Regression #14026: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Regression #14026

closed

HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address

Added by Christopher Cope over 1 year ago. Updated about 1 month ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

CARP

Target version:

2.8.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

24.11

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

This was brought up by a customer and I am able to reproduce it.

Master 10.41.1.252
Backup 10.40.1.253
CARP 10.40.1.254

10.40.1.253 is unable to ping 10.40.1.254 on 23.01, but is able to on a 22.05 install.

When pinging 10.40.1.253 > 10.40.1.254 and using packet capture it shows packets reaching 10.41.1.252 and replies making it back to 10.41.1.253, but ping never sees the response. There are no blocked entries in the firewall logs.

Related issues

Related to Feature #11369: add Enabling IPv6 Source Address Validation support

Resolved

02/04/2021

Actions

Has duplicate Bug #14798: can't ping VIP addresses from the secondary node

Duplicate

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Jonathan Lee over 1 year ago

https://forum.netgate.com/topic/181163/strange-carp-behavioral-change-bug-in-ha-setup-after-upgrade-from-2-6-0-to-2-7-0/13

Have you seen this post others are having this issue too.

Actions

Copy link

Updated by Marcos M over 1 year ago

For reference:
This is due to source validation which is now being enabled by default. To return the previous behavior, set net.inet.ip.source_address_validation and net.inet6.ip6.source_address_validation to 0.

ref: IPv4 commit , IPv6 commit

Actions

Copy link

Updated by Marcos M over 1 year ago

Related to Feature #11369: add Enabling IPv6 Source Address Validation support added

Actions

Copy link

Updated by Jim Pingle about 1 year ago

Has duplicate Bug #14798: can't ping VIP addresses from the secondary node added

Actions

Copy link

Updated by Jim Pingle about 1 year ago

Subject changed from CARP backup is unable to ping master via CARP IP. to CARP backup node is unable to ping master node CARP VIP address

Actions

Copy link

Updated by Steven Brown 4 months ago

I have also experienced this bug in 2.7.2.

For reference, I found this bug report in FreeBSD, with a proposed patch that should be merging in upstream.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

Actions

Copy link

Updated by Mike Moore 4 months ago

Marcos - similar to IPsec VTI and the strict policy, should we carve out an exception for this?

Actions

Copy link

Updated by Marcos M 4 months ago

Status changed from New to Resolved
Target version set to 2.8.0
Plus Target Version set to 24.08

The upcoming pfSense software release includes the upstream patch and the ping works as expected there.

Actions

Copy link

Updated by Jim Pingle 4 months ago

The fix seems to work for IPv4 but not IPv6. With IPv6 the secondary still can't ping the CARP VIP, both for GUA and LL type addresses. Though setting net.inet6.ip6.source_address_validation=0 doesn't help there either so maybe there is something else going on.

Actions

Copy link

#10

Updated by Jim Pingle about 2 months ago

Subject changed from CARP backup node is unable to ping master node CARP VIP address to HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address

Actions

Copy link

#11

Updated by Jim Pingle about 1 month ago

Plus Target Version changed from 24.08 to 24.11

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Regression #14026

HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address

Updated by Jonathan Lee over 1 year ago

Updated by Marcos M over 1 year ago

Updated by Marcos M over 1 year ago

Updated by Jim Pingle about 1 year ago

Updated by Jim Pingle about 1 year ago

Updated by Steven Brown 4 months ago

Updated by Mike Moore 4 months ago

Updated by Marcos M 4 months ago

Updated by Jim Pingle 4 months ago

Updated by Jim Pingle about 2 months ago

Updated by Jim Pingle about 1 month ago