Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Mon, Apr 18, 2011 at 10:32 AM, Adam Thompson athom...@athompso.net wrote:
> From: Vinicius Coque [mailto:vco...@gmail.com]
> Sent: Monday, April 18, 2011 08:01
>
>> On Sun, Apr 17, 2011 at 11:49 PM, Chris Buechler cbuech...@gmail.com wrote:
>>> On Sun, Apr 17, 2011 at 10:25 PM, Vinicius Coque vco...@gmail.com wrote:
>>>> Now I understand the problem. I'll keep track of the bug on redmine.
>>>
>>> I would definitely check the problem on the switch too as in a CARP setup it shouldn't have problems with MACs that switch between ports quickly. That bug in and of itself isn't the problem, the nature of CARP means that switch issue will potentially cause other issues for you in the future.
>>
>> My client really needs the cluster working, so I have to find a solution for that. Now you gave me more information about the problem, I'll check the switch and the CARP setup and see what I can get. If something works for me I'll inform you.
>
> Can you tell us what model of switch(es) is(are) involved here? There are some specific configurations that can cause issues, others on the list may be able to make suggestions.
>
> -Adam Thompson
> athom...@athompso.net

Hi Adam

We are using two switches HP E5500-24G

--
Vinícius Coque

- To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Fri, Apr 15, 2011 at 7:31 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Fri, Apr 15, 2011 at 4:14 PM, Vinicius Coque vco...@gmail.com wrote:
>>> What does the CARP status show, and what do the logs show for CARP?
>>
>> CARP Status
>>
>> pfSense master: vip1 172.16.0.39 MASTER
>> pfSense backup: vip1 172.16.0.39 BACKUP
>>
>> System logs:
>>
>> pfSense master:
>> Apr 15 17:08:08 utm-teste1 syslogd: kernel boot file is /boot/kernel/kernel
>> Apr 15 20:08:32 utm-teste1 check_reload_status: syncing firewall
>> Apr 15 17:08:32 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
>> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
>> Apr 15 17:08:33 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
>> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
>> Apr 15 17:08:35 utm-teste1 php: : Filter sync successfully completed with https://10.10.0.2:5081.
>>
>> pfSense backup:
>> Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel
>> Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall
>> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN
>> Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT - MASTER (preempting)
>> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP
>> Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER - BACKUP (more frequent advertisement received)
>
> That looks like a consequence of:
> http://redmine.pfsense.org/issues/1433
> plus something on your switch(es). The MAC will move in the switch's CAM table from the primary's port to the secondary's when the secondary switches from master to backup even though it's for a fraction of a second, but should immediately move back on the switch when the master picks back up. There's something on the switch that isn't behaving correctly for MACs that quickly change ports, which is ultimately the actual problem, though that CARP switch shouldn't happen during a config change which exacerbates the issue.

Now I understand the problem. I'll keep track of the bug on redmine.

Thanks for helping Chris.

--
Vinícius Coque
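The brief MASTER episode on the backup node that Chris points to can be picked out of syslog automatically. The following is an added example, not part of the original thread: the function name, the 2-second threshold and the default year are assumptions, and the sample lines are the backup node's log as quoted above.

```python
import re
from datetime import datetime, timedelta

# Backup-node log lines as quoted in the thread above.
SAMPLE_LOG = """\
Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel
Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall
Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN
Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT - MASTER (preempting)
Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP
Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER - BACKUP (more frequent advertisement received)
"""

# "<ts> <host> kernel: <vip>: <OLD> - <NEW> (<reason>)". The separator is matched
# loosely so that both "-" (as printed on this page) and "->" are accepted.
TRANSITION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<vip>\S+): "
    r"(?P<old>INIT|BACKUP|MASTER)\s*-+>?\s*(?P<new>INIT|BACKUP|MASTER)\b"
    r"(?:\s*\((?P<reason>[^)]*)\))?"
)


def transient_masters(log_text, max_hold=timedelta(seconds=2), year=2011):
    """Return (host, vip, held, exit_reason) for every MASTER episode that
    fell back to BACKUP within max_hold (hypothetical helper, assumed threshold)."""
    entered = {}  # (host, vip) -> time the node last became MASTER
    flaps = []
    for line in log_text.splitlines():
        m = TRANSITION.match(line)
        if not m:
            continue  # not a CARP state transition
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["vip"])
        if m["new"] == "MASTER":
            entered[key] = ts
        elif m["old"] == "MASTER" and key in entered:
            held = ts - entered.pop(key)
            if timedelta(0) <= held <= max_hold:
                flaps.append((*key, held, m["reason"] or ""))
    return flaps


if __name__ == "__main__":
    for host, vip, held, reason in transient_masters(SAMPLE_LOG):
        print(f"{host} {vip}: MASTER for {held.total_seconds():.0f}s, left because: {reason}")
```

Each hit is a moment at which the VIP's MAC address moved to the backup's switch port and back, which is the time window to compare against the switch's own MAC-move or port-security logs.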
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
> Some kind of routing issue it seems. Check the routing table on the firewall when it doesn't work and verify it.

Hi Chris

I don't think it is a routing issue because I can access the VIP and the pfSense LAN IP from other subnets. When I change some configuration on the cluster, just the VIP goes down, while the LAN IPs of the pfSense boxes (10.10.0.2 and 10.10.0.3) are still available.

--
Vinícius Coque
[pfSense-discussion] VPN IPSEC
Hi

I have an IPSEC tunnel configured to connect the network 170.60.x.x, on side A, with network 189.19.x.x on side B.

LAN           Server A      INTERNET      Server B
10.0.0.0/8    189.19.x.x                  170.60.x.x

The tunnel connection is established and the traffic between the servers goes through the tunnel with no problems. The problem is when the traffic comes from the LAN. Since the tunnel network is configured to my WAN address range, the SPD table doesn't have my LAN network 10.0.0.0/8 configured, so traffic from the LAN to 170.60.x.x goes through the WAN interface instead of enc0.

I know that it is possible to do it using NAT on the enc0 interface, but I tried to configure this many ways without success.

Does anybody know how to make it work on pfSense, or whether it is possible to do?

--
Vinícius Coque