Netgate Discussion Forum

    Incorrect definition of CARP roles

    HA/CARP/VIPs
      Xando

      There are two servers, version 2.7.2. The main server is deployed on Hyper-V and the backup server is on KVM. High availability (Pfsync, XMLRPCSync) has been configured on the main server and a CARP address has been created. No high availability settings have been made on the backup server. After configuring the main server, I made sure that the configuration is replicated to the backup server. I created a user on the main server, and it instantly appeared on the backup server. However, the backup server takes on the role of master, and the main server takes on the role of backup. Skew is set to 0 on the main server, and it takes over the backup role. On the backup server, the Skew is 100, but it becomes the master server. I log in to the main server via SSH and enter ipconfig hn1||||. I get the output carp: BACKUP vhid 1 advbase 100 advskew 254. Note that the SSH and web advskew values are different. What is the problem?
      master.png
      backup.png

        patient0 @Xando

        @Xando have you followed the High Availability Configuration Example? You created the interfaces in the exact same order, created the necessary firewall rules on the sync interface, and so on?
        Can you share a few screenshots of the HA/CARP config?

          Xando @patient0

          @patient0
          In the firewall on the sync interfaces, both hosts allowed any protocol to enter and exit.
          master
          master1.png
          backup
          backup2.png

            patient0 @Xando

            @Xando the firewall rules are ok. Any reason you have not set anything under 'State Synchronization Settings (pfsync)' on the backup? To quote the doc I mentioned:

            "Configure State Synchronization (pfsync)
            State synchronization using pfsync must be configured on both the primary and secondary nodes to function."

            You don't enter anything under 'Configuration Sync...' but you have to fill in the first part, 'State Sync...'

              Xando @patient0

              @patient0
              Is it configured correctly on the backup server?
              backup3.png

                patient0 @Xando

                @Xando said in Incorrect definition of CARP roles:

                Is it configured correctly on the backup server?

                That looks ok, yes.

                  Xando @patient0

                  @patient0
                  Anyway, the roles are not distributed correctly(

                    patient0 @Xando

                    @Xando but from your first post, why do you set 'Advertising frequency' to 100? The doc says '1'. That value is how often, in seconds!, a CARP heartbeat is sent. You set it to 100 seconds, a heartbeat every 1 minute and 40 seconds.

                    Set it to '1' and let's see how it works.

                      Xando @patient0

                      @patient0
                      master server
                      master1.png
                      master2.png

                      backup server
                      backup1.png
                      backup.png

                        patient0 @Xando

                        @Xando mmmh, that does look ok, indeed.

                        I assume you can ping the LAN IP of the backup from the master and the other way around? And the same for the SYNC interface?

                        How are the two pfSense instances connected?

                          Xando @patient0

                          @patient0 Or maybe the hypervisors have a problem?
                          Pings from LAN -> LAN; SYNC -> SYNC interfaces pass. Pfsense is connected via a switch.

                            patient0 @Xando

                            @Xando said in Incorrect definition of CARP roles:

                            Or maybe the hypervisors have a problem?

                            But then you wouldn't be able to ping. Well, CARP does use multicast; if multicast gets blocked, that may be an issue.

                            Can you try to set the backup node, which is Master right now, to 'Temporarily Disable CARP' (Status / CARP) and see if it does fail over and the master changes from 'Backup' to 'Master'?

                              Xando @patient0

                              @patient0 Yes, I'm disabling CARP on the backup node. The machine with the address 192.168.200.17 becomes the MASTER as it should be. And I'm enabling the CARP role on the backup. The backup server becomes the master.

                                patient0 @Xando

                                @Xando that's confusing, I'm out of ideas at the moment, it looks correct. I'll have breakfast and maybe something comes to mind.

                                Hopefully someone else can see what could be the issue.

                                  Xando @patient0

                                  @patient0 The time is correct on both machines. Maybe version 2.7.2 has a bug?

                                    patient0 @Xando

                                    @Xando said in Incorrect definition of CARP roles:

                                    The time is correct on both machines. Maybe version 2.7.2 has a bug?

                                    It could be, but it's such a simple setup; the only thing unusual is the Hyper-V <-> KVM situation. And I have no knowledge about Hyper-V and its quirks.

                                    I assume if you change the skew on .200.17 to 100 and to 0 on .200.18, nothing changes? Or is then .200.17 the Master?

                                    Edit: An (old) thread from 2016 mentioned:

                                    "For Hyper-V, all you have to do is allowing mac address spoofing and you're good to go."

                                    You set that?

                                      Xando @patient0

                                      @patient0 Enabled MAC spoofing on Hyper-V. It didn't help. Even on KVM, I changed the type of network adapters in virtio to e1000.

                                        patient0 @Xando

                                        @Xando what happens when you:

                                        "I assume if you change the skew on .200.17 to 100 and to 0 on .200.18, nothing changes? Or is then .200.17 the Master?"

                                        If I do that on my test cluster (but both pfSense's on one Proxmox node) they switch the Master<->Slave right away.

                                          Xando @patient0

                                          @patient0 I cheated on Skew, but it didn't help. What is your version of pfsense?

                                            patient0 @Xando

                                            @Xando said in Incorrect definition of CARP roles:

                                            What is your version of pfsense?

                                            It does run on 2.7.2 CE. I really suspect the Hyper-V - QEMU combination.

                                            Do you have the patience and/or time to set up the backup node on Hyper-V (export the config of the backup node, import on another Hyper-V machine)?

                                            Add: Or a packet capture, although I haven't done that for CARP and don't know what to expect.
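
Added example, not part of the thread and not pfSense code: for the packet capture suggested in the last post, this Python script decodes the CARP advertisement header (the 36 bytes after the IP header, IP protocol 112) and shows which node the "lowest advbase + advskew/256 wins" rule favours. The function names are hypothetical and the sample bytes are constructed; "main" uses the advbase/advskew from the ifconfig output in the first post, while the "backup" values are an assumption.

```python
import struct
from typing import NamedTuple

# CARP header layout: version/type, vhid, advskew, authlen, pad, advbase,
# checksum, 8-byte replay counter, 20-byte SHA1 HMAC (36 bytes total).
CARP_HDR = struct.Struct("!BBBBBBH8s20s")

class CarpAd(NamedTuple):
    version: int
    type: int
    vhid: int
    advskew: int
    advbase: int

    @property
    def interval(self) -> float:
        # Seconds between advertisements: advbase + advskew/256.
        return self.advbase + self.advskew / 256

def parse_carp(payload: bytes) -> CarpAd:
    """Decode the CARP header that follows the IP header (protocol 112)."""
    if len(payload) < CARP_HDR.size:
        raise ValueError("truncated CARP header")
    vt, vhid, advskew, _authlen, _pad, advbase, _cksum, _ctr, _md = \
        CARP_HDR.unpack_from(payload)
    ad = CarpAd(vt >> 4, vt & 0x0F, vhid, advskew, advbase)
    if ad.version != 2 or ad.type != 1:
        raise ValueError("not a CARPv2 advertisement")
    return ad

def preferred_master(ads: dict) -> str:
    """Name of the node that advertises most often within a single VHID."""
    if len({ad.vhid for ad in ads.values()}) != 1:
        raise ValueError("advertisements belong to different VHIDs")
    return min(ads, key=lambda name: ads[name].interval)

def build_ad(vhid: int, advbase: int, advskew: int) -> bytes:
    # Constructed sample bytes: checksum, counter and HMAC are zero-filled.
    return CARP_HDR.pack(0x21, vhid, advskew, 7, 0, advbase, 0, bytes(8), bytes(20))

# Constructed inputs; only the "main" values come from the first post.
SAMPLES = {
    "main": parse_carp(build_ad(vhid=1, advbase=100, advskew=254)),
    "backup": parse_carp(build_ad(vhid=1, advbase=100, advskew=100)),
}

if __name__ == "__main__":
    for name, ad in SAMPLES.items():
        print(f"{name}: vhid={ad.vhid} advbase={ad.advbase} "
              f"advskew={ad.advskew} interval={ad.interval:.2f}s")
    print("preferred master:", preferred_master(SAMPLES))
```

With a real capture, filter on IP protocol 112 and pass the bytes after the IP header to `parse_carp`; the decoded advskew is the value the node actually advertises, which is the one to compare against the GUI setting.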

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.