What happen if both firewall are master because of a faulty sync link?

  • Hello,
    I'd like to know what happens when two member of a CARP cluster are master.

    In term of VIP announcement.

    Imagine the situation where both firewall are running fine, the WAN interfaces also. But suddenly, the layer 2 link between both firewall, which is used for the CARP protocol, becomes unavailable.
    So both firewall become master (which is normal).

    But what about the VIP? Will it be "announced" from both firewalls?
    If yes, what can we do in order to prevent such issue?

    Thank you.

  • The sync interface is used for state and config sync. Dropping link on the sync will not cause the backup to become master- the CARP announcements are on the interfaces where the CARP VIPS are- LAN, WAN, etc.

  • Ah I see! The layer 2 link which is used for the sync is also used for the LAN interfaces (it's a kind of datacenter interconnection link), so I guess this is why both became master.

    So, what happen then if both become master?


  • I'm having a hard time understanding your setup. If the link between the firewalls was down, I would assume the link to the LAN clients or the WAN router would be down to one of the boxes also. If one box drops link on the LAN, for example, it should preempt it from becoming master on WAN. You may have an unusual setup.

  • Yeah my explanation might be confusing. I did a network diagram in a hopeful way to explain the setup. Let's see if it's working or not :)

    I should have say this first: the pfsenses are virtual firewalls hosted on ESXi hosts.

  • How does the backup firewall work when the WAN isn't connected to that datacenter?

  • My apologies, I was too lazy to draw the right side of the diagram, supposing people would understand it was the mirror of the left one.

    Sorry for that, I uploaded a new correct schema which reflects the existing setup.

  • Sorry, still confused. The WAN connections need to be connected to the same segment to exchange CARP traffic. If they are connected to two separate provider routers, how are they sharing the same IP block?

  • You're right. So this time I've added everything which belongs to my setup … Sorry for not having done this at first, it would have avoided some posts ...

    So as you had remarked, the top WAN interfaces are not CARP synced, only the lower ones (named WAN2 in magenta).

    Does it make more sense like this?

  • Hello, does anyone have an insight on this topic?

  • I don't think your configuration is valid. AFAIK, you can't do split interface failover like that. Unlike HSRP on a Cisco, you need to have all your interfaces matched. Your WAN links are mismatched and can't exchange updates. You might be able to do some hacking to get it to work, but it's not a supported configuration.

  • Thank you for your answer.

    I though that because both WAN interfaces were not part of a CARP cluster that would not interfere to the other CARP cluster members.

    So it is not possible to mix interfaces being part of a CARP cluster and single interfaces?

    What could be a proper setup in my case? Removing the WAN interfaces from the virtual machine and keeping only the WAN2 (since the WAN interfaces are not really needed here)?

    Or I could also put both WAN interfaces in a common public subnet (like the WAN2 ones). But I am not sure if the WAN interfaces can communicate on a layer2 link. That would be a problem for the CARP protocol I guess. Or is the CARP using only the sync interface I have setup under the "High Availability" menu?

  • @nikolaii:

    So it is not possible to mix interfaces being part of a CARP cluster and single interfaces?

    This is my understanding. The documentation only references full failover configurations.

    As for your implementation, I'm not sure exactly how you would go about it. Your best bet would be to get a support incident. I don't think anyone in the forum is going to have both the expertise and the time to come up with a solution.

  • Hi, your spent time on this topic has been very informative for me, I appreciate it.


Log in to reply