Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Upgrade secondary from 2.0.3 to 2.1.5 and ipsec status shows yellow but working

    Scheduled Pinned Locked Moved
    IPsec
    1
    3
    812
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      adam65535
      last edited by

      I upgraded the backup member of a HA cluster using carp and I did first disable the config sync by removing the IP from 'Configuration Synchronization Settings' in the Carp settings.  I then disabled carp on the primary to force the backup to take over.  Everything transitioned over to the backup firewall and the tunnels are working but the status shows yellow for all of them.  Everything looks good in the IPsec logs.  I see that all the tunnels that were active before have renegotiated just fine within a minute of the backup taking over.

      Has anyone experienced this?  It has been about an hour since the backup member took over and they are still showing yellow in the IPsec status page.  I don't see how ipsec can be showing yellow when they have established just fine.

      I haven't upgraded the primary yet so I still have carp disabled on that until I verify everything is functional on the backup.

      1 Reply Last reply Reply Quote 0
      • A
        adam65535
        last edited by

        Looking at the backup config before and after the upgrade I see that the interface assigned to the ipsec tunnels and the interfaced assigned to the IP Alias is called 'vip1' in 2.0.3.  In 2.1.5 they are all assigned to 'wan_vip1' .  Which seems to be consistent with just an internal config reference name change.

        The problem is that somehow in 2.1.5 the carp status is showing the IP alias (.39) on the left hand side of the (EDIT) OVERVIEW status page instead of the Carp IP (.36).  The SAD status page shows the correct Carp IP.  The actual established tunnels are using the Carp IP correctly so they established and worked just fine.  Since the status page is using the IP Alias though when it searches for tunnel status it will not match the real tunnels.  I am just glad the problem is just displaying and not the other way around :).

        Is this a bug in 2.1.5 that if you have IP Aliases on a carp IP the status page uses the wrong IP when displaying and searching for the tunnel status or is this an upgrade bug where the interface assigned to the ipsec tunnels should have been changed to something else to get the Carp IP during the upgrade?

        The gui shows that it is assigned to the correct Carp IP interface.

        On 2.0.3 the status page worked just fine with the config (I haven't made any changes since the upgrade).

        1 Reply Last reply Reply Quote 0
        • A
          adam65535
          last edited by

          I corrected an important mistake in my last post.  It is the overview ipsec page that shows the incorrect IP (shows the IP Alias instead of the Carp IP).  The SAD page shows the correct IP (Carp IP).

          1 Reply Last reply Reply Quote 0
          • First post
            Last post