Netgate Discussion Forum

    CARP on pfsense 1.2.3 doesn't work properly

    • defender80

      Hi,
      Before I start to describe my issues I just need to mention that it worked ok on version 1.0.1.
      Also I attached my basic network map.

      We're running this for our web and voip servers and IPSec tunnels (virtual IPs are used for these services). Sometimes we can't access the local servers over the VPN. And the reason is that there are 2 IPSec tunnels open - on the master and on the slave. Also if I looked on the status page there was some inconsistency - master pfsense has some IPs in green (slave pfsense has got them in gray colour) and some in gray (slave pfsense has them in green colour).
      I checked a few things like: time (both boxes have got the same time), advertise frequency (master 0, slave 100) and I think everything is ok.

      Also as we're registering our snom phones with the server behind this firewall we've got some issues with our telephones because of that.
      Also our web servers won't respond during this time.
      Then I'm stopping carp on the slave and then everything is back to normal. I'm thinking that it shouldn't be noticeable for us (1-3 seconds maybe) to swap between master-slave.

      I need to mention that there's STP enabled on HP switches to prevent loops.

      I'd appreciate any ideas; is there anything I should check?

      carp_network_map.JPG

      • chrisluk

        Anything funny in the system log?

        You may try deleting all the VIPs and creating them again.

        • cmb

          As long as IPsec is bound to a CARP IP, it can't come up on the secondary until it's master. If you have dual master status, there's some kind of connectivity problem between the two hosts (though that should be no diff from 1.0.x to 1.2.x).

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.