WAN link unplugged, but LAN not failoverto Backup

leiw

Hello,

I am testing WAN disconnect (unplugged cable), but only WAN can failover to Backup, but LAN didn't, can someone help? thanks

viragomann

@leiw
So the LAN is still shown up as backup on the secondary and as master on the primary?

leiw

@viragomann

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw
So the LAN is still shown up as backup on the secondary and as master on the primary?

MASTER:
WAN DOWN
LAN UP

BACKUP:
WAN UP
LAN DOWN

viragomann

@leiw
The point is the CARP status, not the interface status.

Check out Status > CARP.
Which status shown up for LAN and WAN on primary and secondary?

leiw

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw
The point is the CARP status, not the interface status.

Check out Status > CARP.
Which status shown up for LAN and WAN on primary and secondary?

I am using XCP-NG to test HA, remember I can't ping the WAN CAPR interface in 10.0.11.0/24 network, I don't know is it normal:

Master:

Backup:

Unplugged Master WAN link:

Master:

Backup:

viragomann

@leiw
What do you have in the CARP VIP settings?

What is the underlying hardware? Or is pfSense virtualized?

How are the devices connected to each over?

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What is logged regarding the failover?

leiw

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw
What do you have in the CARP VIP settings?

What is the underlying hardware? Or is pfSense virtualized?

How are the devices connected to each over?

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What is logged regarding the failover?

1. Master VIP
   

Backup VIP

2. I followed this guide: https://xcp-ng.org/blog/2019/08/20/how-to-install-pfsense-in-a-vm/

3. Both VMs WAN connected to XCP-NG nic01 that will get our local lan DHCP 10.0.11.0/24
   Both VMs LAN connected to XCP-NG nic02 that also connected to our local lan, but will change IP subnet to 192.168.1.0/24

4. Both Sync is using Private network connect each other

Master

Backup

Master

Backup

Thanks for helping!

leiw

@leiw said in WAN link unplugged, but LAN not failoverto Backup:

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw
What do you have in the CARP VIP settings?

What is the underlying hardware? Or is pfSense virtualized?

How are the devices connected to each over?

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What is logged regarding the failover?

1. Master VIP
   

Backup VIP

2. I followed this guide: https://xcp-ng.org/blog/2019/08/20/how-to-install-pfsense-in-a-vm/

3. Both VMs WAN connected to XCP-NG nic01 that will get our local lan DHCP 10.0.11.0/24
   Both VMs LAN connected to XCP-NG nic02 that also connected to our local lan, but will change IP subnet to 192.168.1.0/24

4. Both Sync is using Private network connect each other

Master

Backup

Master

Backup

Thanks for helping!

Can someone help?

leiw

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw
What do you have in the CARP VIP settings?

What is the underlying hardware? Or is pfSense virtualized?

How are the devices connected to each over?

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What is logged regarding the failover?

Hello viragomaan, can you help, please?

viragomann

@leiw said in WAN link unplugged, but LAN not failoverto Backup:

What do you have in the CARP VIP settings?

The Advertising frequency and skew were the real interesting settings on both nodes here.

Did you disable the 'TX Checksum Offload' as described in the setup tutorial?

Did you also disable 'Hardware Checksum Offloading' in pfSense?
System > Advanced > Networking

On both virtual switches, WAN and LAN you might also have to enable the promiscuous mode, at least for the pfSense interfaces.
I don't know, how this can be done on XCP-ng, but would be essential if there is such option.

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What's about this??
This could give important information about, what's going on.

Go through the Troubleshooting High Availability steps in the pfSense docs.

leiw

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw said in WAN link unplugged, but LAN not failoverto Backup:

What do you have in the CARP VIP settings?

The Advertising frequency and skew were the real interesting settings on both nodes here.

Did you disable the 'TX Checksum Offload' as described in the setup tutorial?

Did you also disable 'Hardware Checksum Offloading' in pfSense?
System > Advanced > Networking

On both virtual switches, WAN and LAN you might also have to enable the promiscuous mode, at least for the pfSense interfaces.
I don't know, how this can be done on XCP-ng, but would be essential if there is such option.

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What's about this??
This could give important information about, what's going on.

Go through the Troubleshooting High Availability steps in the pfSense docs.

Thanks for the help.

Yes, I enabled 'TX Checksum Offload' and enable the promiscuous mode on both WAN and LAN, also I just disabled 'Hardware Checksum Offloading', but no luck.

Also, this problem in VirtualBox.

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?
I just quote, please avoid it.

Thanks

leiw

@leiw said in WAN link unplugged, but LAN not failoverto Backup:

@viragomann said in WAN link unplugged, but LAN not failoverto Backup:

@leiw said in WAN link unplugged, but LAN not failoverto Backup:

What do you have in the CARP VIP settings?

The Advertising frequency and skew were the real interesting settings on both nodes here.

Did you disable the 'TX Checksum Offload' as described in the setup tutorial?

Did you also disable 'Hardware Checksum Offloading' in pfSense?
System > Advanced > Networking

On both virtual switches, WAN and LAN you might also have to enable the promiscuous mode, at least for the pfSense interfaces.
I don't know, how this can be done on XCP-ng, but would be essential if there is such option.

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?

What's about this??
This could give important information about, what's going on.

Go through the Troubleshooting High Availability steps in the pfSense docs.

Thanks for the help.

Yes, I enabled 'TX Checksum Offload' and enable the promiscuous mode on both WAN and LAN, also I just disabled 'Hardware Checksum Offloading', but no luck.

Also, this problem in VirtualBox.

If you sniff the CARP traffic on the secondary, when masters WAN is unplugged, what do your get?
I just quote, please avoid it.

Thanks

Sorry, I can ping the WAN virtual IP, after unplugged WAN on MASTER, but the LAN still on BACKUP status on BACKUP node.

A Former User

@leiw

I've run into this issue, too. I have pfSense in HA on two ESXi hosts. It turned out that CARP and gateway monitoring do not work together. The WAN gateway may be offline, but CARP does not know about it. CARP has its own monitoring that is set up on the network interfaces. When pfSense runs in a VM and its interfaces are connected to a vSwitch, unplugging WAN disconnects the vSwitche's uplink, but the pfSense's WAN is still up. WAN is connected to the vSwitch so it is still happy. The CARP MASTER just doesn't know that the uplink is disconnected. To eliminate this issue, the pfSenses interfaces in VM need to be pass-through. That's not only a VM issue. Netgate's own firewall, SG-7100, that comes with its own switch has the same issue which is even documented in the SG-7100 manual. So, it is what it is.

Phelton

hi everyone,
i have same topology and i have same issue.

release 2.0.7 AMD64

Phelton

i have replicated topology in GNS3 Lab and have same issue: