The pertinent mangle rules on the primary router (RB493) are as such:
[admin@router] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark=pcicomp passthrough=no
     protocol=tcp src-address=10.0.0.134 <-------------- Not part of the policy for http, something different for PCI compliance
 1   chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
     protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22
     dst-address-list=!Public-IP-Block dst-port=80
 2   chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
     protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22
     dst-address-list=!Public-IP-Block dst-port=443

And the outbound routes:

[admin@router-Main] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADS  dst-address=0.0.0.0/0 gateway=x.x.x.1
        gateway-status=x.x.x.1 reachable via ether1 distance=0
        scope=30 target-scope=10 vrf-interface=ether1
 1   S  dst-address=0.0.0.0/0 gateway=10.0.2.250
        gateway-status=10.0.2.250 inactive distance=1 scope=30
        target-scope=10 routing-mark=HTTP
 2 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=ether2
        gateway-status=ether2 reachable distance=0 scope=10
<output cut>
 8 ADC  dst-address=10.0.2.248/30 pref-src=10.0.2.249 gateway=ether3
        gateway-status=ether3 reachable distance=0 scope=10

And then the routes from the RB433 handling the 80/443 traffic:

[admin@router-web] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADS  dst-address=0.0.0.0/0 gateway=x.x.x.1
        gateway-status=x.x.x.1 reachable via ether1 distance=0
        scope=30 target-scope=10 vrf-interface=ether1
 1 A S  dst-address=10.0.0.0/24 gateway=10.0.2.249
        gateway-status=10.0.2.249 reachable via ether2 distance=1 scope=30
        target-scope=10
 2 ADC  dst-address=10.0.2.248/30 pref-src=10.0.2.250 gateway=ether2
        gateway-status=ether2 reachable distance=0 scope=10

I can ping between the two, the mangle rule counters are going up, and before the upgrade this was all configured exactly the same (the RB493 was at 5.11, the RB433 was at 5.9, I think), and all web traffic was routing properly. Any ideas what is wrong here? I see that the gateway-status for the route from the RB493 to the RB433 is inactive, although not unreachable, and if it's just that route that is misconfigured, any help would be greatly appreciated.
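As an added illustration (not part of the original post), this small Python model replays the first-match mangle rules and the per-routing-mark route lookup shown above: while the routing-mark=HTTP route is inactive, marked flows fall through to the main table and leave via the x.x.x.1 default, which is consistent with the mangle counters rising yet no traffic reaching the RB433. The Public-IP-Block membership and the sample addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Address list named in the post; its members are not shown, so this is a constructed stand-in.
ADDRESS_LISTS = {"Public-IP-Block": [ip_network("198.51.100.0/24")]}

# Mangle rules transcribed from the RB493 output (passthrough=no, so the first match wins).
# Fields: src-address, dst-address, dst-address-list, dst-port (None = any), new-routing-mark.
MANGLE = [
    ("10.0.0.134/32", None, None, None, "pcicomp"),
    ("10.0.0.0/24", "!10.0.0.0/22", "!Public-IP-Block", 80, "HTTP"),
    ("10.0.0.0/24", "!10.0.0.0/22", "!Public-IP-Block", 443, "HTTP"),
]

# Routes transcribed from the router-Main output: (dst-address, gateway, routing-mark, active).
ROUTES = [
    ("0.0.0.0/0", "x.x.x.1", None, True),
    ("0.0.0.0/0", "10.0.2.250", "HTTP", False),  # gateway-status=inactive in the post
    ("10.0.0.0/24", "ether2", None, True),
    ("10.0.2.248/30", "ether3", None, True),
]

def _matches(addr, spec):
    """Evaluate a dst-address or dst-address-list matcher, honouring a leading '!'."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    nets = ADDRESS_LISTS.get(name) or [ip_network(name)]
    return any(addr in n for n in nets) != negate

def routing_mark(src, dst, dport):
    """Routing mark the prerouting mangle chain assigns to a TCP flow, or None."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_spec, dst_list, port, mark in MANGLE:
        if (s in ip_network(src_net)
                and (dst_spec is None or _matches(d, dst_spec))
                and (dst_list is None or _matches(d, dst_list))
                and (port is None or dport == port)):
            return mark  # passthrough=no: stop at the first matching rule
    return None

def select_gateway(dst, mark, routes=ROUTES):
    """Longest-prefix match over active routes: the marked table first, then main.
    RouterOS falls through to the main table when the marked table has no usable route."""
    d = ip_address(dst)
    for table in ((mark, None) if mark else (None,)):
        hits = [(ip_network(n), gw) for n, gw, m, active in routes
                if active and m == table and d in ip_network(n)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None
```

Re-running select_gateway with the HTTP route marked active returns 10.0.2.250 instead, which is the path the author expects the marked traffic to take.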