CARP VIP not passing traffic

  • I have 2x SG-8860's in a HA configuration. Last week my primary locked up when I logged in, so I had to send it back to Netgate for repair. I received it a few days ago and I restored my config from my monthly backup and everything worked fine for a couple of days.

    Last night I lost all traffic on just one of the CARP VIPs. The firewall passes traffic if I change the gateway of the client to the interface IP of either of the SG-8860's, but no traffic passes through the CARP VIP.

    However, if I 'change' the CARP VIP (I just changed the vhid to check replication) and then apply the changes the VIP passes traffic for a few minutes and then goes back to denying all traffic.

    Any thoughts on troubleshooting this would be appreciated.

  • LAYER 8 Netgate

    What do you mean no traffic passes through the CARP VIP?

    What are you actually doing/trying?

    If the CARP interface is igb0, look at:

    ifconfig igb0 when it is working and not working. Please post the results.

    Based on what you said, it sounds like something is getting the ARP from a gratuitous ARP when you change the VIP and is not responding properly to the ARP responses after that expires. But based on what you provided that is pretty much just a guess.

  • I appreciate your time and I'm sorry for not being more accurate.

    I have 3 networks that share the same WAN connection. I have CARP VIP as a gateway for each LAN network as well as the WAN. The CARP VIP for igb2 is not routing to any of the other networks (WAN or LAN).

  • It appears that I cannot post the ifconfig information for igb2, as Akismet keeps marking the post as spam.
    However, there are no changes in the information whether it's working or not.

  • LAYER 8 Netgate

    Can you even ping it?

    Never heard of that being flagged as spam before. Maybe you're being penalized based on your source IP address or something. If you need to, send it to me in chat and see if that works.

  • Yes, the CARP VIP responds to PING. When I ran ifconfig, it listed both the assigned IP and the CARP VIP addresses for the igb2 interface.

    It shows the carp: Master vhid 10 advbase 1 advskew 0.

    I'll send the ifconfig results in chat when I find you online.

  • LAYER 8 Netgate

    I'm always online.

  • LAYER 8 Netgate

    igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:08:a2:0d:4b:ba
    hwaddr 00:08:a2:0d:4b:ba
    inet6 fe80::208:a2ff:fe0d:4bba%igb2 prefixlen 64 scopeid 0x3
    inet netmask 0xffffff00 broadcast
    inet netmask 0xffffff00 broadcast vhid 10
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    carp: MASTER vhid 10 advbase 1 advskew 0

    That ifconfig looks fine. Is that when it is working or not working?

  • That was from not working.

  • LAYER 8 Netgate

    OK well there's nothing wrong there. Can you ping your WAN address from there?

    Can an inside host resolve DNS?

  • LAYER 8 Netgate

    If you look at the ARP table on the inside host when it is not working, the MAC address there should be 00:00:5e:00:01:0a for Is it?

  • That MAC (and the associated IP) is not in the ARP table.

  • When it works, I get this in the ARP table

    COMMLAN 84:16:f9:29:53:d9 Expires in 1186 seconds ethernet

  • LAYER 8 Netgate

    Then that is something else on your network, not the CARP VIP.

    84:16:F9 Tp-LinkT Tp-Link Technologies Co.,Ltd.

  • LAYER 8 Netgate

    I am talking about the ARP table on the client.

    Are you seeing entries in the system log about "someone else is using my IP" or something to that effect?

  • I found a Tp-Link switch that matches that MAC. It appears that it turned on its default IP address ( that was causing conflict with the CARP VIP.

    Side note, don't build your work network on an overused class C addressing scheme.

  • LAYER 8 Netgate

    That'll do it. Glad you found it.

  • LAYER 8 Global Moderator

    If you do - don't use .1 or .254 since those are common default IPs ;)

    Pretty much the reason pfSense IP on all its vlans is .253...
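
The check worked through in this thread, as an added example that is not part of the original posts: derive the CARP virtual MAC from the vhid (00:00:5e:00:01:0a for vhid 10) and compare it with what a client's ARP table holds for the VIP. The address 192.0.2.1, the interface name em0 and the `arp -an` style sample lines are constructed; the two MAC addresses are the ones quoted above.

```python
import re

CARP_PREFIX = "00:00:5e:00:01"  # CARP/VRRP virtual MAC prefix; the last octet is the vhid

def carp_mac(vhid):
    """Virtual MAC a CARP VIP answers ARP with, e.g. vhid 10 -> ...:0a."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1-255")
    return f"{CARP_PREFIX}:{vhid:02x}"

def normalize_mac(mac):
    # Some arp implementations print octets without leading zeros (0:0:5e:0:1:a)
    return ":".join(f"{int(o, 16):02x}" for o in re.split(r"[:-]", mac))

# Matches "? (ip) at mac ..." lines; "(incomplete)" entries do not match
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b"
)

def parse_arp(text):
    """Yield (ip, mac) pairs from `arp -an` style output."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.group("ip"), normalize_mac(m.group("mac"))

def check_vip(arp_text, vip, vhid):
    """Return (status, mac): 'ok', 'conflict' (another device owns the IP) or 'missing'."""
    expected = carp_mac(vhid)
    macs = {mac for ip, mac in parse_arp(arp_text) if ip == vip}
    if not macs:
        return "missing", None
    wrong = sorted(macs - {expected})
    return ("conflict", wrong[0]) if wrong else ("ok", expected)

# Constructed client ARP tables; 192.0.2.1 stands in for the VIP address
VIP = "192.0.2.1"
EXPECTED_TABLE = "? (192.0.2.1) at 0:0:5e:0:1:a on em0 expires in 1186 seconds [ethernet]\n"
CONFLICT_TABLE = "? (192.0.2.1) at 84:16:f9:29:53:d9 on em0 expires in 1186 seconds [ethernet]\n"

if __name__ == "__main__":
    for name, table in (("expected", EXPECTED_TABLE), ("conflict", CONFLICT_TABLE)):
        status, mac = check_vip(table, VIP, vhid=10)
        print(f"{name}: {status} ({mac}), CARP MAC should be {carp_mac(10)}")
```

A "conflict" result means the first three octets of the reported MAC can be looked up against the vendor list to find the device, which is how the Tp-Link switch was identified here.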
