I leave it enabled at defaults. It shouldn't need DPD to fail to the second node- the secondary should take over the existing IPSec connections.

This issue was fixed in 2.2.3.

One more thing I've noticed - the behaviour seems to be the same when adding new CARP VIPs. When you click save to add a VIP, it is immediately synced and applied to the secondary node, and only gets applied on the primary after clicking 'apply'. It's not so much of a problem in that case of course, because it's a new VIP, and doesn't matter if it's MASTER on the secondary initially.

Ok,…Interface Order was different on the two nodes, so the Virtual IP Synchronization was incorrect, and so it didn't work at all,...same order on both nodes, everything fine.

Just Confirmation. I did the work around and the LAGG setup is working as intended.

There's already a patch for this in 2.2.3.

I have had a similar issue, seemingly out of nowhere, with my master that was running 2.2 and my slave at 2.2.2 for a couple weeks (until Sunday afternoon).  Master affected with very slow performance, both throughput and it's own web interface.  I do not use any limiters, but I do use BGP.  I will also downgrade to 2.1.5.

Figured out my issue. port security was enabled and set to restrict on the switchport that the LAN interfaces were connected to and I could see in the switch logs that it was getting tripped. Disabled port security now all is well.

Hello, Did you find something ? I have a similar configuration and have same troubles. It's quite temporary on my side but sometimes the ping between two systems in two different vlans can go from 0.200ms to 5/15 ms without any reason. Thank you

Change the port on both primary and secondary.  That setting isn't synced.

thank you jimp I already switch to new 2.2.2 with this patch I made a short test but when I switch back to master, bgp remains in ACTIVE for 2 sessions from a total of 4 I wil make more tests on this weekend P.S: attached my old 2.0.2 uptime  8)  

We've seen that before but not lately. What version of pfSense is on both units? And do you have Captive Portal + voucher sync enabled on that cluster?

@jme: That is what i did too. @Jimp: i didn't verified, i'll check this next time and give you the log related to this action

Sorry, you've hit the limit of my knowledge on this subject.  Yes, I believe that the shared WAN IP is a Virtual IP.

IP alias is fine. Some modems aren't happy with just proxy ARP, which sounds like the case for you.

Hello Dotdash, Thanks for your reply. My diagram was not complete, I already had the VIP setup for all interfaces. It's working since this morning. I'm not exactly sure what was wrong. I've setup the DHCP servers as I've already done a few times without success, but this time it worked. I let a few days go by before making my final attempt. I red the chapter about configuring CARP (especially the DHCP part) before proceeding. Maybe I needed the break. Anyway, this issue is solved. Thanks !

Viragomann put me on the right track, though there was a catch.  The original problem was that I wanted to perform CARP firewall rules synchronization between a master and a backup, but the backup had an extra interface (a wireless access point) the master didn't have.  Consequently, the rules for the extra interface were been deleted whenever the rules synchronized.  Viragomann suggested creating a dummy interface on the master for a non-existent VLAN, giving it the same name as the wireless interface on the backup firewall, and putting the rules there.  The basic idea was good, but with a problem. The problem comes in the way that the interfaces are named.  When I created the dummy VLAN on the master, pfSense named it "OPT5".  I then renamed it to "wireless" to match the interface name on the backup.  It seems that renaming OPT5 to "wireless" is a cosmetic change only.  Internally pfSense still calls it "OPT5", and all the rules are associated with "OPT5".  When CARP performs the firewall synchronization, it copied all those wireless rules to the backup firewalls "OPT5", which was some other VLAN.  On the backup, pfSense knows the wireless interface as "OPT4".  I had to delete everything on the master firewall associated with OPT4 and above, and recreate them in the right order so that their internal "OPT" names aligned with the ones on the backup firewall.  Once I did that, synchronization worked great. Thanks, Viragomann, for putting me on the right path.

I appreciate the honesty and I totally see your point.

To switch from CARP back to a stand-alone unit you can remove the sync settings from System > High Avail Sync and from the DHCP server tabs. CARP VIPs and NAT can be left as-is.