Netgate Discussion Forum

    Secondary pfSense Crash after CARP Configuration

      Mat1987

      Also been reading that the WAN has to be on the same NIC interface on backup cluster?

      I'm using VMware on both boxes, so does that mean same vSwitch?

        Derelict LAYER 8 Netgate

        Also be sure you remove all the calls to the limiters in the rules.

        Disable state syncing on both nodes and try again. Does it still crash? If so you might be looking at a different problem.

        @Mat1987:

        Also been reading that the WAN has to be on the same NIC interface on backup cluster?

        ALL NICs have to be the same on both nodes in the same order. If WAN is igb0 on the primary, WAN has to be igb0 on the secondary, and so on. Generally not the source of a panic however, just "unexpected" behavior.

        You might want to start again - small, and get WAN+LAN working in a very basic HA pair before moving on to more advanced configurations. They're VMs. It don't cost nothin'.

        Both nodes have to be able to pass multicast between each other.

        Inability to do so will not result in a crash, however, but a MASTER/MASTER split brain issue.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Mat1987

          Thanks

          I think the problem I have is the interfaces aren't the same, so I'll have to try and move stuff around to get the same interface names.

          So it has to be the same physical NIC, it's not based on virtual NIC?

          Mat

            Derelict LAYER 8 Netgate

            An interface has a physical name (em0, re0, igb0, xn0, igb0.1000, lagg2.1001) and an internal name (wan, lan, opt1, opt2, opt3, optX).

            They all have to match exactly on both nodes.

            Use Status > Interfaces to verify.

            This is all covered in detail here: https://portal.pfsense.org/docs/book/highavailability/index.html

            1 Reply Last reply Reply Quote 0
              Mat1987

              @Derelict:

              An interface has a physical name (em0, re0, igb0, xn0, igb0.1000, lagg2.1001) and an internal name (wan, lan, opt1, opt2, opt3, optX).

              They all have to match exactly on both nodes.

              Use Status > Interfaces to verify.

              This is all covered in detail here: https://portal.pfsense.org/docs/book/highavailability/index.html

              Painful lol.

              Internally they are all named the same but physically they're not, so I'll have to change some bits around.

              Few more days of playing then.

                Mat1987

                OK, set up quick test boxes on same host for now. All HA works, however can't ping the LAN Virtual IP until I set the MAC as static on the hosts.

                Now I can ping but it's up and down like a yoyo.

                Any ideas?

                  Derelict LAYER 8 Netgate

                  https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

                    Mat1987

                    @Derelict:

                    https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

                    I have done the

                    Enable promiscuous mode on the vSwitch
                    Enable "MAC Address changes"
                    Enable "Forged transmits"

                    I have VM_Prod for VMs

                    I now have another port group of VM_Prod-PF and changed pfsense LAN to this port group.

                    Same problem though.

                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Request timed out.
                    Request timed out.
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                    Request timed out.
                    Request timed out.

                      Derelict LAYER 8 Netgate

                      Sorry. Runs great under XenServer. Someone else will have to help with VMware. It's certainly something in your virtual environment.

                      Moving to Virtualization.

                        Mat1987

                        Thanks for your help up to now anyway.

                        Anyone had this issue?

                        Can't ping virtual IP until the following is enabled:

                        Enable promiscuous mode on the vSwitch
                        Enable "MAC Address changes"
                        Enable "Forged transmits"

                        Once enabled I start to get ping return but it times out.

                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Request timed out.
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=40ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=56ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=72ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=90ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=2ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                        Request timed out.
                        Request timed out.
                        Reply from 192.168.50.254: bytes=32 time=1ms TTL=64

                          Mat1987

                          Is there anyone who has got this working?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.