Point to Point CARP dropping out

  • All,

    We have a setup of one PF cluster in one location talking over a point-to-point link to another PF cluster. The problem is we cannot use the VIP between the two clusters. If we try to use the VIP, we sustain massive packet loss.

    Example –

    FWCluster 1

    FW1 - 192.168.10.2 - master
    FW2 - 192.168.10.3
    VIP - 192.168.10.1

    FWCluster 2
    FW1 - 192.168.10.11 - master
    FW2 - 192.168.10.12
    VIP - 192.168.10.10

    When we use the VIP for routing traffic, we sustain massive packet loss (a few packets do actually go through), but using the two master IPs we have zero drops and everything works fine.

    Thoughts? Anyone else have this issue?

    Background info:

    Both firewall clusters are VMware nodes.

    Both have Promiscuous Mode enabled, as well as MAC Address Changes and Forged Transmits, in VMware for both the VLAN switch and the VLAN itself.

    VIPs work fine for private IPs and the public side. Just the point-to-point VIPs have the issue.

    When I'm coming from the LAN pinging the VIP behind the same firewall, it pings without issue. If I ping the remote firewall, I get the same packet loss. This is the same vice versa from either side.

    Any help would be greatly appreciated.

    Thanks
  • Solved this one via commercial support, following up here for the sake of others who find it in the future. The problem was using a CARP IP with the same VHID on two separate pairs. Input validation prevents doing so on a single pair. When you have multiple pairs on the same broadcast domain, make sure you use unique VHIDs, since the VHID determines the MAC address. When you duplicate VHIDs, you create duplicate MACs, which causes the typical issues you get with duplicate MACs: significant packet loss and general network confusion.

    It is also a good idea to only use each VHID once at each physical location, even on separate broadcast domains (VLANs). While that should work without problems, since switches should keep the MACs specific to each VLAN, it can potentially confuse your switches.
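    To make the answer above concrete, here is an added example (not from the thread and not pfSense code) that derives the CARP virtual MAC from each VHID and flags the two situations the answer describes: the same VHID on two pairs in one broadcast domain, and a VHID reused across VLANs at one site. The cluster names and VIPs follow the original post; the VHIDs, segment names and site labels are constructed assumptions.

```python
from collections import defaultdict
# CARP (like VRRP) announces the virtual MAC 00:00:5e:00:01:<VHID>, so the
# VHID, not the VIP address, decides which MAC is seen on the wire.
CARP_MAC_PREFIX = "00:00:5e:00:01"

def carp_mac(vhid: int) -> str:
    """Virtual MAC that CARP uses for a VHID (1-255)."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1-255, got {vhid}")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"

def check_vhids(vips):
    """Return (errors, warnings). Errors: one VHID used by more than one pair in
    the same broadcast domain, i.e. two pairs announcing the same MAC (the fault
    in the thread). Warnings: one VHID reused on several VLANs at one site."""
    clusters_by_segment = defaultdict(set)  # (segment, vhid) -> clusters
    segments_by_site = defaultdict(set)     # (site, vhid) -> segments
    for v in vips:
        clusters_by_segment[(v["segment"], v["vhid"])].add(v["cluster"])
        segments_by_site[(v["site"], v["vhid"])].add(v["segment"])
    errors, warnings = [], []
    for (segment, vhid), clusters in sorted(clusters_by_segment.items()):
        if len(clusters) > 1:  # same VHID on two pairs in one segment
            errors.append(f"{segment}: VHID {vhid} on {', '.join(sorted(clusters))}"
                          f" -> duplicate MAC {carp_mac(vhid)}")
    for (site, vhid), segments in sorted(segments_by_site.items()):
        if len(segments) > 1:  # same VHID on several VLANs at one site
            warnings.append(f"site {site}: VHID {vhid} reused on "
                            f"{', '.join(sorted(segments))}")
    return errors, warnings

def next_free_vhid(vips, site: str) -> int:
    """Lowest VHID not yet used anywhere at the given site."""
    used = {v["vhid"] for v in vips if v["site"] == site}
    return next(n for n in range(1, 256) if n not in used)

# Constructed sample modelled on the thread: both pairs share the point-to-point
# segment and both use VHID 10 (the assumed mistake); cluster 1 also reuses
# VHID 20 on two LAN VLANs. All VHID values are assumptions, not from the post.
SAMPLE = [
    {"cluster": "FWCluster1", "vip": "192.168.10.1", "vhid": 10, "segment": "p2p", "site": "A"},
    {"cluster": "FWCluster2", "vip": "192.168.10.10", "vhid": 10, "segment": "p2p", "site": "B"},
    {"cluster": "FWCluster1", "vip": "10.0.20.1", "vhid": 20, "segment": "vlan20", "site": "A"},
    {"cluster": "FWCluster1", "vip": "10.0.30.1", "vhid": 20, "segment": "vlan30", "site": "A"},
]
if __name__ == "__main__":
    errs, warns = check_vhids(SAMPLE)
    print("\n".join(errs + warns))
    print("next free VHID at site A:", next_free_vhid(SAMPLE, "A"))
```

    Run it against your own VIP inventory; an entry in `errors` is exactly the duplicate-MAC condition from the answer, and `next_free_vhid` gives a VHID that is unused at that site.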
