Carp Failover not smooth....
-
I have carp setup, states syncing etc.
but when I do a traceroute to the natted IP, it hits the router ip first. so when I do a carp failover it doesn't use the states and it drops a few packets.
So what am I missing here? at this point we stopped syncing states becuase there really isnt much point the failover works all the same.
from an external machine, you can see the ip change for the hop just before, which is the wan interface of the router.
I missing something but not sure what!
-
@Kevin-S-Pare A traceroute shows the router it talks to not the shared/CARP IP. Because that router answers.
The states should sync. Do you have the same hardware and order in both?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html#state-synchronization-problems-pfsync
-
@SteveITS One router is a Netgate 8200, the other is a Netgate 6100.
Makes no difference if I sync states or not when I ping the ip of the webserver, the packet loss is the same.
Ironically, when I fail back, it comes back smoothly.Both routers are running 24.11
We host alot of citrix connections and thats where we notice it most.
-
@Kevin-S-Pare said in Carp Failover not smooth....:
I have carp setup, states syncing etc.
but when I do a traceroute to the natted IP, it hits the router ip first. so when I do a carp failover it doesn't use the states and it drops a few packets.
So what am I missing here? at this point we stopped syncing states becuase there really isnt much point the failover works all the same.
from an external machine, you can see the ip change for the hop just before, which is the wan interface of the router.
I missing something but not sure what!
I'm a little unclear on your exact configuration here. Your first statement was when doing a traceroute (I assume you are doing this from a host outside the router's LAN network, ie, across an internet connection) you're seeing the packets go to the WAN address of the router (the WAN address, NOT the CARP address) then the final hop after the router's WAN address is to the CARP address. Is my perception here correct?
@Kevin-S-Pare said in Carp Failover not smooth....:
@SteveITS One router is a Netgate 8200, the other is a Netgate 6100.
Makes no difference if I sync states or not when I ping the ip of the webserver, the packet loss is the same.
Ironically, when I fail back, it comes back smoothly.Both routers are running 24.11
We host alot of citrix connections and thats where we notice it most.
Typically it is not recommended to run two different pieces of hardware in a CARP/HA cluster. Sometimes you can get away with it, sometimes you can't, and sometimes it kind of works but has issues.
-
@bp81 said in Carp Failover not smooth....:
@Kevin-S-Pare said in Carp Failover not smooth....:
I have carp setup, states syncing etc.
but when I do a traceroute to the natted IP, it hits the router ip first. so when I do a carp failover it doesn't use the states and it drops a few packets.
So what am I missing here? at this point we stopped syncing states becuase there really isnt much point the failover works all the same.
from an external machine, you can see the ip change for the hop just before, which is the wan interface of the router.
I missing something but not sure what!
I'm a little unclear on your exact configuration here. Your first statement was when doing a traceroute (I assume you are doing this from a host outside the router's LAN network, ie, across an internet connection) you're seeing the packets go to the WAN address of the router (the WAN address, NOT the CARP address) then the final hop after the router's WAN address is to the CARP address. Is my perception here correct?
@Kevin-S-Pare said in Carp Failover not smooth....:
@SteveITS One router is a Netgate 8200, the other is a Netgate 6100.
Makes no difference if I sync states or not when I ping the ip of the webserver, the packet loss is the same.
Ironically, when I fail back, it comes back smoothly.Both routers are running 24.11
We host alot of citrix connections and thats where we notice it most.
Typically it is not recommended to run two different pieces of hardware in a CARP/HA cluster. Sometimes you can get away with it, sometimes you can't, and sometimes it kind of works but has issues.
Its primarily two different network cards. but they are the same card. I've tested it with identical devices and the same issue happens.
anyway, big picture, we walked away from this. in the event of a router failure we will have packet loss anyway and it will failover. the only advantage was to fail the router live during the day for maintenance. We really dont need to do this. the goal of a redundant router has been fulfilled. if we really need to do a firmware upgrade we can just failover at night when usage/imact is low. not a big deal.
-
@Kevin-S-Pare You might consider that in case of a failover event to BACKUP unit, the BACKUP unit's ARP cache table is basically empty. So if the states are synced that is great, you will not experience complete session breaks, because of the failover but the BACKUP unit needs a few secs to build up the ARP cache for the local IP/MAC pairs from the active sessions.
-
@RobertK-1 You know...I had not considered that, you may be right. either way. it doesnt switch smooth without some drop, so i've just accepted that, and it does work well as it is. I was just chasing the possibility if a fail over with no network loss..pretty hard.