CARP Failover between firewalls

  • I am working on a firewall failover setup.  Each firewall has 8 interfaces, each with its own unique IP address.  I have one dedicated failover interface defined on each firewall and a Virtual IP for each pair of NICs.  Under the CARP status page I can see master on one firewall for each interface, and backup for its pair on the other firewall.

    I have CARP set up and working properly (I think) to a point where I can disconnect a single NIC, or multiple NICs, from one firewall and still pass traffic, but if I disconnect an interface on one firewall and another on a different firewall (different pairs) the traffic stops passing on the last removed NIC until I plug in the first disconnected NIC, and then traffic passes again.

    My question is should this work, or is this a limitation with CARP?

    Here is a rough diagram of my setup.


    These are connected to an HP switch using untagged VLANs.

  • Anything you do to either of a completely separate pair of systems won't impact a different pair. There are a variety of general network issues that could cause the described scenario, maybe routing to non-CARP IPs somewhere, among other possibilities.