I've got a Cisco ASA[0] with a pair of Linux boxes in the DMZ running Keepalived and HAProxy acting as a load-balancing failover pair for another pair of Windows servers, also in the DMZ. I'm convinced Keepalived is working properly. I can successfully ping the virtual address (10.0.1.8) from another host in the DMZ; when I stop Keepalived on the master (10.0.1.6) a few pings fail before the backup (10.0.1.7) takes over the virtual address. A similar few failures happen when I restart Keepalived on the master. This other host can see web pages hosted on the two Windows servers via HAProxy when either the primary or the secondary is active.
The virtual IP address has a static NAT mapping to an external address (say, 1.2.3.8). When I try a similar test from outside the firewall, pings to 1.2.3.8 only work when the primary is active - when I stop the Keepalived service on the primary, pings from outside the firewall fail while pings from inside the DMZ succeed.
I can see that the MAC address entry for the virtual IP address changes when I stop and restart Keepalived on the primary, so the ASA seems to know when the primary and secondary are active. It appears to refuse to NAT the inbound traffic when the secondary is active, though. My best guess is that the ASA is attempting to prevent the address from being spoofed, but in this case I'd really like the ASA to allow it. I can't figure out how to accomplish this (or where to start, really). Any suggestions?
[0] - It's actually a pair of them in a failover configuration, but I don't think that's relevant.
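For readers reproducing the setup above, here is an added example (not the asker's own configuration) of the Keepalived pair as described, with the MASTER's gratuitous-ARP behaviour made explicit so that the ASA's ARP entry for 10.0.1.8 is refreshed promptly after a transition; the interface name, router id, password and notify script path are assumptions.

```conf
# Assumed /etc/keepalived/keepalived.conf on the MASTER (10.0.1.6); the BACKUP
# (10.0.1.7) differs only in "state BACKUP" and a lower priority.
global_defs {
    # Re-announce the VIP's new MAC after a transition so that upstream
    # devices (here the ASA doing the static NAT) learn it quickly.
    vrrp_garp_master_delay 1      # seconds after becoming MASTER before the GARP burst
    vrrp_garp_master_repeat 5     # number of gratuitous ARPs sent in that burst
    vrrp_garp_master_refresh 10   # keep re-sending GARPs every 10 s while MASTER
}

vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"   # fail over if HAProxy is not running
    interval 2
    weight -20
}

vrrp_instance VI_DMZ {
    state MASTER
    interface eth0               # assumed DMZ interface name
    virtual_router_id 51         # assumed; must match on both nodes
    priority 150                 # BACKUP uses a lower value, e.g. 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGEME       # placeholder, not a real secret
    }
    virtual_ipaddress {
        10.0.1.8/24 dev eth0     # the VIP the ASA statically NATs to 1.2.3.8
    }
    track_script {
        chk_haproxy
    }
    # Hypothetical notify script: log MASTER/BACKUP transitions with timestamps
    # so the lost pings during failover can be correlated with what the ASA
    # shows at the same moment.
    notify "/usr/local/sbin/keepalived-notify.sh"
}
```

While flipping the pair, compare the ASA's view with `show arp` and `show xlate` on the firewall to see whether the entry for 10.0.1.8 and its translation state change at the same time the logged transition happens.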