• HA between physical and vm

    4
    0 Votes
    4 Posts
    674 Views
    S
    @moosport said in HA between physical and vm: "Does need to be identical NIC or if identical NIC chipset will suffice" It has to use the same driver. Otherwise CARP will work for failover but firewall states won't sync so connections will drop. There is a discussion in that area of the book about using LAGG groups across different hardware, but LAGGs have other downsides like not working with traffic shaping.
  • High Availability on aws

    1
    0 Votes
    1 Posts
    246 Views
    No one has replied
  • HA: Slow web interface on backup node

    3
    0 Votes
    3 Posts
    684 Views
    1
    Thanks for your reply! We are using multiple VLANs and the access of the Firewall was only allowed via their management VLAN. As soon as I created a rule to allow access via the IP of the Interface of the VLAN I'm connected to it worked fine.
  • Sync slave to master

    3
    0 Votes
    3 Posts
    696 Views
    H
    I have faced this same issue. Please check if Sync account has Effective Privileges; System - HA node sync. It worked in my case.
  • CARP broken after upgrading pfsense to 2.4.5-release (Please Help)

    4
    0 Votes
    4 Posts
    633 Views
    H
    The steps to resolve this issue...
      • Created Maintenance Interface class 3 address dhcp enabled on master (got sync with slave node)
      • Backup Full Configuration of Slave Node
      • unplug all interfaces (LAN, Wan, Sync)
      • Restored Slave config to Master node using maintenance interface
      • Changed all interface IP addresses of all wan, lan, vlan (Previous master node's Addresses)
      • Changed all virtual IP's Skew from 100 to 0
      • Changed all DHCP enabled Failover peer IP addresses
      • Reboot
      • Enter persistent carp maintenance mode
      • Plugged-in lan (Lagg) interface to check. Note: It worked and all carp interface status changed from INIT to Backup.
      • Plugged-in all cabled wan, sync
      • Master node's H.A enabled and configured. Note: sync wasn't working, not with admin account, maybe because I have changed sync password (for sync account). So changed Sync account password on both master and slave.
      • rebooted Master node and it worked.
      • Tested. All is Good now.
    I'm still not sure what went wrong while upgrading Master node whereas slave node worked perfectly after upgrade. Clean installation and restoring previous saved configuration has also failed. Anyways. Thank you very much pfSense and netgate team for making such a wonderful firewall and keeping it open source.
  • Slow connection using CARP interface

    10
    0 Votes
    10 Posts
    3k Views
    DerelictD
    Many times it is something like switch port security only allowing one MAC address per port or other similar things.
  • carp bug

    6
    0 Votes
    6 Posts
    821 Views
    RicoR
    Start the usual elimination process ;-) Try other vNICS, other hardware (best pfSense bare metal), try another Switch, and so on. -Rico
  • HA with a single public IP

    10
    0 Votes
    10 Posts
    1k Views
    Mr_JinXM
    @viragomann The outbound NAT is the same on both as it NATs to the VIP, and alias includes all the subnets of my LAN. Even with only allowing a single ping the secondary box is able to eventually do updates and whatnot, so issue resolved for now. Thank you
  • HA server redirect with / in

    1
    0 Votes
    1 Posts
    138 Views
    No one has replied
  • HA does not route traffic

    2
    0 Votes
    2 Posts
    332 Views
    Z
    Forgot to say that all NAT is set up correctly and I have looked over this forum for any way to fix it :) BR
  • Question about Security/Usage

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Transitioning to CARP on live system

    5
    0 Votes
    5 Posts
    632 Views
    C
    Yes, I think that makes the most sense. Change outbound NAT address from interface to CARP IP, then replace all primary IPs and create old primary as CARP VIP; apply all at once. Outage should be brief to none, then firewall B can be configured as backup.
  • LACP doesn't work reliably, "slow" PDU transmission rate suspected

    8
    0 Votes
    8 Posts
    3k Views
    S
    Ok thanks, raised a feature request: https://redmine.pfsense.org/issues/10504
  • Failover between 2 different geographic sites.

    3
    0 Votes
    3 Posts
    442 Views
    S
    Thank you very much! That works, I'm most grateful.
  • Do I need any NAT for use of LAN side CARP VIPs?

    3
    0 Votes
    3 Posts
    390 Views
    andrewKA
    Great. Thanks for the clarity.
  • CARP + Forticlient SSLVPN random disconnect

    2
    0 Votes
    2 Posts
    452 Views
    X
    I found the problem. I was using Hybrid NAT. After switching to Manual NAT and set all NAT Address to "CARP VIP" the problem is solved.
    ==============
    Update: Still not working... Getting Random Disconnect again...
    Update 2: If I Enable CARP Maintenance Mode, connect Fortinet SSLVPN, and disable CARP Maintenance Mode, the VPN will stay stable and no drop of connection.
  • Multiple subnets over the same VLAN interface

    16
    0 Votes
    16 Posts
    2k Views
    DerelictD
    How about a specific source IP address please?
  • 0 Votes
    1 Posts
    279 Views
    No one has replied
  • CARP + Bridged interfaces?

    1
    0 Votes
    1 Posts
    180 Views
    No one has replied
  • HA with single WAN IP, hard to find solid info

    4
    0 Votes
    4 Posts
    2k Views
    S
    Any way you would consider making a video tutorial of how you got this to work? Trying to achieve the same thing but video guide exists for those of us with a single dynamically assigned IP address
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.