CARP Failover between firewalls



  • I am working on a firewall failover setup.  Each firewall has 8 interfaces with its own unique IP address.  I have one dedicated failover interface defined on each firewall and a Virtual IP for each pair of NICs.  Under the carp status page I can see master on one firewall for each interface, and backup for its pair on the other firewall.

    I have CARP set up and working properly (I think) to a point where I can disconnect a single NIC, or multiple NICs, from one firewall and still pass traffic, but if I disconnect an interface on one firewall and another on a different firewall (different pairs), the traffic stops passing on the last removed NIC until I plug in the first disconnected NIC, and then traffic passes again.

    My question is should this work, or is this a limitation with CARP?

    Here is a rough diagram of my setup:

    fw1_nic1<-->VLAN10<-->fw2_nic1
    fw1_nic2<-->VLAN2<-->fw2_nic2
    fw1_nic3<-->VLAN3<-->fw2_nic3
    fw1_nic4<-->VLAN4<-->fw2_nic4
    fw1_nic5<-->VLAN5<-->fw2_nic5
    fw1_nic6<-->VLAN6<-->fw2_nic6
    fw1_nic7<-->VLAN7<-->fw2_nic7
    fw1_nic8<---------------->fw2_nic8

    These are connected to an HP switch using untagged VLANs.



  • Anything you do to either of a completely separate pair of systems won't impact a different pair. There are a variety of general network issues that could cause the described scenario, maybe routing to non-CARP IPs somewhere, among other possibilities.
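A diagnostic check for the scenario in the question, added here as an example and not code from either poster: it parses ifconfig output from both firewalls (a constructed sample below, in FreeBSD's `carp:` line format) and reports any node that holds a mix of MASTER and BACKUP VIPs, which is what happens when one NIC is pulled on each firewall, as well as any vhid with zero or two masters. Host names, interface names, vhids and addresses are assumptions.

```python
import re
from collections import defaultdict
# Constructed ifconfig-style output (FreeBSD/pfSense carp line format, trimmed to the
# relevant lines) for the scenario in the question: fw1 lost nic1, so vhid 1 moved to
# fw2, while fw2 lost nic2, so vhid 2 stayed on fw1.
FW1_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.2.0.1 netmask 0xffffff00 broadcast 10.2.0.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
FW2_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 2 advbase 1 advskew 100
"""

CARP_RE = re.compile(r"^\s*carp:\s+(MASTER|BACKUP|INIT)\s+vhid\s+(\d+)", re.M)

def carp_states(ifconfig_text):
    """Map vhid -> CARP state parsed from one host's ifconfig output."""
    return {int(vhid): state for state, vhid in CARP_RE.findall(ifconfig_text)}

def check_cluster(states_by_host):
    """states_by_host: {hostname: {vhid: state}}. Returns a list of findings (empty = healthy)."""
    findings = []
    # Within one host, all VIPs should be in the same state. A mix means each firewall
    # owns some VLANs, so a flow entering on one VLAN may try to leave via the other node.
    for host, states in states_by_host.items():
        if len(set(states.values())) > 1:
            findings.append(f"{host}: split state {dict(sorted(states.items()))}")
    # Across hosts, every vhid must have exactly one MASTER (0 = no owner, 2 = duplicate).
    masters = defaultdict(list)
    for host, states in states_by_host.items():
        for vhid, state in states.items():
            if state == "MASTER":
                masters[vhid].append(host)
    for vhid in sorted({v for s in states_by_host.values() for v in s}):
        if len(masters[vhid]) != 1:
            findings.append(f"vhid {vhid}: {len(masters[vhid])} masters ({masters[vhid]})")
    return findings

if __name__ == "__main__":
    cluster = {"fw1": carp_states(FW1_IFCONFIG), "fw2": carp_states(FW2_IFCONFIG)}
    for finding in check_cluster(cluster):
        print(finding)
```

On a real pair, feed it the output of `ifconfig` collected from each node; an empty result means every VIP has exactly one owner and each node is uniformly MASTER or BACKUP.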

