Preventing UCARP from taking over on boot

  • Greetings all,

    We have a pair of pfSense firewalls running 2.1.5 in an HA configuration (via UCARP) that need upgraded to 2.4.2P1.  I have been testing the upgrade procedure in the lab, and learned we need three separate upgrade cycles to get from 2.1.5 to 2.4.2P1 (first 2.1.5 to 2.3.5, then 2.3.5 to 2.4.2, then 2.4.2 to 2.4.2P1).  Upgrading the standby is no problem as the primary will continue to hold the VIPs until the complete upgrade is done.

    However, once the primary is upgraded from 2.1.5 to 2.3.5, it will reboot and acquire the VIPs again.  This causes a small IP outage until I go and disable the VIPs in the WebGUI.  The same event happens when going from 2.3.5 to 2.4.2.

    Is there a (hidden) option somewhere to prevent UCARP from running on boot?  I would like to completely disable UCARP on the primary until all the upgrades are complete, then allow it to take over the VIPs.  I tried adding "net.inet.carp.allow=0" to /etc/sysctl.conf file on the master but it still started UCARP and grabbed the VIPs on boot.

    For what it's worth, the "Enter Persistent CARP Maintenance Mode" option is NOT available on 2.1.5, thus the primary will take over the VIPs on boot.


  • LAYER 8 Netgate

    Then get upgraded and you will have persistent maintenance mode. Sorry it doesn't exist on that ancient version.

    You could take a configuration backup, take the node offline (as in unplugged from the network), reinstall fresh using the 2.2.6 LiveCD or memstick image from here:

    (This would be a GREAT opportunity to switch to amd64 if you are on i386)

    Restore the backup config

    Set CARP Maintenance mode (It was introduced in 2.2)

    Reconnect the node.

    From there you can use maintenance mode for the remaining upgrades.

  • Thanks for the suggestion!  I thought about your idea the other day (config backup; fresh install with 2.3.5; config restore) but was hoping there was an easier way.

    Really appreciate the fast reply.

  • LAYER 8 Netgate

    In all honesty, I would go to 2.2.6 first.

    It is much more tolerant of being installed with the WAN disconnected.

    After you can do it in Maintenance mode with the WAN connected the other upgrades will go a lot smoother.

Log in to reply