• Slow connection using CARP interface

    10
    0 Votes
    10 Posts
    2k Views
    DerelictD

    Many times it is something like switch port security only allowing one MAC address per port or other similar things.

  • carp bug

    6
    0 Votes
    6 Posts
    757 Views
    RicoR

    Start the usual elimination process ;-)
    Try other vNICS, other hardware (best pfSense bare metal), try another Switch, and so on.

    -Rico

  • HA with a single public IP

    10
    0 Votes
    10 Posts
    976 Views
    Mr_JinXM

    @viragomann The outbound NAT is the same on both as it NATs to the VIP, and the alias includes all the subnets of my LAN. Even with only allowing a single ping the secondary box is able to eventually do updates and whatnot, so issue resolved for now. Thank you.

  • HA server redirect with / in

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
  • HA does not route traffic

    2
    0 Votes
    2 Posts
    298 Views
    Z

    Forgot to say that all NAT is set up correctly and I have looked over this forum for any way to fix it :)

    BR

  • Question about Security/Usage

    1
    0 Votes
    1 Posts
    287 Views
    No one has replied
  • Transitioning to CARP on live system

    5
    0 Votes
    5 Posts
    571 Views
    C

    Yes, I think that makes the most sense. Change outbound NAT address from interface to CARP IP, then replace all primary IPs and create old primary as CARP VIP; apply all at once. Outage should be brief to none, then firewall B can be configured as backup.

  • LACP doesn't work reliably, "slow" PDU transmission rate suspected

    8
    0 Votes
    8 Posts
    3k Views
    S

    Ok thanks, raised a feature request:

    https://redmine.pfsense.org/issues/10504

  • Failover between 2 different geographic sites.

    3
    0 Votes
    3 Posts
    396 Views
    S

    Thank you very much! That works, I'm most grateful.

  • Do I need any NAT for use of LAN side CARP VIPs?

    3
    0 Votes
    3 Posts
    337 Views
    andrewKA

    Great. Thanks for the clarity.

  • CARP + Forticlient SSLVPN random disconnect

    2
    0 Votes
    2 Posts
    421 Views
    X

    I found the problem.

    I was using Hybrid NAT. After switching to Manual NAT and setting all NAT Address to "CARP VIP", the problem is solved. 😓

    ==============
    Update: Still not working... Getting Random Disconnect again...☹

    Update 2: If I Enable CARP Maintenance Mode, connect Fortinet SSLVPN, and disable CARP Maintenance Mode, the VPN will stay stable and no drop of connection.

  • Multiple subnets over the same VLAN interface

    16
    0 Votes
    16 Posts
    1k Views
    DerelictD

    How about a specific source IP address please?

  • 0 Votes
    1 Posts
    259 Views
    No one has replied
  • CARP + Bridged interfaces?

    1
    0 Votes
    1 Posts
    178 Views
    No one has replied
  • HA with single WAN IP, hard to find solid info

    4
    0 Votes
    4 Posts
    1k Views
    S

    Any way you would consider making a video tutorial of how you got this to work? Trying to achieve the same thing but video guide exists for those of us with a single dynamically assigned IP address

  • [solved] HAproxy ssl offloading only for internal Lan

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ

    It was much better before browsers started lowering the life of the cert.. You could set the cert to be good for 10 years or something and never have to worry about it again..

    Now they want to have longest life of 398 days - uggghhhh.. Glad all my certs grandfathered in, hehehe And good for the 10 some years ;)


  • Can pfsense run a php command when VIP failover ?

    3
    0 Votes
    3 Posts
    387 Views
    jimpJ

    Look at /etc/rc.carpbackup and /etc/rc.carpmaster which get run when a VIP transitions to the state matching the name of the script.

  • Using HAproxy but Apache still handing out the self signed cert

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • 0 Votes
    3 Posts
    467 Views
    K

    Hi!

    I still very much have the same problem, is there anything I can provide to help get it fixed?

    Can anyone confirm/infirm what the following errors would cause, is my problem consistent with it?

    Mar 31 15:58:04 check_reload_status rc.newwanip starting pppoe0
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface WAN [wan].
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: on (IP address: ddd.eee.fff.ggg) (interface: WAN[wan]) (real interface: pppoe0).
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.200'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.201'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet ' aaa.bbb.ccc.202'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.203'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.204'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.205'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.206'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.207'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
    Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface wan
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Creating rrd update script
    Mar 31 15:58:23 php-fpm 30436 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - ddd.eee.fff.ggg -> ddd.eee.fff.ggg - Restarting packages.

    It looks like every server which has a virtual IP has an issue of some kind after my Internet connection is reestablished..

    There is a ticket open about this but it has not received any love in 2 years... 😞 😞 😞

    See: https://redmine.pfsense.org/issues/8413

    Thank you and have a nice day,

    Nick

  • How can I tell if states are syncing correctly?

    2
    0 Votes
    2 Posts
    347 Views
    J

    Hooray! I got it working.
    Listening to music over VPN, through RDP, you only hear the sound cut out for maybe 0.5 seconds after a failover now.

    Was just an issue with the way I was testing my Public IPs offline. (Spoofing them internally + double NAT lol)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.