Author Topic: 3rd interface not failing back...  (Read 28751 times)

jakehathaway
Re: 3rd interface not failing back...
« Reply #15 on: July 11, 2007, 03:28:07 pm »
We are now on duplicate equipment as the other side. Foundry Super X. This did not solve the issue.

sullrich
Re: 3rd interface not failing back...
« Reply #16 on: July 11, 2007, 03:56:59 pm »
The equipment is not forwarding or blocking the CARP-specific traffic. Use tcpdump to monitor each machine to see if it is receiving the broadcast traffic. I bet the switch is the culprit.

jakehathaway
Re: 3rd interface not failing back...
« Reply #17 on: July 11, 2007, 05:50:39 pm »
As you can see, I did this already and the machines are seeing the CARP traffic without any issue.

tcpdump -i xl0 -ttt -n proto CARP
Here is the output of my tcpdump:
709630 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
293069 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 002309 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
487570 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
514636 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 001317 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
267018 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
734179 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 001057 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
047719 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
953636 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
829337 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
171683 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 001111 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
610157 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
391038 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 234670 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
157247 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
1. 039601 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36

The 151 is the master machine, the 251 is the machine on the other side of the QMOE link that is the other firewall pfSense box. You can see the vrid is different, so that shouldn't affect it.

1) Misconfiguration: password, VHID or advskew problems, check it again.

Checked this, it is correct.

2) Another device using VRRPv2 is using a VHID you are using, check your network devices or change VHID

Obviously it is connected to the pfSense on the other side of the QMOE, but not sure if vrid is same as vhid, but I manually checked in the GUI for the config of both sides of QMOE and the vhid is different.

3) You don't see master's packets on the slave node when doing the tcpdump (so the slave node has one or more interface in master mode). You have a communication error between the two machines. Check the switches, the cables. Or look at problem 4 ;-)

I see the master packets, see above tcpdump.

4) You have a NAT rule, natting everything from a source network to a single IP address which IS NOT the interface address and which is in ANOTHER subnet. Should happen on WAN iface most of the time.

Still checking this. But not sure what that would affect. Will post follow-up in a bit.

thx for the help with this.
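
The two checks discussed in the post above (is any VHID advertised by more than one host, and do a sender's advertisements arrive at the rate its settings imply), as an added example that is not part of the original thread. tcpdump decodes CARP as VRRPv2, so its vrid field is the CARP VHID, prio is advskew and intvl is advbase; the 3x-gap threshold used for flagging is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# First six lines of the capture posted above. This old tcpdump -ttt format prints
# the delta since the previous packet: "709630" is 0.709630 s, "1. 002309" is 1.002309 s.
SAMPLE = """\
709630 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
293069 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 002309 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
487570 IP 172.16.20.152 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 200, authtype none, intvl 1s, length 36
514636 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
1. 001317 IP 172.16.20.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
"""
LINE = re.compile(r"^(?:(\d+)\.\s*)?(\d{1,6}) IP (\S+) > 224\.0\.0\.18: VRRPv2, "
                  r"Advertisement, vrid (\d+), prio (\d+), .*intvl (\d+)s")

def parse(text):
    now = 0.0  # running clock rebuilt from the deltas; non-matching lines are skipped
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            secs, usecs, src, vrid, prio, intvl = m.groups()
            now += int(secs or 0) + int(usecs) / 1e6
            yield now, src, int(vrid), int(prio), int(intvl)

def summarize(text):
    """Per (src, vhid): packet count, worst observed gap, gap CARP should produce."""
    times, expected = defaultdict(list), {}
    for t, src, vhid, skew, base in parse(text):
        times[(src, vhid)].append(t)
        expected[(src, vhid)] = base + skew / 256   # advbase + advskew/256 seconds
    return {k: {"count": len(ts), "expected_gap": round(expected[k], 3),
                "max_gap": round(max((b - a for a, b in zip(ts, ts[1:])), default=0.0), 3)}
            for k, ts in times.items()}

def findings(text):
    """Flag a VHID sent by several hosts, and gaps over 3x expected (heuristic)."""
    report, out = summarize(text), []
    for vhid in sorted({v for _, v in report}):
        srcs = sorted(s for s, v in report if v == vhid)
        if len(srcs) > 1:
            out.append(f"vhid {vhid} advertised by {srcs}")
    for (src, vhid), r in sorted(report.items()):
        if r["max_gap"] > 3 * r["expected_gap"]:
            out.append(f"{src} vhid {vhid}: gap {r['max_gap']}s")
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE), findings(SAMPLE))
```

On the posted lines, both senders advertise at the rate their own skew implies and no VHID is shared, which matches the poster's reading that the capture on this interface shows both sets of advertisements arriving.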

sullrich
Re: 3rd interface not failing back...
« Reply #18 on: July 11, 2007, 08:54:22 pm »
Well then about the only thing I can think of is the NICs in the machine.

BTW: I have major problems with Broadcom NICs + CARP at work. It is a driver issue of some sort.

jakehathaway
Re: 3rd interface not failing back...
« Reply #19 on: July 16, 2007, 11:38:01 am »
So I have completely bypassed routing on the pf box since it isn't working. It works until it gets into the following state (see attached pics).

smilodon
Re: 3rd interface not failing back...
« Reply #20 on: July 20, 2008, 04:08:35 pm »
I've seen this one before... sorry to say that I'm a noob and just figuring out my own probs at:
http://forum.pfsense.org/index.php/topic,10458.0.html

In my configuration... it happened when the CARP suddenly "worked" after I sorted out some bugs... then again it didn't work. It was when the SYNC interfaces were on 10Mb/s old NICs. And the LAN VIP became master on Backup, WAN and WAN2 were left Master at the Master box. And then when I went to 100/10 NICs the backup took all the VIPs as master... so it might be something different than your prob.

One question... how would I bypass the "broadcast" thing if it really is the switch or NIC's bad appetite for not eating broadcast packets?