Can't Upgrade from 2.2.6 in HA environment?

  • This is my first upgrade since purchasing this HA pair - currently running 2.2.6.  Everything works as expected with CARP so I decided that it was time to update to the latest.

According to this doc:  I should upgrade the secondary unit first, then once it comes up, disable CARP and run on the secondary just to make sure it's ok, then upgrade the primary and let CARP take over once it's online.  While my primary unit shows "Update available. Click here to view.", my secondary unit does not - it just says "unable to check for updates".  When I go to system->firmware->auto update, I get more of the same:

    Downloading new version information…done
    Unable to check for updates.
    Could not contact pfSense update server


    The most common slip-up with HA in that case is an improper outbound NAT rule. If you made an outbound NAT rule with a source of Any/* to NAT to the CARP VIP on WAN that would also match traffic from the firewall itself. In the case of the secondary, it means it cannot receive any reply traffic since it will NAT to the CARP VIP and the replies would go to the primary.

    There are a few ways around that, or alternate possible causes, but that is the #1 suspect given the symptoms.
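The matching problem described in the reply above can be shown with a small first-match model of pf's outbound NAT evaluation (pf applies the first `nat` rule that matches, not the last). This is an added example, not code from the original thread or from pfSense itself; the addresses (203.0.113.0/24 for WAN, 192.168.1.0/24 for LAN), the interface name `em0` and the three rulesets are constructed for illustration, and the `no nat` entry corresponds to a "Do not NAT" outbound rule placed above the catch-all.

```python
"""
First-match outbound NAT simulation for a pfSense-style HA pair.

Added example for this thread, not pfSense code. All addresses below are
constructed (RFC 5737 documentation ranges) and the WAN interface name "em0"
is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

WAN_IF = "em0"
PRIMARY_WAN = ip_address("203.0.113.203")    # constructed, mirrors ".203"
SECONDARY_WAN = ip_address("203.0.113.205")  # constructed, mirrors ".205"
CARP_VIP = ip_address("203.0.113.204")       # constructed, mirrors ".204"
LAN_NET = ip_network("192.168.1.0/24")       # constructed LAN subnet
ANY = ip_network("0.0.0.0/0")                # "Any/*" in the outbound NAT GUI


@dataclass(frozen=True)
class NatRule:
    interface: str
    source: IPv4Network                   # source network the rule matches
    translate_to: Optional[IPv4Address]   # None models a "no nat" (Do not NAT) rule


@dataclass(frozen=True)
class Packet:
    out_interface: str
    src: IPv4Address


def apply_outbound_nat(rules: List[NatRule], pkt: Packet) -> IPv4Address:
    """pf evaluates nat rules top-down; the first matching rule decides."""
    for rule in rules:
        if rule.interface == pkt.out_interface and pkt.src in rule.source:
            return pkt.src if rule.translate_to is None else rule.translate_to
    return pkt.src  # no rule matched: source leaves untranslated


# The slip-up from the thread: source Any/* translated to the CARP VIP.
# This also matches packets the firewall itself originates from its WAN address.
BAD_RULES = [NatRule(WAN_IF, ANY, CARP_VIP)]

# Fix 1: only the internal subnet is translated to the VIP; the node's own
# WAN-sourced traffic (update checks, DNS, ping) falls through untranslated.
GOOD_RULES = [NatRule(WAN_IF, LAN_NET, CARP_VIP)]

# Fix 2: keep the catch-all but put a "Do not NAT" rule for the node's own
# WAN address above it. First match wins, so the catch-all never sees it.
NO_NAT_FIRST = [
    NatRule(WAN_IF, ip_network(f"{SECONDARY_WAN}/32"), None),
    NatRule(WAN_IF, ANY, CARP_VIP),
]


def egress_source(rules: List[NatRule], src: str) -> str:
    """Address a packet from `src` carries when it leaves the WAN interface."""
    return str(apply_outbound_nat(rules, Packet(WAN_IF, ip_address(src))))


def reply_reaches_secondary(rules: List[NatRule]) -> bool:
    """Replies return to the address the packet left with. While the secondary
    is in BACKUP state the primary answers ARP for the VIP, so a reply to the
    VIP never reaches the secondary."""
    out = apply_outbound_nat(rules, Packet(WAN_IF, SECONDARY_WAN))
    return out == SECONDARY_WAN


if __name__ == "__main__":
    for name, rules in (("bad", BAD_RULES), ("lan-only", GOOD_RULES), ("no-nat-first", NO_NAT_FIRST)):
        print(f"{name:13s} secondary {SECONDARY_WAN} -> {egress_source(rules, str(SECONDARY_WAN))}; "
              f"LAN host -> {egress_source(rules, '192.168.1.50')}; "
              f"secondary gets replies: {reply_reaches_secondary(rules)}")
```

On a real box the equivalent check is to look at the loaded translation rules with `pfctl -sn` on the secondary and confirm that no `nat on <wan>` rule with `from any` sits above whatever should exempt the node's own address; then test from the node itself with `ping -S <secondary WAN IP> <internet host>`.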

  • I do have a NAT rule with the LAN source (firewall IPs included) to go out via the CARP VIP.  So does that mean I need to change this every time I do an upgrade, or should I just put in a static rule for the real LAN IP of each firewall to use the appropriate WAN IP?

    It should only affect things if it matches the WAN IP address, not LAN.

    Maybe you don't have DNS setup on the secondary? Or maybe no gateway selected on the WAN interface?

  • I have both.  I think I know what's going on - my provider (upstream) is pointing all traffic at the WAN CARP VIP, so while it goes outbound, its return path is sending it back to the WAN CARP VIP rather than the secondary unit.  Since this is what's recommended per the HA documentation, what is the workaround for this?

    Normally each unit has its own separate WAN IP Address, plus the shared CARP address. The secondary should still be able to reach outbound from its own WAN IP address, it's not usually a problem.

  • They do - Primary is at .203, Secondary is at .205 - CARP is at .204 and I have the provider sending all traffic to the .204 address.

    Can the secondary ping out to an Internet host by IP address at all? Maybe or

  • No it can't, but I wouldn't expect it to, since all replies destined for the WAN address would be routed to the CARP VIP, which isn't active when it's in backup mode?

    No. Its own IP address has nothing to do with CARP directly and should always have connectivity.

  • I checked with my host and everything is routed correctly.  Am I not seeing something in my NAT setup (hybrid mode):

  • Anybody?

    Pretty much impossible to say with you obfuscating all the addresses. Details matter when you're asking for help.

    You seem to have a fundamental misunderstanding about how things work.

    Your ISP should not care if connections outbound come from either node's WAN address or the CARP VIP. They should all be equally-routable as far as they are concerned. If that is not the case you should take it up with your ISP.

  • I mask the addresses for a reason - I have been in IT for nearly 20 years now and I've seen my share of script kiddies and wanna-bes who troll sites like this looking for "inside information".  This is the first forum where I've ever seen it be a problem in solving an issue.  So here is the information you're looking for…you can tell me if it helps, but I'm guessing probably not?

    I apologize for my mis-explanation of the routing - the WAN is a single block of 3 usable IPs consisting of each WAN IP and the CARP VIP.  Then I have a ton of 1-to-1 mappings going on for several other IP blocks, and all of those are routed to the CARP VIP...the 3 IPs on the WAN side are routed to themselves (Primary to Primary, Secondary to Secondary and CARP VIP to CARP VIP).  I have not only confirmed this routing with my host, but they also told me they are getting no ARP replies from the secondary box either...

