• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

CARP problem - both nodes on backup state

Scheduled Pinned Locked Moved HA/CARP/VIPs
9 Posts 2 Posters 4.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    mvrk
    last edited by Jul 1, 2013, 6:00 PM

    Hi,

    I've tried to setup CARP for the first time using this tutorial: http://www.howtoforge.com/how-to-configure-a-pfsense-2.0-cluster-using-carp

    but both VIPs stay on backup state on both nodes :(

    PFSENSE1:

    wan_vip1: flags=49 <up,loopback,running>metric 0 mtu 1500
    inet 192.168.70.253 netmask 0xffffff00
    carp: BACKUP vhid 1 advbase 1 advskew 0
    lan_vip2: flags=49 <up,loopback,running>metric 0 mtu 1500
    inet 192.168.2.253 netmask 0xffffff00
    carp: BACKUP vhid 2 advbase 1 advskew 0

    PFSENSE2:

    wan_vip1: flags=49 <up,loopback,running>metric 0 mtu 1500
    inet 192.168.70.253 netmask 0xffffff00
    carp: BACKUP vhid 1 advbase 1 advskew 100
    lan_vip2: flags=49 <up,loopback,running>metric 0 mtu 1500
    inet 192.168.2.253 netmask 0xffffff00
    carp: BACKUP vhid 2 advbase 1 advskew 100

    Logs of both nodes in attachment.

    Anyone seen this problem before?
    pfsense1_log.txt
    pfsense2_log.txt</up,loopback,running></up,loopback,running></up,loopback,running></up,loopback,running>

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jul 1, 2013, 8:04 PM

      A couple possibilities:

      1. Some kind of network loop/L2 issue causing them to see the advertisements from their neighbors far more often than they should.
      2. Something else on that segment is already doing CARP/VRRP/HSRP with the same VHID.

      First, try using different VHIDs (something random and/or high) and see if that is enough to clear it up.

      Otherwise, look at your switch, and make sure you don't have any bridging or layer 2 loops happening.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • M
        mvrk
        last edited by Jul 1, 2013, 11:23 PM

        @jimp:

        A couple possibilities:

        1. Some kind of network loop/L2 issue causing them to see the advertisements from their neighbors far more often than they should.
        2. Something else on that segment is already doing CARP/VRRP/HSRP with the same VHID.

        First, try using different VHIDs (something random and/or high) and see if that is enough to clear it up.

        Otherwise, look at your switch, and make sure you don't have any bridging or layer 2 loops happening.

        On the same VLAN i have a redhat cluster suite running, but i changed to a new VLAN, only my two pfsenses have access to it, but it didn't fixed the problem.

        Now i disabled promiscous mode on my vmware vswitches and it seems it fixes the problem, but without promiscous mode i can't ping the VIPs from any other machine :(

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jul 2, 2013, 1:10 AM

          oh, well if you're on vmware/esx, there are a lot more things to worry about.

          http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • M
            mvrk
            last edited by Jul 2, 2013, 9:39 AM

            @jimp:

            oh, well if you're on vmware/esx, there are a lot more things to worry about.

            http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users

            Thankx, the solution was activating the Net.ReversePathFwdCheckPromisc option on ESXi.

            Just another question:

            On my vswitch i have this port groups:
            VM Network LAN
            VM Network MGMT
            VM Network WIFI
            VM Network SYNC
            VM Network DMZ

            Do i need to have promiscous mode activated for all portgroups that have VIPs or just for the SYNC portgroup (network used for CARP)?
            I have VIPs for LAN, MGMT, WIFI, DMZ.

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jul 2, 2013, 12:38 PM

              You need it active on every port group containing the pfSense VMs, not the SYNC port group, but every other one.

              Now that doesn't mean you need to do it for the entire vswitch, you can make a port group on the vswitch for just the pfSense nodes and only enable those options there, leaving the rest of the switch at its defaults.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • M
                mvrk
                last edited by Sep 12, 2013, 2:01 PM

                @jimp:

                You need it active on every port group containing the pfSense VMs, not the SYNC port group, but every other one.

                Now that doesn't mean you need to do it for the entire vswitch, you can make a port group on the vswitch for just the pfSense nodes and only enable those options there, leaving the rest of the switch at its defaults.

                Isn't there anyway to make it work without promiscuous mode activated?

                With promiscuous mode activated all VMs can see the traffic of each other :(

                1 Reply Last reply Reply Quote 0
                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Sep 12, 2013, 2:09 PM

                  No, but that's not pfSense's fault, it's VMware.

                  You can make a port group just for the ports of the firewall, and make that promiscuous, and then have another different port group for the clients that is not promiscuous.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • M
                    mvrk
                    last edited by Sep 12, 2013, 4:49 PM

                    @jimp:

                    No, but that's not pfSense's fault, it's VMware.

                    You can make a port group just for the ports of the firewall, and make that promiscuous, and then have another different port group for the clients that is not promiscuous.

                    Thankx, works great.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received