Drive failed, reinstalled/restored, now NAT doesn't work



  • A while back I had a drive fail in the master of a CARP setup forcing me to run from the slave for a while.  I finally got around to rebuilding the master and restoring the config but now that I've done so, NAT Forwarding isn't working when the master has my CARP IPs.  If I fail over to the slave everything works fine.  Existing sessions continue to work when the master comes back up, but new sessions fail.

    I tried upgrading to 2.0 but that hasn't helped.

    Any thoughts?



  • The output of "pfctl -sn" and "pfctl -sr" is identical for the two boxes, so the rules are being created correctly.

    I've tried a packet capture on the system that isn't working and this is what I get with Full detail.  Unfortunately, I've no idea what it all means.  IP addresses have been censored but otherwise the data is unmodified.  Traffic is from tcping on the port in question (ms-sql-s) but I tried a different port forward (https) and that isn't working either.

    09:56:25.709841 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 114, id 30438, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62525 > 208.176.yyy.zzz.1433: Flags [S], cksum 0xb5c6 (correct), seq 410772004, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:27.718749 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30647, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62526 > 208.176.yyy.zzz.1433: Flags [S], cksum 0x6be1 (correct), seq 3962460245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:28.706720 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 114, id 30650, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62525 > 208.176.yyy.zzz.1433: Flags [S], cksum 0xb5c6 (correct), seq 410772004, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:29.726159 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30651, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62527 > 208.176.yyy.zzz.1433: Flags [S], cksum 0xe7e1 (correct), seq 2554933305, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:30.716128 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30654, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62526 > 208.176.yyy.zzz.1433: Flags [S], cksum 0x6be1 (correct), seq 3962460245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:31.736067 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30657, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62528 > 208.176.yyy.zzz.1433: Flags [S], cksum 0x9363 (correct), seq 3848746904, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:56:32.727035 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30662, offset 0, flags [DF], proto TCP (6), length 52)
        50.19.www.xxx.62527 > 208.176.yyy.zzz.1433: Flags [S], cksum 0xe7e1 (correct), seq 2554933305, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    
