Outbound FTP stopped working and WAN address TTL expires



  • Hi all,

    I've got 2 PFSense boxes, one a CARP master and the other a passive machine.  Recently, we had to failover the primary and reboot the machine and failback.  After this event, outbound FTP connections through the primary don't work, and pinging the primary box's WAN gives a TTL expired message.  Traceroutes to the WAN seem to show that it is looping over and over on that address until TTL expires.  The machine itself can't ping it's uplink, but it passes traffic through the various CARP addresses fine.  The primary can not ping itself nor reach FTP sites.  Tcpdumps show a SYN being sent from the public address to the FTP site, and then a SYN-ACK, but no subsequent ACK.  Instead another SYN happens.  I am using the FTP helper on the interface this passes through.  Basically anything that sources itself as the WAN address doesn't seem to work.  The secondary has none of these problems currently, but it also doesn't have any of the CARPs.  A suspicious route that doesn't exist on the secondary is:

    <wanip>        <wan mac="">  UHLW        1 12076103    lo0

    I don't know if that's needed for CARP, but it seems strange that the WANIP is reached via lo0 on the machine.  This is a live, production firewall, otherwise I'd pull the route and see what breaks.  Any ideas as to what's going on?  I wasn't sure if this should go here of the CARP forum, but I have no proof it's CARP related.</wan></wanip>


Log in to reply