VIP is set as Master on both nodes.



  • Hi All,

    I have 2 firewalls. I have the LAN interface set up successfully with CARP. FW1 is set as MASTER and FW2 is set up as backup. The weird issue I am having is that I made a new VIP (10.1.0.1) for one of my VLANs and it is set to MASTER on both FW1 and FW2.

    Here are the settings on each FW.
    http://imgur.com/a/iuv9r

    The main problem is getting assigned DHCP addresses on VLAN101 but I think it's all related.

    Here is the system log from FW1 regarding DHCP

    Oct 10 15:31:09	dhcpd: DHCPINFORM from 10.0.0.26 via bce1
    Oct 10 15:31:09	dhcpd: DHCPACK to 10.0.0.26 (f0:de:f1:5a:27:21) via bce1
    Oct 10 15:31:15	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:31:23	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:31:27	dhcpd: DHCPREQUEST for 10.0.0.62 from 10:dd:b1:de:45:30 via bce1
    Oct 10 15:31:27	dhcpd: DHCPACK on 10.0.0.62 to 10:dd:b1:de:45:30 via bce1
    Oct 10 15:31:32	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:31:40	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:31:49	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:32:58	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:00	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:03	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:08	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:17	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:20	dhcpd: DHCPREQUEST for 172.16.0.4 from 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan501
    Oct 10 15:33:20	dhcpd: DHCPACK on 172.16.0.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan501
    Oct 10 15:33:20	dhcpd: DHCPREQUEST for 10.4.0.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan401
    Oct 10 15:33:20	dhcpd: DHCPACK on 10.4.0.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan401
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 10.4.1.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan411
    Oct 10 15:33:21	dhcpd: DHCPACK on 10.4.1.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan411
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 10.3.0.8 from 00:0f:7d:0e:c8:f0 via bce1_vlan301
    Oct 10 15:33:21	dhcpd: DHCPACK on 10.3.0.8 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan301
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 10.3.1.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan311
    Oct 10 15:33:21	dhcpd: DHCPACK on 10.3.1.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan311
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 192.168.1.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan601
    Oct 10 15:33:21	dhcpd: DHCPACK on 192.168.1.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan601
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 10.2.0.6 from 00:0f:7d:0e:c8:f0 via bce1_vlan201
    Oct 10 15:33:21	dhcpd: DHCPACK on 10.2.0.6 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan201
    Oct 10 15:33:21	dhcpd: DHCPREQUEST for 192.168.10.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan610
    Oct 10 15:33:21	dhcpd: DHCPACK on 192.168.10.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan610
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.3.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan603
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.3.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan603
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.4.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan604
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.4.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan604
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.2.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan602
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.2.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan602
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.5.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan605
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.5.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan605
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.6.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan606
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.6.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan606
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.7.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan607
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.7.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan607
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.8.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan608
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.8.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan608
    Oct 10 15:33:22	dhcpd: DHCPREQUEST for 192.168.9.4 from 00:0f:7d:0e:c8:f0 via bce1_vlan609
    Oct 10 15:33:22	dhcpd: DHCPACK on 192.168.9.4 to 00:0f:7d:0e:c8:f0 (ETT-XIR4-5) via bce1_vlan609
    Oct 10 15:33:25	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:34	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:42	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:47	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:49	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:51	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:33:55	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:34:04	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    Oct 10 15:34:12	dhcpd: DHCPDISCOVER from 10:dd:b1:de:45:30 via bce1_vlan101: not responding (recovering)
    

    Here is the DHCP status page from FW2:

    http://imgur.com/M5a1AEY

    Any help would be appreciated.

    ![Screen Shot 2013-10-10 at 3.35.15 PM.png](/public/imported_attachments/1/Screen Shot 2013-10-10 at 3.35.15 PM.png)



  • I wanted to add that both my firewalls are plugged into the same Cisco switch. The port configuration of the two ports is this:

    
    interface GigabitEthernet0/49
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,101,201,301,311,401,411,501,601-610
     switchport mode trunk
    !
    interface GigabitEthernet0/50
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,101,201,301,311,401,411,501,601-610
     switchport mode trunk
    !
    
    

    Could this cause any issues?



  • Your switch config is fine…

    Can you ping between FW1 and FW2 on VLAN101?



  • I cannot get on VLAN101 due to DHCP not working at the moment. When I try to ping from the WebGUI from FW1 VLAN101 to 10.1.0.3 (FW2 VLAN101 interface), it does not work. I am able to ping the VIP from both firewalls.



  • If I remove the VIP (10.1.0.1) from the DNS option on the DHCP server settings page, I am able to get onto VLAN101. I am not able to ping FW2 from FW1 when doing this.

    ![Screen Shot 2013-10-11 at 7.59.27 AM.png](/public/imported_attachments/1/Screen Shot 2013-10-11 at 7.59.27 AM.png)
    ![Screen Shot 2013-10-11 at 7.59.15 AM.png](/public/imported_attachments/1/Screen Shot 2013-10-11 at 7.59.15 AM.png)



  • I took a tcpdump of both interfaces. Does this look normal?

    FW1

    00:00:00.000000 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001079 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001082 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001087 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001082 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001081 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001085 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    
    

    FW2

    
    tcpdump -i bce1_vlan101 -ttt -n proto CARP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bce1_vlan101, link-type EN10MB (Ethernet), capture size 96 bytes
    00:00:00.000000 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392086 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392088 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392093 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392085 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
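
Added example, not part of any post in the thread: a small Python check that reads per-node captures in the tcpdump format shown above and reports when more than one node is advertising the same vrid while each capture contains only that node's own source address, which is the pattern in the two captures posted. The function names and the `captures` structure are assumptions made for this example.

```python
import re

# tcpdump's one-line decode of a CARP advertisement (it prints CARP as VRRPv2).
ADVERT = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+)"
)

def senders(capture):
    """Return {vrid: {source_ip: prio}} for the advertisements in one capture."""
    seen = {}
    for line in capture.splitlines():
        m = ADVERT.search(line)
        if m:
            seen.setdefault(int(m["vrid"]), {})[m["src"]] = int(m["prio"])
    return seen

def diagnose(captures):
    """captures: {node: (node's own interface IP, capture text)} (assumed shape).

    Per vrid, collect every advertising source and the nodes whose capture
    holds no advertisement from any address except their own.
    """
    report = {}
    for node, (own_ip, text) in captures.items():
        for vrid, srcs in senders(text).items():
            entry = report.setdefault(vrid, {"advertising": set(), "only_self": set()})
            entry["advertising"].update(srcs)
            if set(srcs) <= {own_ip}:
                entry["only_self"].add(node)
    return report

def isolated_masters(report, vrid):
    """Nodes that advertise as MASTER without seeing the peer's advertisements."""
    # A single advertiser is the healthy case (the backup stays silent), so
    # "only_self" is a symptom only when more than one source is advertising.
    entry = report.get(vrid, {"advertising": set(), "only_self": set()})
    return sorted(entry["only_self"]) if len(entry["advertising"]) > 1 else []

# Sample input: two lines from each capture posted in the thread.
FW1 = """\
00:00:00.000000 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
00:00:02.001079 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36"""
FW2 = """\
00:00:00.000000 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36"""

REPORT = diagnose({"FW1": ("10.1.0.2", FW1), "FW2": ("10.1.0.3", FW2)})
```

On the thread's captures, `isolated_masters(REPORT, 10)` lists both FW1 and FW2: each firewall sends advertisements for vrid 10 and neither capture shows the other's.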
    
