CARP and OpenVPN not stable
-
I have 2 bare metal PFSense boxes configured with CARP and PFsync along with a PFSense VM that connects a remote office back to us via a P2P shared key Open VPN tunnel.
Everything works fine until I need to save something on the primary firewall. (Such as something as simple as saving my email address for notifications etc.)
Then my remote office PFSense decides to connect to the secondary and will not fail back to the primary PFSense unless I take down or reboot the secondary PFSense box. (After a reboot of the secondary PFSense everything is once again up and stable?)
When this happens the secondary PFSense thinks his Wan VIP is now Primary and the remote office starts getting these Open VPN errors in the logs:
openvpn[20819]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #378 / time = (1364333243) Tue Mar 26 14:27:23 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
PFSense v 2.0.2
Any Ideas?
Please help!
Thanks!
-
Make sure you have the CARP VIP selected as the 'interface' for the VPN and not the actual interface (e.g. 'WAN')
When set that way, pfSense 2.0.2 and later will disable the VPN on the backup node until it becomes a CARP master.