Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Secondary Pfsense Crash after CARP Configuration

    Scheduled Pinned Locked Moved
    Virtualization
    5
    21
    2.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Also be sure you remove all the calls to the limiters in the rules.

      Disable state syncing on both nodes and try again. Does it still crash? If so you might be looking at a different problem.

      Also been reading that the WAN has to be on the same NIC interface on backup cluster?

      ALL NICs have to be the same on both nodes in the same order. If WAN is igb0 on the primary, WAN has to be igb0 on the secondary, and so on. Generally not the source of a panic however, just "unexpected" behavior.

      You might want to start again - small, and get WAN+LAN working in a very basic HA pair before moving on to more advanced configurations. They're VMs. It don't cost nothin'.

      Both nodes have to be able to pass multicast between each other.

      Inability to do so will not result in a crash, however, but a MASTER/MASTER split brain issue.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • M
        Mat1987
        last edited by

        Thanks

        I think the problem i have is the interfaces arent the same so ill have to try and move stuff around to get same interface names.

        so it has to be the same physical nic its not based on virtual nic?

        Mat

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          An interface has a physical name (em0, re0, igb0, xn0, igb0.1000, lagg2.1001) and an internal name (wan, lan, opt1, opt2, opt3, optX).

          They all have to match exactly on both nodes.

          Use Status > Interfaces to verify.

          This is all covered in detail here: https://portal.pfsense.org/docs/book/highavailability/index.html

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • M
            Mat1987
            last edited by

            @Derelict:

            An interface has a physical name (em0, re0, igb0, xn0, igb0.1000, lagg2.1001) and an internal name (wan, lan, opt1, opt2, opt3, optX).

            They all have to match exactly on both nodes.

            Use Status > Interfaces to verify.

            This is all covered in detail here: https://portal.pfsense.org/docs/book/highavailability/index.html

            Painful lol.

            Internally they are all named the same but physical there not so ill have to change some bits around.

            few more days of playing then.

            1 Reply Last reply Reply Quote 0
            • M
              Mat1987
              last edited by

              Ok set up quick test boxes on same host for now.  all HA works however cant ping the LAN Virtual IP until i set the MAC as static on the hosts.

              Now i can ping but its up and down like a yoyo.

              Any ideas?

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • M
                  Mat1987
                  last edited by

                  @Derelict:

                  https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

                  I have done the

                  Enable promiscuous mode on the vSwitch
                  Enable "MAC Address changes"
                  Enable "Forged transmits"

                  I have VM_Prod for VMS

                  I now have another port group of VM_Prod-PF and changed pfsense LAN to this port group.

                  Same problem though.

                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Request timed out.
                  Request timed out.
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                  Request timed out.
                  Request timed out.

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Sorry. Runs great under XenServer. Someone else will have to help with VMware. It's certainly something in your virtual environment.

                    Moving to Virtualization.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • M
                      Mat1987
                      last edited by

                      Thanks for your help up to now anyway.

                      Anyone had this issue?

                      Cant ping virtual ip until the following is enabled

                      Enable promiscuous mode on the vSwitch
                      Enable "MAC Address changes"
                      Enable "Forged transmits"

                      Once enabled i start to get ping return but it times out.

                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Request timed out.
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=40ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=56ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=72ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=90ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=2ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64
                      Request timed out.
                      Request timed out.
                      Reply from 192.168.50.254: bytes=32 time=1ms TTL=64

                      1 Reply Last reply Reply Quote 0
                      • M
                        Mat1987
                        last edited by

                        Is there anyone who has got this working?

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post