Netgate Discussion Forum

No continuous ping to carp interface

    bemar
    last edited by Sep 10, 2012, 4:19 PM

    Hello,

    I've set up pfSense 2.0.1-RELEASE (i386) on two Watchguard Firebox X750E units. I've also set up a WAN and a LAN CARP interface, which run fine most of the time.
    The switch of the active box after unplugging a WAN or LAN cable is working.

    I've set up firewall rules to allow pinging the WAN CARP interface and to allow connecting to the pfSense GUI over HTTPS from the WAN. But I can't get a continuous ping. It happens that packets go missing.
    Working with the GUI is also very slow, and sometimes the "website not reachable" error appears in Firefox.

    When I go to the INTERFACES menu item and save the WAN interface (without changing anything), the CARP connection works very well for the next 10 minutes. Then the packet drops start again. It seems that saving the WAN interface resets something.

    I've tested pinging the WAN interface from different hosts (home connection, office connection) with the same result.

    Does anybody have an idea?

    Thanks in advance

    Ben

    2.0.1-RELEASE (i386)
    built on Mon Dec 12 19:00:03 EST 2011
    FreeBSD 8.1-RELEASE-p6
    2x Watchguard Firebox X750E

      cmb
      last edited by Sep 11, 2012, 1:30 AM

      Sounds like an IP conflict. Saving the interface issues a gratuitous ARP which will temporarily fix an IP conflict.

        bemar
        last edited by Sep 12, 2012, 3:36 PM

        @cmb:

        Sounds like an IP conflict. Saving the interface issues a gratuitous ARP which will temporarily fix an IP conflict.

        No, it's not a duplicate IP.

        I did some research in the meantime and got strange results:

        When the WAN CARP IP is not reachable from a different host in a different WAN network, the second (backup) pfSense box is still getting answers because it's in the same WAN subnet (we have 32 WAN IP addresses).
        I'm behind a cable modem from Cablecom (Swiss ISP) and it looks like the cable modem has some trouble.

        I captured some packets:
        In one case I sent 4 ping requests to the CARP WAN IP from another external host and got 2 replies from pfSense. In the capture logs only 2 requests were logged.

        Any ideas?

        Best regards

        Ben

          cmb
          last edited by Sep 12, 2012, 8:24 PM

          If the packet capture only shows two requests and both got replies, the problem isn't the firewall, it's whatever is upstream that should be sending traffic to the firewall. Packet capture shows what's on the wire before any processing, so it's not getting to you. That still sounds like an IP conflict.

          1 Reply Last reply Reply Quote 0
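One way to test the IP-conflict hypothesis raised in cmb's two replies above (an added example, not part of the original thread): capture ARP on the WAN side with `tcpdump -e -n -i <wan_if> arp` and check whether anything other than the CARP virtual MAC answers for the VIP. The VIP `203.0.113.10`, VHID `1`, the MAC addresses and the capture lines are constructed sample values, and the line layout is assumed to be tcpdump's usual `-e -n` text output.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n arp` text output (documentation
# addresses, not taken from the thread).
SAMPLE_CAPTURE = """\
10:00:01.000100 00:00:5e:00:01:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:00:5e:00:01:01, length 46
10:00:03.120000 00:1b:21:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 tell 203.0.113.20, length 46
10:09:47.530000 00:0c:29:12:34:56 > 00:1b:21:aa:bb:cc, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:0c:29:12:34:56, length 46
10:09:48.000200 00:00:5e:00:01:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:00:5e:00:01:01, length 46
"""

# Timestamp at line start, then "Reply <ip> is-at <mac>" later in the line.
ARP_REPLY = re.compile(
    r"^(\S+) .*\bReply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})"
)


def carp_mac(vhid):
    """CARP answers ARP for a VIP with the virtual MAC 00:00:5e:00:01:<VHID>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def find_conflicts(capture_text, vip, vhid):
    """Return {mac: [timestamps]} for every ARP reply that claims `vip`
    with a MAC other than the CARP virtual MAC for `vhid`."""
    expected = carp_mac(vhid)
    offenders = defaultdict(list)
    for line in capture_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # ARP requests and unrelated lines
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if ip == vip and mac != expected:
            offenders[mac].append(ts)
    return dict(offenders)


if __name__ == "__main__":
    hits = find_conflicts(SAMPLE_CAPTURE, "203.0.113.10", 1)
    for mac, seen in hits.items():
        print("%s also claims the VIP (first seen %s, %d replies)"
              % (mac, seen[0], len(seen)))
```

An empty result over a capture that spans one of the outage windows argues against a second host claiming the VIP.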
            bemar
            last edited by Sep 13, 2012, 7:24 AM

            @cmb:

            If the packet capture only shows two requests and both got replies, the problem isn't the firewall, it's whatever is upstream that should be sending traffic to the firewall. Packet capture shows what's on the wire before any processing, so it's not getting to you. That still sounds like an IP conflict.

            You think it's an IP conflict because both pfSense boxes have the CARP IP at the same time?
            That would be the only IP conflict, because I've checked it a thousand times and there is definitely no other machine in the WAN with that IP.

            Then there is the next question: I ran "ifconfig" from the "Command Prompt" menu and all CARP "VIPx" interfaces are displayed on both machines.
            I'm not sure exactly how pfSense handles this, but shouldn't the VIPx interfaces only be on the active/master machine?
            In the CARP status on both machines the master/backup status is displayed correctly on each machine.

            Thank you and best regards

            Ben

              cmb
              last edited by Sep 14, 2012, 2:27 AM

              No, CARP will never create an IP conflict, the IPs are always there on both and just the master/backup status changes. There is some reason upstream that some of the traffic doesn't get to the firewall.

                bemar
                last edited by Sep 14, 2012, 11:01 AM Sep 14, 2012, 10:54 AM

                @cmb:

                No, CARP will never create an IP conflict, the IPs are always there on both and just the master/backup status changes. There is some reason upstream that some of the traffic doesn't get to the firewall.

                And that's the point I don't understand. If you are right, I should see the same effects with simple virtual IPs. But it works with simple virtual IPs. No packet loss when pinging.
                It's only not working with CARP on the WAN side. CARP on the LAN is also no problem.

                In the pfSense CARP troubleshooting I've read the point about a layer 2 switch for CARP.

                Ensure that the interfaces on both boxes (The WANs, LANs, etc, etc) are connected to the proper switch/vlan/layer 2.

                Is this mandatory?

                Thank you for your hints

                Best regards

                Ben

                  nospam
                  last edited by Mar 9, 2013, 6:07 AM

                  I'm experiencing similar issues. If I configure a virtual IP as a CARP address, it only replies to pings or forwards NAT for a while, then stops working. Switching to an IP alias makes it stable… ver 2.0.1 release

                    DQM
                    last edited by Apr 21, 2013, 4:34 AM

                    Dear all,

                    I'm getting the same problem. I have 2 pfSense boxes in a cluster topology. I also have 2 internet connections with 2 separate CARP IPs.

                    • The CARP IP on the 1st line is working well
                    • But the other one on the 2nd line only works for 15 minutes if I modify the CARP setting. After 15 minutes, it doesn't work again  :-[

                    Could anybody please show me how to fix this problem? Do I need to modify speed and duplex on the interface that has the problem?

                    Thanks in advance!
                    DQM

                      cmb
                      last edited by Apr 21, 2013, 5:00 AM

                      This thread's been hijacked enough, please start new threads. Locking this. OP, if you want to follow up to this please PM me and I'll be glad to unlock. The rest of you, you need your own thread where people can help you troubleshoot without making a mess of someone else's thread.
