Project

General

Profile

Actions
Copy link

Regression #14026

closed

HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address

Added by Christopher Cope over 2 years ago. Updated 8 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
CARP
Target version:
2.8.0
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
24.11
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

This was brought up by a customer and I am able to reproduce it.

Master 10.41.1.252
Backup 10.40.1.253
CARP 10.40.1.254

10.40.1.253 is unable to ping 10.40.1.254 on 23.01, but is able to on a 22.05 install.

When pinging 10.40.1.253 > 10.40.1.254 and using packet capture it shows packets reaching 10.41.1.252 and replies making it back to 10.41.1.253, but ping never sees the response. There are no blocked entries in the firewall logs.

Related issues

Related to Feature #11369: add Enabling IPv6 Source Address Validation supportResolved02/04/2021

Actions
Has duplicate Bug #14798: can't ping VIP addresses from the secondary nodeDuplicate

Actions
Actions
Copy link
 #2

Updated by Marcos M almost 2 years ago

For reference:
This is due to source validation which is now being enabled by default. To return the previous behavior, set net.inet.ip.source_address_validation and net.inet6.ip6.source_address_validation to 0.

ref: IPv4 commit , IPv6 commit

Actions
Copy link
 #3

Updated by Marcos M almost 2 years ago

  • Related to Feature #11369: add Enabling IPv6 Source Address Validation support added
Actions
Copy link
 #4

Updated by Jim Pingle over 1 year ago

  • Has duplicate Bug #14798: can't ping VIP addresses from the secondary node added
Actions
Copy link
 #5

Updated by Jim Pingle over 1 year ago

  • Subject changed from CARP backup is unable to ping master via CARP IP. to CARP backup node is unable to ping master node CARP VIP address
Actions
Copy link
 #6

Updated by Steven Brown 10 months ago

I have also experienced this bug in 2.7.2.

For reference, I found this bug report in FreeBSD, with a proposed patch that should be merging in upstream.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

Actions
Copy link
 #7

Updated by Mike Moore 10 months ago

Marcos - similar to IPsec VTI and the strict policy, should we carve out an exception for this?

Actions
Copy link
 #8

Updated by Marcos M 10 months ago

  • Status changed from New to Resolved
  • Target version set to 2.8.0
  • Plus Target Version set to 24.08

The upcoming pfSense software release includes the upstream patch and the ping works as expected there.

Actions
Copy link
 #9

Updated by Jim Pingle 10 months ago

The fix seems to work for IPv4 but not IPv6. With IPv6 the secondary still can't ping the CARP VIP, both for GUA and LL type addresses. Though setting net.inet6.ip6.source_address_validation=0 doesn't help there either so maybe there is something else going on.

Actions
Copy link
 #10

Updated by Jim Pingle 8 months ago

  • Subject changed from CARP backup node is unable to ping master node CARP VIP address to HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address
Actions
Copy link
 #11

Updated by Jim Pingle 8 months ago

  • Plus Target Version changed from 24.08 to 24.11
Actions
Copy link

Also available in: Atom PDF