On Wed, 12 Feb 2014 20:26:32 +0100, Laurent CARON
<[email protected]> wrote:
> On Tue, Feb 11, 2014 at 10:17:46PM +0000, andy wrote:
>> Hi,
>> 
>> You should be able to ping the CARP IP addresses from any host (including
>> the master), so something is wrong here.
>> 
>> This can sometimes be due to a routing problem.
>> 
>> Your routing table should look similar to;
>> 
>> 10.0.0.1     10.0.0.1     UH         0        4     -     4 carp0
>> 10.0.0.2     127.0.0.1          UGHS       0        2 33144     8 lo0  
>> 10.0.0.2/32  10.0.0.2     U          0        0     -     4 carp0
>> 10.0.0.3     127.0.0.1          UGHS       0        2 33144     8 lo0  
>> 10.0.0.3/32  10.0.0.3     U          0        0     -     4 carp0
>> 
>> Here 10.0.0.1 is the primary IP, and 10.0.0.2 and 10.0.0.3 are secondary
>> carp IPs.
>> 
>> Your /etc/hostname.carp file should look like;
>> 
>> inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass carpsecurehashpasswd
>> advbase 1 advskew 0
>> inet alias 10.0.0.2 255.255.255.255
>> inet alias 10.0.0.3 255.255.255.255
>> 
>> Notice the secondary IPs have a /32 subnet (which is correct despite the
>> spurious errors in dmesg during carp fail-overs).
>> 
>> It is having the /32 subnet on the secondaries which causes the creation
>> of the additional route entry to lo0.
>> 
>> What do your routing table and carp look like?
> 
> 
> Hi Andy,
> 
> My routing table looks like this:
> 
> $ netstat -rn | grep '^46.21.116.5'
> 46.21.116.5        46.21.116.5        UH         0       15     -     4 carp116
> 
> $ netstat -rn | grep '^213.215.29'
> 213.215.29.254     213.215.29.254     UH         0        0     -     4 carp0
> 
> Please note carp0 is fine WRT icmp-echo.

From what you have sent I guess you are talking about trying to ping the
primary IP address on carp116 from the carp master itself.

If you run 'ping 46.21.116.5' I'm guessing you see the count (15 above) on
the route increase, even if you don't see the echo reply?

When pinging the carp address on my master firewall from self
(successfully) and running 'tcpdump -netti carp0' or 'tcpdump -netti lo0' I
don't see any matches interestingly. So I guess this means the reply is
coming from somewhere else.

Do you see anything with 'tcpdump -netti pflog0 icmp' when you run the
ping?

Andy.
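
The routing-table layout andy describes in the quoted message can be checked mechanically against `netstat -rn` output. The script below is an added example, not part of the thread; the names `carp_route_check` and `sample_table` and the status labels are hypothetical, and the sample table is the one from the quoted message.

```shell
#!/bin/sh
# Added example, not from the thread. Names and status labels are hypothetical.

# Constructed sample: the routing table quoted in andy's message.
sample_table() {
cat <<'EOF'
10.0.0.1     10.0.0.1     UH         0        4     -     4 carp0
10.0.0.2     127.0.0.1    UGHS       0        2 33144     8 lo0
10.0.0.2/32  10.0.0.2     U          0        0     -     4 carp0
10.0.0.3     127.0.0.1    UGHS       0        2 33144     8 lo0
10.0.0.3/32  10.0.0.3     U          0        0     -     4 carp0
EOF
}

# carp_route_check IFACE ADDR...
# Reads `netstat -rn` text on stdin and prints "<addr> <status>" per address:
#   primary       host route (H flag, gateway == destination) on IFACE
#   alias-ok      /32 route on IFACE plus a host route via 127.0.0.1 on lo0
#   alias-no-lo0  /32 route on IFACE but no lo0 host route
#   missing       no matching route at all
carp_route_check() {
    iface=$1
    shift
    awk -v iface="$iface" -v addrs="$*" '
        BEGIN { n = split(addrs, want, " ") }
        # Columns: Destination Gateway Flags Refs Use Mtu Prio Iface
        NF >= 8 {
            dst = $1; gw = $2; flags = $3; ifc = $NF
            if (ifc == iface && dst == gw && flags ~ /H/) host[dst] = 1
            if (ifc == "lo0" && gw == "127.0.0.1" && flags ~ /H/) lo[dst] = 1
            if (ifc == iface && dst ~ /\/32$/) {
                sub(/\/32$/, "", dst)
                net32[dst] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                a = want[i]
                if (a in host) s = "primary"
                else if ((a in net32) && (a in lo)) s = "alias-ok"
                else if (a in net32) s = "alias-no-lo0"
                else s = "missing"
                print a, s
            }
        }'
}

sample_table | carp_route_check carp0 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4
```

On a live firewall the same function takes `netstat -rn` on stdin, for example `netstat -rn | carp_route_check carp116 46.21.116.5`.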
