Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks
-
Had a completely functioning HA pair installed, went to upgrade from 2.4.5p1 to 2.5.0 and now seeing blocked packets in the logs.
First off, CARP failover seems to be behaving correctly. Though this problem may be related to another problem I posted.
https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade
What I am seeing in the logs
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.x.1,224.0.0.18,advertise,255,4,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.y.1,224.0.0.18,advertise,255,5,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.z.1,224.0.0.18,advertise,255,1,2,0,1
For each interface a CARP is applied to, I get one of these errors. The source IPs are the self IP of the firewall itself. And I only see these blocks on whoever is currently active.
I did check the /tmp/rules.debug and found this, which looks to have been in previous versions for a while.
# CARP rules
block in log quick proto carp from (self) to any tracker 1000000201
pass quick proto carp tracker 1000000202 no state
Any thoughts, or things I can look at? I did try adding an accept rule early, but due to the id of this block I can't get one early enough to accept these packets. Makes me think something didn't go right during the upgrade.
-
To add to this, deleting a CARP and recreating it under a new VHID had no impact on the problem. Problem is still happening.
-
@defunct78 VMware?
-
@derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:
@defunct78 VMware?
Matter of fact, yes. Though I didn't think that was going to be a problem as 2.4.5p1 didn't have this issue. Though I am open to any suggestions.
-
@defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.
-
@derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:
@defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.
That was it. Fixed the problem perfectly. Thanks.
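
Added example (not written by anyone in this thread, and not pfSense code): a small log check for the condition diagnosed above, counting CARP advertisements that arrive inbound with one of the node's own source addresses and are dropped by tracker 1000000201. The field positions are inferred from the sample lines in the first post, and the sample addresses and interface names are constructed.

```python
import csv
from collections import Counter

# Tracker of the "block in log quick proto carp from (self)" rule quoted in the thread.
SELF_BLOCK_TRACKER = "1000000201"
CARP_GROUP = "224.0.0.18"
# Field positions inferred from the IPv4 sample lines in the thread (assumption).
TRACKER, IFACE, ACTION, DIRECTION, IPVER = 3, 4, 6, 7, 8
PROTO, SRC, DST, CARP_TYPE, VHID = 16, 18, 19, 20, 22

def parse_carp_entry(line):
    """Return the CSV fields of an IPv4 CARP filterlog line, or None otherwise."""
    payload = line.partition("filterlog[")[2].partition("]: ")[2]
    fields = next(csv.reader([payload]), [])
    if len(fields) <= VHID or fields[IPVER] != "4" or fields[PROTO] != "carp":
        return None
    return fields

def echoed_advertisements(lines, own_ips):
    """Count inbound CARP advertisements that carry one of this node's own
    source addresses and were dropped by the (self) rule, per (interface, VHID)."""
    hits = Counter()
    for line in lines:
        f = parse_carp_entry(line)
        if f is None:
            continue
        if (f[TRACKER] == SELF_BLOCK_TRACKER and f[ACTION] == "block"
                and f[DIRECTION] == "in" and f[DST] == CARP_GROUP
                and f[CARP_TYPE] == "advertise" and f[SRC] in own_ips):
            hits[(f[IFACE], f[VHID])] += 1
    return hits

# Constructed sample lines; addresses are documentation ranges, not from the thread.
SAMPLE = [
    "filterlog[]: 52,,,1000000201,lan,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,192.0.2.1,224.0.0.18,advertise,255,4,2,0,1",
    "filterlog[]: 52,,,1000000201,lan,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,192.0.2.1,224.0.0.18,advertise,255,4,2,0,1",
    "filterlog[]: 52,,,1000000201,wan,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,198.51.100.1,224.0.0.18,advertise,255,5,2,0,1",
    # Peer's advertisement, passed by the second CARP rule: must not be counted.
    "filterlog[]: 53,,,1000000202,lan,match,pass,in,4,0xe0,,255,0,0,DF,112,carp,56,192.0.2.2,224.0.0.18,advertise,255,4,2,0,1",
    # Unrelated TCP block: ignored by the parser.
    "filterlog[]: 7,,,1000000103,lan,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.50,192.0.2.1,51000,443,0",
]
OWN_IPS = {"192.0.2.1", "198.51.100.1"}  # this node's interface addresses (assumed)

if __name__ == "__main__":
    for (iface, vhid), n in sorted(echoed_advertisements(SAMPLE, OWN_IPS).items()):
        print(f"{iface} vhid {vhid}: {n} own advertisement(s) echoed back")
```

A non-empty result on the active node matches the echo behaviour described in the thread; entries from the peer's address or on other trackers are left out of the count.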