Webconfigurator slow after setting up CARP/pfsync/HA
-
I've had a poke around the forums and on IRC, but haven't been able to figure this out.
Since enabling CARP/pfsync/HA, webconfigurator on the master pfSense machine is very slow, but is absolutely fine on the backup machine.
I had initially thought this was due to Avahi or Snort (avahi-daemon was pegged at 100% since enabling CARP, but I think this is another issue), but disabling these hasn't changed anything.
Strangely, if I ssh to the box, it responds as you'd expect, and top shows that there is only around 10% CPU and 25% RAM in use at any one time.
I haven't set up a CARP IP for every interface yet, as two of the WAN interfaces are just /30, so there can only be an IP on the master until our ISP gives us a bigger subnet.
The other interfaces are:
LAN > Untagged to switch stack, one NIC per box (CARP IP)
LAGG0 > Tagged VLANs to switch stack, three NICs per box
OPT1 - OPT101 > Sitting on LAGG0, some VLANs have CARP IPs, some don't yet
The primary WAN (Tier 1, default gateway) is a /29 with a CARP VIP.
The other WANs are enabled and have IPs on the master, and are enabled but with no IP configured on the backup.
Browsing to different pages on the primary's webconfigurator can take anything from 1 to 15 minutes - I don't get timeouts.
Everything that passes through the firewall works absolutely fine. As far as I can see, there are no conflicting IPs, and the switches aren't complaining about anything.
Has anyone seen anything like this before?
-
I'm seeing the exact same thing. I don't have any answers for you, but as soon as I do, I'll post them here.
Anyone else have any ideas?
-
Apparently in 2.2.4 and above you can have 1 public IP shared between CARP members whilst the real interface's IP is on a private subnet. (search forum for how to set this up)
If you require external management, this means you can never reach a specific box directly from outside, but other than that it works as you'd expect.
As far as slowness is concerned, if you disable CARP does speed come back?
Check for conflicts between CARP VHID and VRRP IDs.
See this msg about how to do that: https://forum.pfsense.org/index.php?topic=102133.msg570666#msg570666
-
Actually, as it turns out, I had it set to authenticate against active directory, but it could not bind to the server. Once I changed it to local database, the webgui was back to normal speed. Now I just need to troubleshoot the AD integration. I have a feeling it's more to do with my domain controller than my pfsense, but we'll see.
-
The source IP on the auth requests would change after switching to CARP since they'll come from the new LAN IP (absent configuring source NAT otherwise), that's probably why.
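The two posts above point at the actual cause: the GUI blocks on an LDAP bind to AD that never completes, and after the CARP cutover the bind leaves the firewall from a different source address. Below is an added example (not from this thread or from pfSense) of the check I would run from the firewall before blaming the domain controller: a timed TCP probe to the AD server's LDAP port, optionally forced out of a chosen source IP, so you can compare the pre-CARP and post-CARP egress addresses. The hostname `ad.example.internal`, the candidate source IPs, and the local stand-in listener in `demo_against_local_stand_in()` are all constructed for the example.

```python
"""Timed reachability probe for an LDAP/AD server from a chosen source IP.

Added example; not code from the forum thread or from pfSense. Assumes the
authentication server speaks LDAP on TCP/389 (LDAPS would be 636) and that any
source_ip you pass is an address configured on the box running the script.
"""
import socket
import time


def probe_ldap_tcp(host, port=389, source_ip=None, timeout=3.0):
    """Attempt one TCP connection to host:port and time it.

    Returns {"ok": bool, "elapsed": seconds, "error": str or None}.
    A failure whose elapsed time sits at the timeout is the pattern the thread
    describes: every GUI request waits on a bind that can never complete.
    A fast failure (connection refused) means the server is reachable but
    not listening, which is a different problem.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            # Force the egress address; port 0 lets the OS pick the source port.
            sock.bind((source_ip, 0))
        sock.connect((host, port))
        return {"ok": True, "elapsed": time.monotonic() - start, "error": None}
    except OSError as exc:
        return {"ok": False, "elapsed": time.monotonic() - start, "error": str(exc)}
    finally:
        sock.close()


def compare_sources(host, port, source_ips, timeout=3.0):
    """Probe the same server from each candidate source address.

    After a CARP cutover, run this with the old interface IP and the address
    the box now egresses from; a source that fails while another succeeds
    points at the AD server or an intermediate firewall rejecting the new
    address rather than at the domain controller itself.
    """
    return {ip: probe_ldap_tcp(host, port, ip, timeout) for ip in source_ips}


def demo_against_local_stand_in():
    """Exercise the probe offline against a throwaway local listener standing
    in for the AD server (constructed for this example), plus a closed port to
    show the fast-fail case. Returns (reachable_result, closed_result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    reachable_port = listener.getsockname()[1]

    # Obtain a port that is currently closed by binding it and releasing it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        good = probe_ldap_tcp("127.0.0.1", reachable_port, source_ip="127.0.0.1")
        bad = probe_ldap_tcp("127.0.0.1", closed_port, source_ip="127.0.0.1")
    finally:
        listener.close()
    return good, bad


if __name__ == "__main__":
    # Offline demonstration first.
    good, bad = demo_against_local_stand_in()
    print("local stand-in listener:", good)
    print("closed local port      :", bad)

    # Real use on the firewall: placeholder hostname and source IPs, replace
    # with your AD server and the LAN addresses involved in the CARP change.
    AD_SERVER = "ad.example.internal"
    CANDIDATE_SOURCES = ["192.0.2.2", "192.0.2.3"]  # constructed placeholders
    for src, result in compare_sources(AD_SERVER, 389, CANDIDATE_SOURCES).items():
        print(f"from {src}: {result}")
```

Run it on the master with the source set to the address the firewall now uses for the bind; if that probe hangs for the full timeout while the backup's address connects, the slowness is the bind timeout, and the fix is either reachability for the new address or, as the original poster found, falling back to the local user database until AD is reachable.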