Netgate Discussion Forum

    Sticky connections not working with dual WAN

    Routing and Multi WAN
    65 Posts 7 Posters 14.5k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      I am not saying it's not a bug or that there isn't a problem - I just don't know which specifics pfsense is using to know to keep a connection sticky.. I made a bit of edit addition - on my previous post.

      You can look at it both ways, I don't know exactly what "Once the states for that source expire" means.. Maybe once there has been a fin, that state is no longer looked at - I am not sure..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • TheCableGuy96T
        TheCableGuy96
        last edited by

        Well I'm at a loss as to what to do next.

        I think it comes down to @Derelict needs to advise what further testing I can do or accept it may be a possible bug?

        I hope he replies!

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          I still think he is out for a bit, my understanding is he wouldn't be back for a few more days... So his check into the thread was a bit unexpected to me..

          We can see if @jimp has any advice as well.. This is just a bit out of my comfort level, since I do not use multiple wans in a load balancing setup.. I don't really see the point to it to be honest ;) If you need to load balance, that tells me your connections are undersized ;) hehehe

          I have more experience with this sort of thing on fortinet load balancing to servers behind them, and how their sticky connections work.. And even then it's not a day to day sort of thing, only get called into consult on issues - normally they give me sniffs to work with and help them figure out what is going wrong ;)

          If you could show state that is clearly active, and then another state being opened - then I would agree that is not how I would understand sticky to work.

          You know who might be good as well would be @stephenw10

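The check johnpoz asks for above (a state that is clearly active while another one is open on the other WAN) can be run over a saved state dump. This is an added example, not code from the thread or from pfSense; the sample lines are constructed, and the `pfctl -ss`-style field layout and the interface names `igb0`, `igb1` and `igb2` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `pfctl -ss` output from a NAT firewall.
# Interface names (igb0/igb1 = WANs, igb2 = LAN), addresses and the exact
# field layout are assumptions of this sketch; adjust the regex to your dump.
SAMPLE_STATES = """\
igb2 tcp 192.168.1.50:50112 -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:61001 (192.168.1.50:50112) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
igb2 tcp 192.168.1.50:50113 -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
igb1 tcp 192.0.2.7:43920 (192.168.1.50:50113) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:61002 (192.168.1.50:50114) -> 203.0.113.80:443       FIN_WAIT_2:FIN_WAIT_2
igb2 tcp 192.168.1.60:40000 -> 203.0.113.90:443       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:61003 (192.168.1.60:40000) -> 203.0.113.90:443       ESTABLISHED:ESTABLISHED
"""

# NATed egress state: <if> tcp <wan_ip:port> (<lan_ip:port>) -> <dst_ip:port> <state>
NAT_STATE = re.compile(
    r"^(?P<ifname>\S+)\s+tcp\s+\S+\s+\((?P<lan_ip>[\d.]+):\d+\)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):\d+\s+(?P<state>\S+)$"
)


def split_sources(state_dump, wan_ifs, active_only=True):
    """Return {(lan_ip, dst_ip): [wan interfaces]} for pairs leaving via more than one WAN."""
    seen = defaultdict(set)
    for line in state_dump.splitlines():
        m = NAT_STATE.match(line.strip())
        if not m or m["ifname"] not in wan_ifs:
            continue  # LAN-side state, non-TCP, or not a WAN interface
        if active_only and m["state"] != "ESTABLISHED:ESTABLISHED":
            continue  # ignore states that are already closing
        seen[(m["lan_ip"], m["dst_ip"])].add(m["ifname"])
    return {pair: sorted(ifs) for pair, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    for (lan, dst), ifs in split_sources(SAMPLE_STATES, {"igb0", "igb1"}).items():
        print(f"{lan} -> {dst} is active on {', '.join(ifs)} at the same time")
```

A pair reported here has established states on both WANs at once, which is the evidence asked for; a pair that only appears on a second WAN after its earlier states have gone needs the stickiness timeout considered as well.
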
          • TheCableGuy96T
            TheCableGuy96 @johnpoz
            last edited by

            @johnpoz I don't deny my upload is undersized for my needs... it's the best I can get at the moment though until they upgrade the infrastructure around here. It has many other advantages though such as redundancy.

            Hopefully one of the people you tagged can chip in :)

            I do appreciate all the help so far... thanks pal!

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              Sure, failover I get, but that wouldn't need to be in a load balancing setup to do that ;) heheh

              What I would suggest is try and validate if this other connection is being created after original state is closed.. You could just sniff on your client.. Do you see or send a fin at any time?

              And that is when the wan changes.

              • TheCableGuy96T
                TheCableGuy96 @johnpoz
                last edited by

                It's getting a bit above me this now which is why I was hoping I could let you teamviewer in and maybe take a look?

                You'd have all the answers in 5 minutes rather than going back and forth through this monkey ;)

                • N
                  netblues @TheCableGuy96
                  last edited by

                  @Daskew78 You shouldn't really care about states being closed when you have a stickiness of 1200.

                  As documentation says, if you have stickiness 0, then load balancing path is re-evaluated when connections are closed. (and we could discuss if this means fin wait etc)
                  But stickiness of 1200 means 1200 seconds AFTER the connection is closed, if a new request comes from the same ip to the same host it will leave from the same gateway.

                  I insist. stickiness works fine on multiwan ssl load balancing scenario.
                  And consider this workaround too
                  https://redmine.pfsense.org/issues/6025

                  quoting
                  Also of note, when the weights differ, even though the gateways have a specific order with repetition in the rule, pf seems to still flip back and forth, though the general ratio of the weights is respected. For example with WAN1=3, WAN2=2:

                  I had the same issues as you do until I made 2 the default weight on both load balancing connections.

                  Deeper issues are suspected, as redmine says.
                  Please consider testing the workaround.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Yeah sure seems that issue is exactly what you're seeing... I would do what @netblues says and that should fix up your issue I would hope.

                    • TheCableGuy96T
                      TheCableGuy96
                      last edited by

                      @netblues @johnpoz

                      Thanks guys... I've had a read through but it's all a little confusing to me.

                      Can you just clarify you are suggesting setting both connections to "Tier 2" instead of "Tier 1" on the LoadBalancing profile?

                      Cheers.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Yup..

                        • TheCableGuy96T
                          TheCableGuy96
                          last edited by

                          Well if that's the case it is a bug then. But at least there appears to be a workaround.

                          I'll test it now, cheers again :)

                          • N
                            netblues @TheCableGuy96
                            last edited by

                            @Daskew78 nope
                            We suggest to put a weight of 2 on both gateways and load balance them as both tier 1.
                            with a stickiness of 2500

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz

                              As you see yes there is a redmine on it ;)

                              Currently targeted at 2.5 - but it's been pushed many times already.. So wouldn't expect... This thread could get added to that redmine I would think.. Might put a bit more weight on looking into it.

                              • TheCableGuy96T
                                TheCableGuy96
                                last edited by

                                Sorry I spoke a little too soon.... should I also set the sticky connections back to "0"?

                                • N
                                  netblues @TheCableGuy96
                                  last edited by netblues

                                  @Daskew78 NO, it won't work on web banking sites

                                  • TheCableGuy96T
                                    TheCableGuy96
                                    last edited by

                                    Sorry I was replying too fast and missed your update about setting the states to 2500.

                                    I have set it to 2500 and set each gateway to Tier 1 but I can't see where I set a weight of 2? Where is the weight setting?

                                    • RicoR
                                      Rico LAYER 8 Rebel Alliance
                                      last edited by

                                      System > Routing > Edit Gateway > Display Advanced > Weight

                                      -Rico

                                      • TheCableGuy96T
                                        TheCableGuy96
                                        last edited by

                                        Ahhh thank you.... I'm testing now... will update shortly :)

                                        • N
                                          netblues
                                          last edited by

                                          Remember to clear states and source tracking.

                                          • TheCableGuy96T
                                            TheCableGuy96
                                            last edited by

                                            Yeah I cleared both, closed all browsers and tried again on 2 personal servers with single IPs and banking but it's still happening.

                                            I must admit it doesn't seem to be happening as much but it is still happening.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.