Netgate Discussion Forum

    What should tcpdump look like?

    HA/CARP/VIPs
    • ace

      CARP is not working on one of the interfaces (works OK on others). Both master and slave FWs think they are the CARP master for this VIP. We assume that CARP is multicast on the interface it is assigned to, not the XOVER/pfsync interfaces?

      On the master FW,

      tcpdump -i bce2 -ttt -n proto CARP

      Produces:
      1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 000996 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 001000 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 001000 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
      1. 001001 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36

      On the slave FW, we get:
      1. 392001 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
      1. 391999 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
      1. 392000 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
      1. 391999 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
      1. 391998 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
      1. 392003 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36

      What should we see if they are working correctly?

      • ace

        Having looked at the IF where CARP is working, both sides see the same thing, i.e. the slave "sees" the master's IP:

        1. 392001 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36

        So my dump doesn't tell me anything, only that both are advertising.

        • marcelloc

          Did you create the rules to allow each other's CARP traffic?

          Can both pfsenses ping each other?

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

          • cmb

            You should see the same on both of them. What you're seeing there shows the two can't see each other on the network. The primary's CARP should show up exactly the same on the secondary, and then the secondary won't send any CARP traffic. If it doesn't show in tcpdump, it's not getting there; even if the firewall were blocking it, it would show in tcpdump.

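The comparison described in the last reply can be automated. This is an added example, not code from any poster or from pfSense: it parses the tcpdump output captured on each node and reports, per vrid, whether both nodes see only the primary's advertisements or whether the secondary is advertising without ever seeing the primary. The function names, status strings and the healthy sample are assumptions made for the illustration; the failing sample lines are copied from the first post.

```python
import re
from collections import defaultdict

# tcpdump decodes CARP as VRRPv2; capture the source IP and the vrid.
ADV = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: "
                 r"VRRPv2, Advertisement, vrid (\d+)")

def advertisers(capture):
    """Return {vrid: set of source IPs} seen in one node's tcpdump output."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = ADV.search(line)
        if m:
            seen[int(m.group(2))].add(m.group(1))
    return dict(seen)

def diagnose(primary_ip, primary_capture, secondary_ip, secondary_capture):
    """Classify each vrid by comparing what the two nodes see on the wire."""
    p, s = advertisers(primary_capture), advertisers(secondary_capture)
    result = {}
    for vrid in sorted(set(p) | set(s)):
        p_src, s_src = p.get(vrid, set()), s.get(vrid, set())
        if p_src == s_src == {primary_ip}:
            # Same advertisement visible on both sides, secondary stays silent.
            result[vrid] = "ok"
        elif secondary_ip in s_src and primary_ip not in s_src:
            # Secondary never receives the primary's packets and claims master.
            result[vrid] = "isolated"
        else:
            result[vrid] = "other"
    return result

# Lines copied from the thread: each node only ever sees its own packets.
FAILING_PRIMARY = """\
1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
1. 000996 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
"""
FAILING_SECONDARY = """\
1. 392001 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
1. 391999 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
"""
# Constructed sample: the same primary advertisement captured on both nodes.
HEALTHY = FAILING_PRIMARY

if __name__ == "__main__":
    print(diagnose("10.10.10.5", FAILING_PRIMARY, "10.10.10.6", FAILING_SECONDARY))
    print(diagnose("10.10.10.5", HEALTHY, "10.10.10.6", HEALTHY))
```

An "isolated" result points at the layer 2 path between the two interfaces rather than at firewall rules, since blocked packets would still appear in the receiving node's capture.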
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.