keepalived no route to host, firewall issue?
2 votes, 2 answers, 2527 views
I have a simple two server config of keepalived. The master/backup selection is working fine but I can't connect to the VIP from the backup server. When I try connecting, on the master I can see ARP requests from the backup server and responses from the master; on the backup server I only see the requests (i.e., I don't see the ARP responses from the master).
Master keepalived.conf:
vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}
vrrp_instance haproxy-vip {
    state MASTER
    priority 101
    interface eth0
    virtual_router_id 47
    advert_int 3
    unicast_src_ip 192.168.122.4
    unicast_peer {
        192.168.122.9
    }
    virtual_ipaddress {
        192.168.122.250
    }
    track_script {
        haproxy-check weight 20
    }
}
Backup keepalived.conf:
vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}
vrrp_instance haproxy-vip {
    state BACKUP
    priority 99
    interface eth0
    virtual_router_id 47
    advert_int 3
    unicast_src_ip 192.168.122.9
    unicast_peer {
        192.168.122.4
    }
    virtual_ipaddress {
        192.168.122.250
    }
    track_script {
        haproxy-check weight 20
    }
}
ip addr on master:
2: eth0: mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:9e:e8:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.4/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 55567sec preferred_lft 55567sec
    inet 192.168.122.250/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::571a:df5f:930c:2b57/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
And on backup:
2: eth0: mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:2e:59:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.9/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 79982sec preferred_lft 79982sec
    inet6 fe80::f816:3eff:fe2e:593d/64 scope link
       valid_lft forever preferred_lft forever
tcpdump from master:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:06.299398 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:06.299435 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:07.298939 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:07.298985 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:08.300920 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:08.300954 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:09.303039 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:09.303062 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
And from the backup:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:39.430367 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:40.431810 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:41.433847 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:42.435979 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:43.437814 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
I don't believe it's a firewall issue (iptables -L | grep -i arp doesn't show anything). Is there a kernel setting that could be causing an issue? Any suggestions for debugging?
OS is CentOS 7, keepalived is 2.1.5.
Asked by user693861
(131 rep)
Jul 28, 2020, 03:51 PM
Last activity: Apr 27, 2025, 11:02 PM
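The comparison the question makes by eye between the two captures can be scripted. This is an added example, not part of the original post: it parses `tcpdump -nn` ARP output from both hosts and reports whether replies sent by the responder never showed up at the requester. The function names are hypothetical, and because the two captures in the question were taken at different times, the hosts are compared by per-capture counts rather than by matching timestamps across them.

```python
import re

# Matches the ARP lines that `tcpdump -nni eth0 arp` prints in the question.
ARP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, "
    r"(?:Request who-has (?P<target>\S+) tell \S+?"
    r"|Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})),")

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def arp_summary(capture, window=1.0):
    """Per target IP: requests seen, requests answered within `window` s, reply MACs."""
    requests, replies = [], []
    for line in capture.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # banner lines, shell prompt, anything that is not ARP
        if m["target"]:
            requests.append((to_seconds(m["ts"]), m["target"]))
        else:
            replies.append((to_seconds(m["ts"]), m["ip"], m["mac"]))
    summary = {}
    for t, ip in requests:
        entry = summary.setdefault(ip, {"requests": 0, "answered": 0, "macs": set()})
        entry["requests"] += 1
        hits = {mac for rt, rip, mac in replies if rip == ip and 0 <= rt - t <= window}
        entry["answered"] += bool(hits)
        entry["macs"] |= hits
    return summary

def reply_lost_in_transit(responder_capture, requester_capture, vip):
    """True when the responder answered for `vip` but the requester saw no reply."""
    sent = arp_summary(responder_capture).get(vip, {"answered": 0})["answered"]
    seen = arp_summary(requester_capture).get(vip, {"answered": 0})["answered"]
    return sent > 0 and seen == 0

# Sample input: the first lines of each capture in the question.
MASTER = """\
11:44:06.299398 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:06.299435 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:07.298939 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:07.298985 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
"""
BACKUP = """\
11:44:39.430367 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:40.431810 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
"""
```

A `True` result from `reply_lost_in_transit(MASTER, BACKUP, "192.168.122.250")` says the reply leaves the master's interface and is dropped before the backup's capture point, which narrows the search to whatever sits between the two interfaces rather than the master's ARP handling.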