4. What should tcpdump look like?

What should tcpdump look like?

  • A

    CARP is not working on one of the interfaces (Work ok on others).  Both master and slave FWs think they are the CARP master for this VIP.  We assume that CARP is multicast on the interface it is assigned to, not the XOVER/pfsync interfaces?

    On the master FW,

    tcpdump -i bce2 -ttt -n proto CARP

    Produces:
    1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 000996 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 001000 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 001000 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 000999 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36
    1. 001001 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 0, authtype none, intvl 1s, length 36

    On the slave fW, we get:
    1. 392001 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
    1. 391999 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
    1. 392000 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
    1. 391999 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
    1. 391998 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36
    1. 392003 IP 10.10.10.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36

    What should we see if they are working correctly?

    0
  • A

    Having looked at the IF where CARP is working, both sides see the same thing, I.e. the slave "sees" the masters IP:

    1. 392001 IP 10.10.10.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 16, prio 100, authtype none, intvl 1s, length 36

    So my dump doesnt tell me anything, only that both are advertising.

    0

  • Did you created the rules to allow each other carp traffic?

    Can both pfsenses ping each other?

    0
  • C

    You should see the same on both of them. What you're seeing there shows the two can't see each other on the network. The primary's CARP should show up exactly the same on the secondary, and then the secondary won't send any CARP traffic. If it doesn't show in tcpdump, it's not getting there, even if the firewall were blocking it, it would show in tcpdump.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy