Gateway monitoring pings going out the wrong interface
-
I have this one pair of CARP clustered firewalls where the pings for monitor IP are going out the wrong WAN interface.
I first noticed the problem on 8/27. Right now I am running today's snapshot.
The setup is two WAN connections. Tier 1 (WAN) and Tier 2 (OPT2) in a gateway group.
If I set the monitor IP address to anything other than an IP on the same subnet as OPT2 then the ping packets go out of the WAN interface instead of the OPT2 interface and obviously do not get replied. And the gateway is marked as down.
In packet capture I see the src ip on the packet is that of OPT2 interface but the packet gets sent out on the WAN interface.
If I change the monitor IP to the gateway itself or any other IP on the same subnet as OPT2 then the ping goes out the correct interface and I can see that in the packet capture. And the gateway is marked as up.
Now I have at least 4 other setups at other locations, all running the same snapshot and similar config and I do not have this problem there. So it is possible that I have mangled up the config somehow.
None of my monitor IPs are configured as DNS servers for the FW. None of the monitor IPs show in the routing table has having static routes for them. Don't see anything odd in my outbound NAT setup.
Looking for suggestions on how to troubleshoot this.
Thanks,
Shahid
-
Temporary workaround I have put in place is to add a static route for the monitor IP forcing it to go out of the interface it is supposed to be monitoring.
-
Yeah that is the fix that will be done for 2.1 for now as well.
They were removed on 2.1 but somehow something is not behaving right in the OS.