me in chat and see if that works.
Yes, the CARP VIP responds to PING. When I ran ifconfig, it listed both the assigned IP and the CARP VIP addresses for the igb2 interface.
It shows the carp: MASTER vhid 10 advbase 1 advskew 0.
I'll send the ifconfig results in chat when I find you online.
I'm always online.
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:08:a2:0d:4b:ba
    hwaddr 00:08:a2:0d:4b:ba
    inet6 fe80::208:a2ff:fe0d:4bba%igb2 prefixlen 64 scopeid 0x3
    inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 10
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    carp: MASTER vhid 10 advbase 1 advskew 0
That ifconfig looks fine. Is that when it is working or not working?
That was from not working.
OK well there's nothing wrong there. Can you ping your WAN address from there? 126.96.36.199?
Can an inside host resolve DNS?
If you look at the ARP table on the inside host when it is not working, the MAC address there should be 00:00:5e:00:01:0a for 192.168.0.1. Is it?
That MAC (and the associated IP) is not in the ARP table.
When it works, I get this in the ARP table:
COMMLAN 192.168.0.1 84:16:f9:29:53:d9 Expires in 1186 seconds ethernet
Then that is something else on your network, not the CARP VIP.
84:16:F9 Tp-LinkT Tp-Link Technologies Co.,Ltd.
I am talking about the ARP table on the client.
Are you seeing entries in the system log about "someone else is using my IP" or something to that effect?
I found a TP-Link switch that matches that MAC. It appears that it turned on its default IP address (192.168.0.1), which was causing a conflict with the CARP VIP.
Side note: don't build your work network on an overused class C addressing scheme.
That'll do it. Glad you found it.
If you do - don't use .1 or .254 since those are common default IPs ;)
Pretty much the reason the pfSense IP on all its VLANs is .253...
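The ARP-table check suggested above (expected CARP MAC 00:00:5e:00:01:0a for vhid 10, and the foreign TP-Link MAC that actually answered), scripted as an added example; this is not code from the thread or from pfSense. It derives the CARP virtual MAC from the vhid, parses a client's `arp -a` output in either the FreeBSD or the Windows format, and reports whether the VIP's entry is missing, correct, or held by a foreign MAC. The sample ARP lines and the one-entry OUI hint table are constructed for the example.

```python
import re

# Constructed sample ARP output (not from the thread): pfSense/FreeBSD `arp -a`
# lines and Windows `arp -a` lines (dash-separated MACs).
SAMPLE_CONFLICT = """\
? (192.168.0.1) at 84:16:f9:29:53:d9 on igb2 expires in 1186 seconds [ethernet]
? (192.168.0.253) at 00:08:a2:0d:4b:ba on igb2 expires in 1200 seconds [ethernet]
"""
SAMPLE_OK = """\
  192.168.0.1           00-00-5e-00-01-0a     dynamic
  192.168.0.253         00-08-a2-0d-4b-ba     dynamic
"""
# Constructed, deliberately tiny OUI hint table: only the prefix named in the thread.
OUI_HINTS = {"84:16:f9": "TP-Link Technologies"}
# IPv4 address, then any non-digit separator, then a colon- or dash-separated MAC.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)

def carp_virtual_mac(vhid: int) -> str:
    """CARP answers ARP for a VIP with the VRRP-style MAC 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"

def parse_arp_table(text: str) -> dict:
    """Map IP -> normalised lowercase colon-separated MAC for each ARP line."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def check_carp_vip(arp_text: str, vip: str, vhid: int) -> dict:
    """Classify the VIP's ARP entry: ok, missing, or conflict (a foreign MAC)."""
    expected = carp_virtual_mac(vhid)
    actual = parse_arp_table(arp_text).get(vip)
    if actual is None:
        status = "missing"
    elif actual == expected:
        status = "ok"
    else:
        status = "conflict"
    vendor = OUI_HINTS.get(actual[:8]) if actual else None
    return {"status": status, "expected": expected, "actual": actual, "vendor": vendor}

if __name__ == "__main__":
    for name, sample in (("conflict", SAMPLE_CONFLICT), ("ok", SAMPLE_OK)):
        print(name, check_carp_vip(sample, "192.168.0.1", 10))
```

A "conflict" result with a vendor hint is the signature of the situation in this thread: some other device answering ARP for the VIP, which is why traffic briefly recovers after the gratuitous ARP sent on a VIP change and then stops again.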