Virtual IP On LAN - Very Slow takeover



  • Hi All

    I'm hoping someone can give me some idea of what the problem may be here; currently I'm a bit stumped  ???

    Main Setup –---------------------------------------------------------------------------------------------------

                    Firewall1                   Firewall2

    LAN             192.168.0.3/21              192.168.0.4/21
    WAN             213.48.xxx.xx1/28           213.48.xxx.xx2/28
    DMZ             10.0.0.31/8                 10.0.0.32/8
    CARP            10.0.5.2/28                 10.0.5.3/28
    VPN LAN         BRIDGED WITH LAN            NA

    CARP Interfaces

                    Firewall1                   Firewall2

    CARP0           VHID1                       VHID1
    IP:             192.168.0.250/21            192.168.0.250/21
    Pass:           test                        test
    Advertise:      5                           105

    CARP1           VHID2                       VHID2
    IP:             10.0.0.250/8                10.0.0.250/8
    Pass:           test1                       test1
    Advertise:      5                           105

    CARP2           VHID3                       VHID3
    IP:             213.48.xxx.xx5/28           213.48.xxx.xx5/28
    Pass:           test2                       test2
    Advertise:      5                           105

    RULES ON CARP LAN
    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
    *      *                                                   CARP LAN

    The CARP network is located on a dedicated separate switch.

    End setup ---------------------------------------------------------------------------------------------

    The situation is that I can communicate with all the virtual IPs from machines on each of the networks.

    If I send a ping packet to the 10.0.0.250 virtual address it will respond without even dropping a packet... even when I drop CARP on one box and bring it back up the changeover is seamless.

    The problem comes with the virtual IP on the LAN, 192.168.0.250. If I disable CARP on the primary box the changeover is instant. Even sending pings to the interface while CARP is taking over from primary to secondary does not result in lost packets.
    However, if I bring CARP back up on the primary box packets get lost... lots of them. In fact it takes about 5 minutes for the 192.168.0.250 IP to respond to pings again on the primary, even though in the CARP status the primary box instantly recognizes itself as master.

    I have rebuilt both boxes from scratch on more than one occasion, I have tried different IPs and even multiple IPs on the LAN, e.g. 192.168.0.1, 192.168.251 etc. I have even had the primary configured on different boxes with different NICs.

    I always have the same problem: the primary box takes a good while to take over the LAN IP... all the other IPs work fine.

    I am using version 1.2.2 built on Thu Jan 8 22:30:24 EST 2009

    Any help would be greatly appreciated.

    Many thanks
    James



  • Ok, so I didn't actually read your whole post, sorry. But I did notice your DMZ conflicts with your CARP subnet. Do you really need a whole class A for the DMZ? Either change that or move the CARP subnet to 172.16.5.0/28 or something. Oh, and what's with the adskew being 5 and 105? You should leave these at defaults (0 for the master, 100 for the backup).
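The overlap the reply points out is easy to miss by eye, because 10.0.5.0/28 sits inside 10.0.0.0/8. The following script is an added example and is not part of the thread or of pfSense itself: it takes the interface addresses from the first post (with a documentation-range placeholder for the masked WAN octets), reports every pair of interfaces whose connected subnets overlap, and shows which host CARP would elect as master from the advertisement skews. The function names and the "fixed" address set are assumptions made for the example.

```python
from ipaddress import ip_interface

# Interface addresses as posted for Firewall1 (constructed input; the WAN octets
# are masked in the post, so a documentation-range placeholder stands in for them).
FIREWALL1 = {
    "LAN":  "192.168.0.3/21",
    "WAN":  "203.0.113.1/28",   # placeholder for 213.48.xxx.xx1/28
    "DMZ":  "10.0.0.31/8",
    "CARP": "10.0.5.2/28",
}

# The same box after the change suggested in the reply: CARP sync moved to
# 172.16.5.0/28 (hypothetical host address chosen for the example).
FIREWALL1_FIXED = dict(FIREWALL1, CARP="172.16.5.2/28")


def overlapping_interfaces(ifaces):
    """Return every pair of interface names whose connected subnets overlap.

    Two interfaces with overlapping connected routes leave the kernel with an
    ambiguous choice for traffic to the shared range, which is the situation
    the reply points out for DMZ (10.0.0.0/8) and CARP (10.0.5.0/28).
    """
    nets = {name: ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def expected_master(advskew_by_host, advbase=1):
    """Return the host CARP elects as master from the advertisement skews.

    CARP advertises every advbase + advskew/256 seconds and the host that
    advertises most often wins, so the lowest skew becomes master. The
    defaults the reply recommends are 0 for the intended master and 100 for
    the backup.
    """
    return min(advskew_by_host, key=lambda h: advbase + advskew_by_host[h] / 256)


if __name__ == "__main__":
    for label, ifaces in (("as posted", FIREWALL1), ("after fix", FIREWALL1_FIXED)):
        print(f"{label}: overlapping subnets -> {overlapping_interfaces(ifaces)}")
    print("master with skews 5/105 ->",
          expected_master({"Firewall1": 5, "Firewall2": 105}))
    print("master with skews 0/100 ->",
          expected_master({"Firewall1": 0, "Firewall2": 100}))
```

Running it against the posted addresses flags the CARP/DMZ pair and nothing else; after moving the CARP sync network out of 10.0.0.0/8 the list is empty. Both skew sets elect Firewall1, which matches the poster's observation that the primary shows itself as master immediately, so the skews explain the election but not the overlap-related delay.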



  • Hi Dotdash

    Cheers for the response, I have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I don't actually need a class A for my DMZ either; it just happens to be that this is how it was configured originally, and as I have many servers in the DMZ and it works I'm not going to reassign them all. The reason I have assigned the adskew to 5 and not 0 is so that I can add my main pfSense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.

    Anyway, cheers for the assistance; if I have any more probs I'll post back… I should know in a day or two if everything is working fine.

