Netgate Discussion Forum

    CARP Died after upgrade from 2.3.3 to 2.4.3

    HA/CARP/VIPs
    5 Posts 2 Posters 1.0k Views
    lambodad

      I have read almost every post regarding this. I was about to resurrect this thread because the same applies to me: https://forum.pfsense.org/index.php?topic=139097.0

      I have checked and rechecked all of my settings and have done fresh installs and restored the config, and CARP stops working.

      I can ping the master and slave from each other, and the slave can connect to the master on the web GUI port 443, but I cannot access port 443 from the master to the slave. Just to test, I can connect to port 80 from the master to the slave, so there is something going on with the port.

      1. The HA is on its own interface.
      2. Same version of pfSense on each.
      3. No gateway configured.
      4. Completely open firewall on this interface (all ports open).
      5. Both have the same port configured for the web interface HTTPS (443).
      6. The routers are connected directly together on the OPT1 interface used just for sync.
      7. I have tried changing the IP address (master is 172.16.0.1/29 and slave is 172.16.0.2/29; recently tried changing it to 172.16.0.4/29).
      8. There aren't any authentication errors, and I am using the admin root to connect. The master has the XMLRPC Sync filled in with the slave IP 172.16.0.4. The slave only has the State Synchronization Settings set.
      9. This was all working fine up until the upgrade.

      The exact error is:

      A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://172.16.0.2:443. Error: Operation timed out @ 2018-04-10 14:30:56

      Thanks for any suggestions!

      Derelict (LAYER 8, Netgate)

        It can't connect to the secondary.

        Can you ping it?

        Can you use Diagnostics > Test port on TCP/443 to it? Does it respond?

        Is the web gui on the secondary configured to listen on that port?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        lambodad

          Yes, I thought that was clear: I can ping, but I cannot access the port from the master to the slave, though I can from the slave to the master. I can access any other port from the master to the slave. Yes, both are on the same GUI port, 443.

          Derelict (LAYER 8, Netgate)

            I am talking about that specific sync address:

            172.16.0.2

            If you can ping that but cannot connect TCP/443 then you need to figure out why. Such as firewall rules on the secondary or webgui configuration on the secondary.

            I suppose it could also be something somewhere else that is responding to the pings. You need to consider all other possibilities since if it was correct it would be working.

            Another mistake people make is having an incorrect username and password between the two and getting the primary added to the sshlockout table on the secondary. You can look for that on Diagnostics > Tables on the secondary (Or the firewall logs). Clear the table and fix the problem. That only blocks TCP connections so ping will still work but XMLRPC sync will not.

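            The two checks Derelict suggests (a TCP connect to the secondary's sync address, and a look at the sshlockout table) can be run from a shell on the primary without the web GUI. The script below is an added example, not code from the thread or from pfSense. It uses the addresses from the thread (172.16.0.1 primary, 172.16.0.2 secondary, TCP/443) as constants, reads the live table with `pfctl -t sshlockout -T show` when pfctl is available, and otherwise falls back to a constructed sample of that command's output. The point of `tcp_probe` is that "ping works" tells you nothing about TCP: a SYN silently dropped by pf shows up as a timeout (which is what the XMLRPC error reports), whereas a port with no listener is refused immediately.

```python
"""
Added example (not from the forum thread or from pfSense): reproduce the
checks suggested in the thread from the command line.

  1. tcp_probe(): a TCP connect test to the secondary's sync address that
     tells "open" from "refused" from "timeout". ICMP reachability says
     nothing about this; the original error ("Operation timed out") points
     at a filtered SYN, not at a closed port.
  2. is_locked_out(): check pfctl's sshlockout table for the primary's
     address, which is what blocks TCP but leaves ping working.

Addresses and port are the ones quoted in the thread. The sshlockout text
at the bottom is a constructed sample in the one-entry-per-line format that
`pfctl -t sshlockout -T show` prints.
"""
import socket
import subprocess

PRIMARY = "172.16.0.1"     # primary's sync address (from the thread)
SYNC_PEER = "172.16.0.2"   # secondary's sync address (from the thread)
GUI_PORT = 443             # web GUI / XMLRPC sync port on both nodes


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"           # a listener answered the SYN
    except socket.timeout:
        return "timeout"        # SYN dropped: filter, state or ARP problem
    except ConnectionRefusedError:
        return "refused"        # host reachable, nothing listening there
    except OSError:
        return "unreachable"    # no route / interface down
    finally:
        s.close()


def parse_pf_table(output: str) -> set:
    """Parse `pfctl -t <table> -T show` output (one indented entry per line)."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def is_locked_out(table_output: str, addr: str) -> bool:
    """True if addr appears verbatim in the table listing."""
    return addr in parse_pf_table(table_output)


def read_sshlockout() -> str:
    """Read the live table on a pfSense/FreeBSD box; '' where pfctl is absent."""
    try:
        return subprocess.run(["pfctl", "-t", "sshlockout", "-T", "show"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


# Constructed sample output: what the secondary would show if the primary
# had been added after repeated failed GUI/SSH logins.
SAMPLE_SSHLOCKOUT = """\
   172.16.0.1
   203.0.113.7
"""

if __name__ == "__main__":
    print("sync peer TCP/%d: %s" % (GUI_PORT, tcp_probe(SYNC_PEER, GUI_PORT)))
    print("sync peer TCP/80:  %s" % tcp_probe(SYNC_PEER, 80))
    table = read_sshlockout() or SAMPLE_SSHLOCKOUT
    if is_locked_out(table, PRIMARY):
        print("%s is in sshlockout on this node; clear it with: "
              "pfctl -t sshlockout -T delete %s" % (PRIMARY, PRIMARY))
    else:
        print("%s is not in sshlockout" % PRIMARY)
```

Run it on the secondary to check the lockout table, and on the primary to probe the secondary; a result of `timeout` on 443 alongside `open` on 80 is the pattern described in this thread and narrows the problem to something dropping that one port (rules, a stale state, or the GUI not bound to that port) rather than to reachability.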
            lambodad

              Yes, I can ping that specific IP. I have checked the firewall and it is completely open. I even created specific rules along with everything open, and tried copying the same rule that was there before the upgrade (completely open). It seems to be just that port, since I can connect to / test port 80, but I don't want to change the GUI connection to be insecure. I checked the tables and there are no lockouts either.

              Thanks for the help/suggestions

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.