Can't ping CARP Virtual IP (VMware ESXi)!!

  • Hello,

    I have 2 pfsense 2.2.2 firewalls set up in a CARP model (I'm using VMware ESXi). Each firewall has 3 interfaces, LAN, WAN and sync for synchronisation.
    Now, I'm configuring a virtual IP on the WAN interface on both firewalls. I can ping the configured virtual IP from both firewalls.
    When I try to ping the Virtual IP from another machine it doesn't work. (I can see that the master firewall answers ARP requests for the virtual IP).

    Traffic is allowed on the WAN interface and I have activated promiscuous mode on the vswitch.

    Any idea about the problem?

    Thank you!

  • Packet capture on the interface where the CARP IP resides while you're sending pings. See the ICMP echo requests coming in? Guessing not, which means your port group on that interface isn't configured for promiscuous, or that isn't working for some reason. If you do see them coming in, it's likely that you don't have a firewall rule to allow the ping.

  • Thanks for your reply!
    I can't see echo requests on the interface (I can see just ARP requests). As you said, it means that there is a problem with the promiscuous mode.
    Do you know why the virtual IP would not be working even if the promiscuous mode is activated?

  • It's not that the virtual IP isn't working, it's that ESX isn't sending the traffic to the NIC so it can work. Issue is in ESX config. Promiscuous either isn't set, or isn't working, or some other network-related config in ESX is wrong.

  • Yes I think you are right because I have tried this on VMware Workstation and I was able to ping the Virtual IP.
    On the ESXi, I'm sure of enabling promiscuous mode on my port group but it doesn't work.

    Anyway thank you cmb!

  • There is actually a bit more than just promisc mode:

  • This is old, I know, but I am throwing this out there in hopes of helping others. I have found another reason that needs to be added to the CARP troubleshooter on the Netgate site when it doesn't work under ESXi. Even if the security settings are all allowing per the documentation in a distributed vSwitch environment AND SR-IOV IS ENABLED, it will not work. We had a few hosts that had this enabled on the physical NICs. After hours of trying to determine why CARP would work on some hosts but not on others as we used vMotion to move them around, we found SR-IOV was the cause. When we disabled SR-IOV, CARP immediately, without a reboot, started to ping on the virtual IPs. This is on ESXi 7. Hope this helps others.
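The diagnostic step cmb describes (capture on the CARP interface while pinging and look for ICMP echo requests) and the two ESXi-side causes named in the thread (promiscuous mode not taking effect, SR-IOV enabled) can be turned into a small triage script. This is an added example, not code from the thread or from pfSense; the virtual IP 203.0.113.10, the peer 203.0.113.20, the interface name vmx0 and the capture lines are constructed placeholders. It reads tcpdump-style output on stdin and reports which of the thread's three situations the capture matches.

```shell
#!/bin/sh
# Added example (not from the thread): classify a packet capture taken on the
# CARP interface while a remote host pings the virtual IP.
#
# Verdicts, following the reasoning in the thread:
#   no-echo-request   - only ARP (or nothing) for the VIP reaches the guest:
#                       the hypervisor is not delivering the frames (ESXi
#                       port-group promiscuous mode not effective, or SR-IOV
#                       enabled on the physical NIC, per the last post)
#   request-no-reply  - pings arrive but pfSense does not answer: check the
#                       WAN firewall rule that allows the ICMP
#   ok                - request and reply both seen
#
# Live use on the pfSense WAN interface (interface name is an assumption):
#   tcpdump -nli vmx0 "arp or icmp" | classify_capture 203.0.113.10

VIP="203.0.113.10"   # placeholder virtual IP (assumption, not from the thread)

# classify_capture <vip>   reads tcpdump lines from stdin, prints one verdict
classify_capture() {
  vip="$1"
  arp=0; req=0; rep=0
  while IFS= read -r line; do
    case "$line" in
      *"ARP, Request who-has $vip"*)        arp=$((arp + 1)) ;;
      *"> $vip: ICMP echo request"*)        req=$((req + 1)) ;;
      *"IP $vip > "*"ICMP echo reply"*)     rep=$((rep + 1)) ;;
    esac
  done
  if [ "$req" -eq 0 ]; then
    echo "no-echo-request"
  elif [ "$rep" -eq 0 ]; then
    echo "request-no-reply"
  else
    echo "ok"
  fi
}

# Constructed sample captures (tcpdump -n style output, not real traffic).
# Sample 1: what the original poster saw - ARP for the VIP only, no ICMP.
SAMPLE_ARP_ONLY='12:00:01.000001 ARP, Request who-has 203.0.113.10 tell 203.0.113.20, length 46
12:00:01.000210 ARP, Reply 203.0.113.10 is-at 00:00:5e:00:01:01, length 28'

# Sample 2: frames are delivered but the firewall never answers.
SAMPLE_REQ_ONLY='12:00:02.000001 IP 203.0.113.20 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
12:00:03.000001 IP 203.0.113.20 > 203.0.113.10: ICMP echo request, id 7, seq 2, length 64'

# Sample 3: healthy exchange.
SAMPLE_OK='12:00:04.000001 IP 203.0.113.20 > 203.0.113.10: ICMP echo request, id 8, seq 1, length 64
12:00:04.000350 IP 203.0.113.10 > 203.0.113.20: ICMP echo reply, id 8, seq 1, length 64'

# Run the classifier over each constructed sample when executed directly.
for s in "$SAMPLE_ARP_ONLY" "$SAMPLE_REQ_ONLY" "$SAMPLE_OK"; do
  printf '%s\n' "$s" | classify_capture "$VIP"
done
```

The `no-echo-request` verdict is the one the thread ends up with: the VIP is fine, the frames simply never reach the guest's NIC, so the fix lives in the ESXi port-group security settings or, as the last post found, in disabling SR-IOV on the host's physical NIC.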
