Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP dropping packets to VIP

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    1
    2
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      phospher
      last edited by

      I am trying to build a CARP pfsense cluster in vmware esxi 4. First I will say that I have enabled "promiscuious mode", "mac address changes", and "forged transmits" on the esxi virtual switches. I have also read the posts and fix regarding the nic teaming issues and there fore am not teaming two nics together. I have it setup so that each external(wan) interface on pfsense (1.2.3-Release) is connected to a different physical nic on the esxi host.

      My problem is when I try and ping the virtual WAN ip of the cluster. I get a lot of dropped packets here is a look trying to ping 10.20.95.109(wan vip) from another box on the 10.20.95 network

      
Pinging 10.20.95.109 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.20.95.109: bytes=32 time<1ms TTL=58
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.20.95.109: bytes=32 time=1ms TTL=58
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.20.95.109: bytes=32 time=1ms TTL=58

Ping statistics for 10.20.95.109:
    Packets: Sent = 17, Received = 3, Lost = 14 (
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

      From internal the firewall pinging from the lan ip out of the network it will work fine and not drop any packets as long as outbound nat is not enabled as recommended by the docs. Once I set outbound manual nat and select the virtual ip the pings out of the network will also show a similiar result as shown below

      
Reply from 10.20.95.107: bytes=32 time<1ms TTL=62
Reply from 10.20.95.107: bytes=32 time<1ms TTL=62
Reply from 10.20.95.107: bytes=32 time<1ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.20.95.107: bytes=32 time=1ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.20.95.107:
    Packets: Sent = 190, Received = 44, Lost = 146 (76% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

      The machines on the internal(lan) interface are set to use the lan VIP as the default gateway and dns server.

      I've been messing with this for a few days but cannot seem to come up with an explanation. Does anyone have any suggestions?

      When I go to "status" "carp" everything appears as it should, I have master and backup as you would expect.

      So why is the WAN VIP not responding to all packets and why once I enable outbound nat does the internal also have problems getting out?  Regardless of weather outbound nat is enabled my WAN VIP drops packets…

      Thanks!

      1 Reply Last reply Reply Quote 0
      • P
        phospher
        last edited by

        Stupid me. I finally figured out that I was using a vhid already in use by our switches. Duh, right there in the troubleshooting carp doc…. All seems to be working great.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post