CARP Sync problem on NSX-T (VMware Cloud Director)
-
Hello,
We are planning to create a cluster of pfSense firewalls with High Availability (HA), which requires a virtual IP with CARP.
The goal: have high availability for our 2 virtual pfSense nodes. Sadly, it does not work; we have been troubleshooting for over 4 hours and think we cannot do anything more.
The error is that both nodes appear as MASTER in CARP Status.
The documentation states: This will happen if the secondary node cannot see the CARP heartbeat advertisements from the primary. Check for firewall rules, connectivity trouble, switch configurations. Also check the system logs for any relevant errors that may lead to a solution. If this is encountered in a Virtual Machine (VM) hypervisor environment such as VMware ESX, see Troubleshooting High Availability Clusters in Virtual Environments.
The documentation:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html#both-nodes-appear-as-master
Here is what Netgate proposes to make high availability work in a VMware vSphere environment:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html
However, our virtual cloud provider has VMware Cloud Director and NSX-T.
It is such an urgent project and we do not know what to do next.
Do you have any ideas?
Thanks!
-
You must allow MAC Address Changes, Promiscuous Mode, and Forged Transmits on the port group to the VM for any interface that uses CARP. I created a single trunk port group that has these settings and only use it for my pfSense box.
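
To confirm the dual-MASTER symptom discussed in this thread from the command line, the following added example (not from either poster or from Netgate) compares saved `ifconfig` output from both nodes and lists each CARP VIP that is MASTER on both. The file names, interface names and sample output are constructed, and it assumes both nodes use the same interface names.

```shell
#!/bin/sh
# Added example; the ifconfig excerpts in write_samples are constructed.

# master_vips FILE: print "interface vhid" for every CARP VIP in MASTER
# state found in one node's saved `ifconfig` output.
master_vips() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }  # interface header
        $1 == "carp:" && $2 == "MASTER" {
            for (i = 3; i < NF; i++)
                if ($i == "vhid") print iface, $(i + 1)
        }' "$1"
}

# dual_master PRIMARY SECONDARY: print each "interface vhid" that is MASTER
# on both nodes. Assumes both nodes use the same interface names.
dual_master() {
    master_vips "$1" | sort > "$1.masters"
    master_vips "$2" | sort > "$2.masters"
    comm -12 "$1.masters" "$2.masters"
    rm -f "$1.masters" "$2.masters"
}

# write_samples DIR: constructed output where vmx0/vhid 1 is MASTER on both
# nodes (advertisements not arriving) and vmx1/vhid 2 is healthy.
write_samples() {
    cat > "$1/primary.txt" <<'EOF'
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 1 advbase 1 advskew 0
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 2 advbase 1 advskew 0
EOF
    cat > "$1/secondary.txt" <<'EOF'
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 1 advbase 1 advskew 100
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
dual_master "$demo_dir/primary.txt" "$demo_dir/secondary.txt"  # prints: vmx0 1
rm -rf "$demo_dir"
```

On real nodes, the two input files would come from running `ifconfig` on each firewall and saving the output.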