Netgate Discussion Forum

    When switching from one node to another, connections are reset!

    HA/CARP/VIPs
      manu77

      Hello All

      I'm going mad with my CARP configuration. It is quite simple, as it seems:
      2 pf in CARP mode
      2 VIPs (one LAN, one WAN)

      All CARP events are OK (switching from one to the other, tunnels, etc.) EXCEPT that all the active sessions seem to be reset when CARP switches to MASTER on the backup node. For instance, an RDP session freezes for 10 seconds and reconnects when the switch is done. The same happens when I switch back to the MAIN node.
      I checked everything; my config looks good.
      My opinion is that the states from the MASTER are not properly carried over to the SLAVE, but I do not know why at this stage.

      Here is a capture of one state for an FTP session on the master:
      Master.png

      Here we see the same state synced to the slave:
      Slave.png

      But I notice that on the slave the interfaces are not correct. It should be LAN or WAN but we have ALL!!
      I do not know if this is normal or not.

      Thanks for your help
      Emmanuel

        manu77 @manu77

        @manu77
        Update: This old ticket points to exactly the same behaviour.
        It seems to be a bug not fixed to this day.

          manu77

          Update: I noticed today that version 2.5.2 is not affected by the problem and everything works as it should. All the states are correctly named by interface on each node, and I do not have states with the interface named "all".
          I'm wondering whether this HA state sync has not been broken with version 2.6 and now 2.7.

            manu77 @manu77

            Hello All
            With version 2.7.2, we still face the problem.

            If someone could look at and fix this bug in the next release, it would be really appreciated.
            Switching from one firewall to another with disconnection is so boring for everyone.

            Thanks

              SteveITS Galactic Empire @manu77

              @manu77 I looked at our router2 and I also see "all"; however, we've never had a problem with connections dropping.

              Did you find:
              https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html#state-synchronization-problems-pfsync

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                manu77 @SteveITS

                @SteveITS
                Thanks for looking at this problem. Of course I checked everything before posting. I have a lot of firewalls in CARP mode (maybe 100) and I lost transparent switches between the firewalls since version 2.6, but I didn't notice it just after the upgrades. It took me some months of tests...

                If you want to see what really happens:

                1. Open an RDP session outside of your network, which will create a TCP session that is very easy to follow.
                2. Go to CARP on the master node and place it under maintenance.
                3. You should lose your session until the firewall which became master recreates it, because this state is not properly assigned from the master to the slave (firewall) before the CARP switch.

                You can also replay this, but at step 3 do not wait too long (10 seconds), and then follow these steps:
                4. Go to CARP on the master and reset CARP maintenance.
                5. You should now recover your RDP session without any delay. This is possible because the state of your RDP session was created on the master before switching. So if you do not wait too long, this state is still there, and when you come back to the firewall which created the states you need, you have no problem!

                To cut a long story short:
                When a CARP switch occurs between 2 nodes, all the states in place on the node which was master before the switch are not usable by the node which becomes the master. So all the states are recreated by this node, with the cuts and disconnections you can imagine.

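Added example (not part of the original posts): one way to check the symptom discussed in this thread is to diff the state tables of both nodes, listing states that are missing on the backup and states whose bound interface differs (for example `all` instead of a named interface). It assumes plain `pfctl -ss` output saved from each node, with lines shaped `<ifname> <proto> <flow> <state>`; the sample dumps, addresses and interface names are constructed.

```python
import re

# Assumed layout of one `pfctl -ss` line (no -v): ifname, proto, flow, state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<flow>.+?)\s+(?P<state>\S+)$"
)

# Constructed sample dumps (documentation addresses, hypothetical em0/em1).
MASTER_DUMP = """\
em1 tcp 192.168.10.20:3389 <- 203.0.113.7:50211       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.7:50211 -> 192.168.10.20:3389       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.10.30:21 <- 198.51.100.9:40112       ESTABLISHED:ESTABLISHED
"""
BACKUP_DUMP = """\
all tcp 192.168.10.20:3389 <- 203.0.113.7:50211       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.7:50211 -> 192.168.10.20:3389       ESTABLISHED:ESTABLISHED
"""


def parse_states(dump):
    """Return {(proto, flow): set of interface names} for a state dump."""
    table = {}
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        flow = " ".join(m["flow"].split())  # normalise spacing
        table.setdefault((m["proto"], flow), set()).add(m["iface"])
    return table


def compare_nodes(master_dump, backup_dump):
    """List master states absent on the backup or bound to another interface."""
    master, backup = parse_states(master_dump), parse_states(backup_dump)
    report = {"missing": [], "iface_mismatch": []}
    for key in sorted(master):
        if key not in backup:
            report["missing"].append(key)
        elif backup[key] != master[key]:
            report["iface_mismatch"].append(
                (key, sorted(master[key]), sorted(backup[key]))
            )
    return report


if __name__ == "__main__":
    result = compare_nodes(MASTER_DUMP, BACKUP_DUMP)
    for proto, flow in result["missing"]:
        print(f"missing on backup: {proto} {flow}")
    for (proto, flow), m_if, b_if in result["iface_mismatch"]:
        print(f"interface differs: {proto} {flow} master={m_if} backup={b_if}")
```

An interface difference on its own does not prove a fault: a later reply in this thread reports seeing `all` on a pair that fails over without drops.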
                  SteveITS Galactic Empire @manu77

                  @manu77 I just tested with RDP and did not get dropped at your step 3...

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.