    CARP Died after upgrade from 2.3.3 to 2.4.3

    • L
      lambodad last edited by

      I have read almost every post regarding this. I was about to resurrect this thread because the same applies to me: https://forum.pfsense.org/index.php?topic=139097.0

      I have checked and rechecked all of my settings and have done fresh installs and restored the config, and CARP stops working.

      I can ping the master and slave from each other, and the slave can connect to the master on the webgui 443 port, but I cannot access port 443 from the master to the slave… Just to test, I can connect to port 80 from the master to the slave, so there is something going on with the port.

      1. The HA is on its own interface
      2. Same version of PF on each
      3. No gateway configured
      4. Completely open Firewall on this interface (All ports open)
      5. Both have the same port configured for the WebInterface HTTPS (443)
      6. The routers are connected directly together for the OPT1/Interface used just for Sync
      7. I have tried changing the IP address (Master is 172.16.0.1/29 and Slave is 172.16.0.2/29.... recently tried changing it to 172.16.0.4/29)
      8. There aren't any authentication errors and I am using the Admin root to connect. The Master has the XMLRPC Sync filled in to the slave IP 172.16.0.4. The Slave only has the State Synchronization Settings set.
      9. This was all working fine up until the upgrade

      The exact error is:

      A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://172.16.0.2:443. Error: Operation timed out @ 2018-04-10 14:30:56

      Thanks for any suggestions!

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        It can't connect to the secondary.

        Can you ping it?

        Can you use Diagnostics > Test port on TCP/443 to it? Does it respond?

        Is the web gui on the secondary configured to listen on that port?

        • L
          lambodad last edited by

          Yes, I thought that was clear: I can ping, but I cannot access the port from the master to the slave, but can from the slave to the master. I can access any other port from the master to the slave. Yes, both are on the same GUI port 443.

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            I am talking about that specific sync address:

            172.16.0.2

            If you can ping that but cannot connect TCP/443, then you need to figure out why, such as firewall rules on the secondary or webgui configuration on the secondary.

            I suppose it could also be something somewhere else that is responding to the pings. You need to consider all other possibilities, since if it was correct it would be working.

            Another mistake people make is having an incorrect username and password between the two and getting the primary added to the sshlockout table on the secondary. You can look for that on Diagnostics > Tables on the secondary (or the firewall logs). Clear the table and fix the problem. That only blocks TCP connections, so ping will still work but XMLRPC sync will not.

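The checks suggested above separate ICMP reachability from TCP reachability. As an added example (not part of the original posts, and not pfSense code), this script makes one TCP connection attempt per port and reports whether it was accepted, refused, or timed out; the function names and hint wording are illustrative, and the default address and ports are the ones quoted in the thread.

```python
import errno
import socket
import sys

# What each outcome suggests, in terms of the checks raised in the thread.
HINTS = {
    "open": "listener reachable; the failure is above TCP (TLS or credentials)",
    "refused": "peer sent RST: nothing listens on that port, or a rule rejects",
    "timeout": "SYN unanswered: dropped by a rule or lockout table, or wrong host",
    "unreachable": "no route or no ARP reply: check interface and addressing",
    "error": "unexpected socket error",
}


def classify(exc):
    """Map the exception raised by connect() to an outcome label."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and return the outcome label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def compare(host, ports=(80, 443), timeout=3.0):
    """Probe several ports on one host so a per-port block stands out."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Default is the sync address quoted in the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.0.2"
    for port, outcome in compare(target).items():
        print(f"{target}:{port} -> {outcome}: {HINTS[outcome]}")
```

A timeout on 443 alongside a different result on 80, as reported in the thread, points to per-port filtering on the path or on the secondary rather than a missing listener, which would normally answer with a reset.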
            • L
              lambodad last edited by

              Yes, I can ping that specific IP. I have checked the firewall and it is completely open. I even created specific rules along with everything open, and tried copying the same rule that was there before the upgrade (completely open). It seems to be just that port, since I can connect/test port 80, but I don't want to change the GUI connection from being unsecure. I checked the tables and there are no lockouts either.

              Thanks for the help/suggestions
