HA XMLRPC error
-
Aye, we have quite some cluster customers, but never seen that on a Sync interface. The original error is one we have on 1-2 locations, too, though, but nothing with that kind of OOS traffic
-
What not make sense, is i think i have found the problem.
Under System/Routing/Gateways if i disable the Gateway Monitoring the problem gone...What the f**k.
At the sync he checks the interfaces states?I have only 1 public ip, so on my wan interface i have a private ip.
The problem could came from this?
-
I have no idea how you would be getting outbound blocking? It does not do that out of the box - you must of put in a floating rule.
And you prob had something setup to flush states on gateway loss? Not sure why you would setup a gateway on your sync interface?? That makes no sense to do such a thing. What would you even set it too?
-
There are no gw on the sync interface.
I have no floating rule set up.
So this is a big question how realy this ha workes, beacause now i feel the outdate-ed netgate video and setup is a crap. -
Very odd to be sure... I would hope someone with more HA experience could chime in.. While I have setup a HA for play in vm.. Never ran into such blocks..
Is this the video your talking about?
https://www.slideshare.net/NetgateUSA/high-availability-on-pfsense-24-pfsense-hangout-march-2017 -
Nothing magical about XMLRPC sync. It's just a TCP/HTTPS connection to the webgui port on the secondary.
I suppose on the sending node that could happen if something has killed the state.
Do you have state killing on gateway failure enabled in System > Advanced, Miscellaneous?
-
But how/why would it be an outbound block?
-
Sorry I updated ^
-
But I still don't get how it could be an outbound block - that is what the little black arrow thing means.. I have to think there is some setting that are done that are not default..
I don't run HA setup, nor do I have it that setting set.. But seems odd that there could be outbound blocking even on a state kill?
-
If the primary has an open https connection to the secondary and is trying to send the config changes and something kills the state out from under it, it will continue to try to send the data until it times out and quits.
It will be out-of-state like anything else in that case.
# default deny rules block in log inet all tracker 1000000103 label "Default deny rule IPv4" block out log inet all tracker 1000000104 label "Default deny rule IPv4"1000000104 is the outbound default deny so that would log like that.
-
Yeah I get that it is out of state, but it would be logged as an outbound block?? This is what is confusing me..
-
Sorry. updated again lol
-
Ah that is why its block as outbound.. Then..
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
Normally never see outbound blocks.. But if its pfsense itself doing the talking, and the state goes away then that rule would block it since the state is missing. Until the process on pfsense creates a new state by sending syn.
-
Yeah. Everything that was initially set up by the TCP handshake starting with a SYN going out has been blown away so...
-
Ok that makes sense then - thanks. Even though there is a rule that allows pfsense to talk out, it still needs a valid state.
-
So if they are seeing this block - how do they restart the sync process so there is a new state created? I really need to play more with the HA stuff.. Time to fire up some vms and play with the HA setup ;) My understanding of the inner works of that is very lacking - I just have not had need to play with it.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz It will kick off another sync when another change is made or there's a button in Status > Filter Reload (of all places).
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
hehe - that image just got better, I was thinking man derelict must be blind if has fonts/resolution set like that ;) Now it looks normal.. Before it was HUGE ;)
-
@johnpoz It plays pretty nice in VMs. If you decide to lab it and have any questions just shout. Nothing special needed in proxmox.
-
But if the sync is having issues talking to the other side, wouldn't it auto send a new syn?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
