VIP for LAN shows BACKUP status on both servers

  • I have set up two VIPs on a dual pfsense configuration.  The VIP for the the WAN works fine and shows status of MASTER on one server and BACKUP on the second (as expected).  The VIP I set up for the LAN shows BACKUP on both servers and I have tried everything I have been able to find to correct this.  I followed the tutorial word for word but to no avail.  I cannot ping the VIP from the LAN so it is definitely not responding (actually the first ping responds with a rather long time delay 700 ms versus a normal lan response of about 1 ms but then no additional responses at all).

    What would cause this condition.  Please give me some ideas as to how to troubleshoot this.


  • Never seen a backup-backup condition yet. I would check all settings and maybe restart from scratch. Usually you see master-master problems if the interfaces of both machines don't see each other.

  • I agree with hoba.  Usually it's MASTER/MASTER if there is no communication between the boxes.  Haven't seen BACKUP/BACKUP yet.

    I would check the firewall rules to make sure that there is a communication between the two machines.  Enable logging on FW rules and use tcpdump to watch for traffic.  Also check the advskew on the MASTER machine for the LAN VIP to make sure that it has lower number than the master (prefer 0).

  • I have tried configuring this several times with different hardware even.  I still get the same thing every time.  I have changed the vhid groups to be different numbers (always the same on both machines tho) and have entered the virtual ip password several time to make sure it is always the same.  The virtual ip will sync over to the other machine when I delete it and start over again.  It looks like it tries to become master (green arrow but it does not say master nor does the carp1 show up).  However, once it goes into backup mode everything appears as normal looking on the status line for a backup machine - but of course both machines are in this state which is the problem.

    I am not that familiar with tcpdump.  What am I looking for here and what is the best command to enter to limit the output to just what I should see to debug.  I know i need to use the -i and specify the interface, but are there other options that would help me limit the output.  I have done this once and have seen an arp line with the vip show up.  I will be glad to post some output if that would help debug but just want to make sure I post the most pertinent output.

    Also, as info, I can ping the lan ip of the other firewall from each one.

    Thanks for your help!

  • What version are you running? Try the latest snapshot in case you are not already running it.

  • OK, I just downloaded the latest snapshot and installed on both firewalls.  Same issue!  How do I go about debugging using TCPDUMP or some other tool that will help figure this out.  Again, I can ping between the two firewalls on the LAN so I know there is connectivity.

  • Can you test with another switch? Or maybe connect the two lans with a crossovercable and access the webgui at wan, just to see if it happens with a crossovercable too. If it works fine then your switch in between does something goofy.

  • The switch does seem to be the problem!  It is an SMC EZ1024DT switch which I have had for several years and has not been a problem at all.  I guess there is something with carp that it does not like.  Is there some protocol that carp uses that may not be supported by some switches?

    I will be getting a replacement switch to remedy this problem but just wondering what it is about my existing switch that does not support carp.

    Thanks for the help!!!

  • CARP is mainly broadcastingtraffic. Have a look at to see how it works.