    VIP persisting after removal

    HA/CARP/VIPs
    7 Posts 2 Posters 685 Views
      pstine

      I have a situation where an old (removed) VIP is continuing to be broadcast as being available on the WAN interface. Looking at the ARP table of the WAN switch the IP appears with the MAC of the WAN interface.

      The old VIP has been removed from pfsense (doesn't show up in the VIP listing, ifconfig or the arp table) but is showing up in the WAN switch ARP table (even after being removed from the WAN switch ARP table.)

      If it matters, the IP in question used to be the IP of the WAN interface before the WAN interface was re-addressed (on the same subnet.)

      It isn't really affecting anything right now, it just shows up as Used-Unmanaged in Infoblox and offends my sensibility.

      Any ideas where this old setting might be lurking in pfsense and how to (permanently) remove it?

      Thanks

        pstine @pstine

        I should add that it persists between reboots and complete system halts.

          Derelict LAYER 8 Netgate

          grep -C10 -n ip_address_in_question /cf/conf/config.xml

          ??

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            pstine @Derelict

            @Derelict said in VIP persisting after removal:

            grep -C10 -n ip_address_in_question /cf/conf/config.xml

            No content returned.
            Tested the grep against a known VIP and expected content was returned.

            I've searched for the VM against the MAC and it returned the firewall VM.
            Get-VM | Get-NetworkAdapter | Where-Object {$_.MacAddress -eq "00:50:56:xx:yy:zz"} | Select-Object Parent,Name,MacAddress

            I've searched for the IP address and nothing was returned.
            Get-VM * | Where-Object {$_.Guest.IPAddress -match "www.xxx.yyy.zzz"}

            The VIP in question is not listed in the firewall IP addresses whereas the other VIPs are.

            Thanks

              Derelict LAYER 8 Netgate

              The VIP in question is not listed in the firewall IP addresses whereas the other VIPs are.

              Is the VIP listed in netstat -rn on the firewall? If not, something else is responding there.

              What kind of VIP was it?

              What was the netmask?

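              Pulling the checks from this thread together (the grep of /cf/conf/config.xml, ifconfig, arp, and netstat -rn) into one script, as an added example that is not part of the thread or of pfSense itself: it reports which of the firewall's own sources still carry an address. The command outputs below are constructed samples (addresses from the 203.0.113.0/26 documentation range, a made-up MAC) so the script runs offline; on a real pfSense box you would feed it the live outputs instead, as the usage comment shows. A count of zero is the situation in this thread: the firewall has no trace of the address, so the entry seen upstream has to be cleared on the switch, the IPAM, or whatever other host is holding it.

```shell
#!/bin/sh
# Added example (not from the thread): find every place on a pfSense host where an
# IPv4 address can still be anchored, so a "ghost" ARP entry on an upstream switch
# can be attributed either to the firewall (address still configured or live) or to
# something beyond it (switch cache, another host, an IPAM/DNS record).
#
# On a live box the four sources are:
#   /cf/conf/config.xml   persistent configuration (survives reboots)
#   ifconfig -a           addresses currently bound to interfaces
#   arp -an               the firewall's own neighbour cache
#   netstat -rn           routing table (each local address gets a host route)
# Each source is a constructed sample string here so the script runs offline.

CONFIG_SAMPLE='<virtualip>
  <vip>
    <mode>ipalias</mode>
    <interface>wan</interface>
    <subnet>203.0.113.182</subnet>
    <subnet_bits>26</subnet_bits>
    <descr>mail</descr>
  </vip>
</virtualip>'

IFCONFIG_SAMPLE='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:50:56:aa:bb:cc
    inet 203.0.113.187 netmask 0xffffffc0 broadcast 203.0.113.191
    inet 203.0.113.182 netmask 0xffffffc0 broadcast 203.0.113.191'

ARP_SAMPLE='? (203.0.113.129) at 00:11:22:33:44:55 on vmx0 expires in 1185 seconds [ethernet]
? (203.0.113.187) at 00:50:56:aa:bb:cc on vmx0 permanent [ethernet]
? (203.0.113.182) at 00:50:56:aa:bb:cc on vmx0 permanent [ethernet]'

NETSTAT_SAMPLE='default            203.0.113.129      UGS         vmx0
203.0.113.128/26   link#1             U           vmx0
203.0.113.182      link#1             UHS         lo0
203.0.113.187      link#1             UHS         lo0'

# Build an ERE that matches the address as a whole token, so a plain grep for
# 203.0.113.18 does not also hit 203.0.113.181 or 203.0.113.187.
ip_pattern() {
    printf '(^|[^0-9.])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# source_has_ip NAME TEXT IP -> prints "NAME: present|absent"; exit 0 if present.
source_has_ip() {
    if printf '%s\n' "$2" | grep -Eq "$(ip_pattern "$3")"; then
        printf '%s: present\n' "$1"
        return 0
    fi
    printf '%s: absent\n' "$1"
    return 1
}

# stale_ip_sources IP -> prints the number of firewall sources that still carry IP
# (per-source detail goes to stderr). 0 means the firewall has no trace of it and
# the entry seen upstream comes from somewhere else; a hit in config.xml alone
# would point at a leftover setting that survives reboots.
stale_ip_sources() {
    n=0
    source_has_ip "config.xml"  "$CONFIG_SAMPLE"   "$1" >&2 && n=$((n + 1))
    source_has_ip "ifconfig"    "$IFCONFIG_SAMPLE" "$1" >&2 && n=$((n + 1))
    source_has_ip "arp -an"     "$ARP_SAMPLE"      "$1" >&2 && n=$((n + 1))
    source_has_ip "netstat -rn" "$NETSTAT_SAMPLE"  "$1" >&2 && n=$((n + 1))
    printf '%s\n' "$n"
}

# Usage on a real host: replace the *_SAMPLE strings with live output, e.g.
#   CONFIG_SAMPLE=$(cat /cf/conf/config.xml); IFCONFIG_SAMPLE=$(ifconfig -a)
#   ARP_SAMPLE=$(arp -an); NETSTAT_SAMPLE=$(netstat -rn)
# then run:  sh stale_ip.sh 203.0.113.181
stale_ip_sources "${1:-203.0.113.181}"
```

              The token-anchored pattern matters because the thread's own grep for a bare address would also match any longer address that starts with the same digits; with it, a removed .181 and a live .187 on the same subnet cannot be confused.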
                pstine

                Not listed in netstat -rn result. All the other VIPs for the WAN interface show up in the result.

                Originally, I believe, it was the IP of the WAN interface (.181). A few months back, the WAN interface was re-addressed to .187.
                The netmask is 255.255.255.192
                The gateway is at .129
                The MAC reported by the switch ARP table is the same as that of the WAN interface.

                I find it hard to imagine that the .181 address is being broadcast from some other device when it is broadcasting the same MAC address as the firewall.

                Certainly very odd.

                I have considered assigning the .181 IP to a new virtual machine, outside the firewall, to see what effect that has on the switch ARP table. Perhaps that will clear it - or, I guess, create a problem in the table.

                  pstine

                  I created a new vm, assigned the offending IP to that VM, let it hang out for a day, deleted the VM and the DNS records in Infoblox. Finally, after the weekend the record has cleared in Infoblox and presumably the switch.

                  Switch weirdness in the end, I suppose.

                  Thanks to Derelict for the suggestions in trying to track this down.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.