CARP issue (master on both nodes at the same time)
-
Dear all,
We are in the process of setting up pfSense in a high-availability environment using CARP. For some reason, both the primary and secondary node are MASTER at the same time for a single VLAN.
Both nodes are connected to the same Cisco switch (SG550X). The ports that the pfSense nodes are connected to are untagged in VLAN 99 and tagged in VLAN 1, 4, 100, 150, 200.
High-availability is configured using a crossover cable and a dedicated network adapter on both nodes.pfSense 1:
π Log in to viewpfSense 2:
π Log in to viewIf we connect the pfSense nodes to two different Cisco switches (which are connected to each other), the CARP status for VLAN 99 is fine, but now the problem exists on VLAN 4:
π Log in to viewAny help is highly appreciated.
-
Dual master means they are not seeing each other at L2, the advertisement packets aren't coming through. Usually in a case like yours with VLANs that means either one or the other trunk ports isn't tagged for that VLAN, or it isn't tagged between multiple switches if you are plugging into different ones.
-
Thanks for your reply @jimp.
Both ports are on the same switch and configured with the same VLANs (untagged: 99 / tagged: 1, 4, 100, 150, 200).
Since we connect to each pfSense node using the IP address on VLAN 99 (pfSense1 β 10.99.10.99/16, pfSense2 β 10.99.11.99/16), I believe the ports on the switch are configured properly.
So, why are both nodes master in VLAN 99 as shown in the screenshots above? Is there something else that we could check?
-
This is getting mysterious⦠Swapping the switchports solved my problem. Node 1 was connected to switch port 31 and node 2 was connected to switch port 44. After swapping, CARP is working fine!
For testing purposes, I swapped back, and the CARP issue was also back again. Swapped again and the problem disappeared...
The switch ports are configured completely identically. What is causing this?!
-
Are you sure it's working OK? Did you try putting the primary into maintenance mode and seeing if the secondary took over?
Dual master has to be an L2 issue -- either the VLAN traffic isn't being carried in both directions or the VLAN config in pfSense isn't right (e.g. the interface VLAN isn't actually set to the right ID number).
If it works in one direction but not the other, you might also check the switch for anything that might interfere with multicast traffic, such as storm control or IGMP snooping.
Also worth doing a packet capture on both nodes to see if you see inbound CARP heartbeats in both scenarios.
-
@jimp
Sorry for my late reply. I performed several tests and CARP is working fine now :) Thanks for your help!