CARP failover caused by large transfer

  • Hello,

    I have a pair of pfSense 2.4.3-p3 with several VLANs on a single GbE link, each with its own CARP alias. My problem is that I'm getting spurious failovers whenever a large amount of data is going through the firewall (particularly at the start of the transfer).

    My current hypothesis is that the reason for this is that the CARP announcements from the primary are getting delayed badly enough that the backup takes over.

    I have tried everything I can think of:

    • replacing the single GbE connection with an LACP group of two such links, with no effect (as expected; a single transfer would still go through only one of them)
    • using the traffic shaper, changing /etc/inc/ to put the CARP packets into their own high-priority queue, but it does not help, and it reduces the throughput so much I'm better off without it.

    What else can I do? The CPU and network interfaces are probably fine, because once the transfer gets going, it (without ALTQ) reaches, and stays at, wire speed.

    Thanks for any hints,

  • Rebel Alliance Developer Netgate

    It might be your switch doing it and not the firewall, check for and disable things like multicast storm control to rule that out.

    Also you could set advbase higher on the VIPs so that it takes longer to trigger a failover. If you increase advbase to 1 that would take 1 second + skew to switch. Or use QoS to limit the initial burst to a lower speed.

Log in to reply