Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks

defunct78

Had a completely functioning HA pair installed, went to upgrade from 2.4.5p1 to 2.5.0 and now seeing blocked packets in the logs.

First off, CARP failover seems to be behaving correctly. Though this problem may be related to another problem I posted.
https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade

What I am seeing in the logs

filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.x.1,224.0.0.18,advertise,255,4,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.y.1,224.0.0.18,advertise,255,5,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.z.1,224.0.0.18,advertise,255,1,2,0,1

For each interface a CARP is applied too, I get one of these errors. The source IP's are the self IP of the firewall itself. And I only see these blocks on the who ever is currently active.

I did check the /tmp/rules.debug and found this, which looks to have been in previous versions for a while.

# CARP rules
block in log quick proto carp from (self) to any tracker 1000000201
pass  quick proto carp tracker 1000000202 no state

Any thoughts, or things I can look at? I did try adding and accept rule early but due to the id of this block I can't get one early enough to accept these packets. Makes me thing something didn't go right during the upgrade.

defunct78

To add to this, deleting a CARP and recreating under a new VHID, had no impact to the problem. Problem is still happening.

Derelict

@defunct78 VMware?

defunct78

@derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

@defunct78 VMware?

Matter a fact, yes. Though I didn't think that was going to be a problem as 2.4.5p1 didn't have this issue. Though I am open to any suggestions.

Derelict

@defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

https://kb.vmware.com/s/article/59235

https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

defunct78

@derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

@defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

https://kb.vmware.com/s/article/59235

https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

That was it. Fixed the problem perfectly. Thanks.