Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    High Availibility Failover stops SSH Session

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    2
    5
    876
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by A Former User

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        @vadim1 said in High Availibility Failover stops SSH Session:

        On the Backup Firewall pfsync is activated and the IP of Primary is there.

        Assumed to be active on the primary as well?

        How about you post the actual states on the backup instead of saying has the same output.

        If those are private addresses there is zero reason to obfuscate.

        Are both hosts set to use the CARP VIP as their default gateways?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          @derelict said in High Availibility Failover stops SSH Session:

          @vadim1 said in High Availibility Failover stops SSH Session:

          On the Backup Firewall pfsync is activated and the IP of Primary is there.

          Assumed to be active on the primary as well?

          How about you post the actual states on the backup instead of saying has the same output.

          If those are private addresses there is zero reason to obfuscate.

          Are both hosts set to use the CARP VIP as their default gateways?

          Hi Derelict,

          sorry for the delay, i was in holiday.

          1. Yes, pfsync is active on the primary.
          2. I changed the post so you can see the actual states.
          3. Yeah, you are right, i am not sure, why i was obfuscating them.
          4. On the DHCP Server the CARP VIP is set as the gateway, also the hosts have a route, but running traceroute from the host to e.g. google.com, it shows me the IP of the Firewall not the CARP VIP.
          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by Derelict

            @vadim1 said in High Availibility Failover stops SSH Session:

            VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
            VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 619.731 K / 619.733 K 34.29 MiB / 34.29 MiB

            Those states are DHCP failover connections between the two firewalls and don't show anything about the SSH problems you are reporting.

            If the DHCP servers are both set correctly (that setting should sync from primary to secondary), what do the clients report as their default gateway?

            Generally, with pfsync running, if the clients are set to use the CARP VIP as their default gateway and outbound NAT for that client network uses the WAN CARP VIP for outbound NAT, then they will have synced states and a failover will not break the client connections.

            Looking at the states will not show the default gateway used but will show the outbound NAT used (if it is necessary to NAT).

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            ? 1 Reply Last reply Reply Quote 0
            • ?
              A Former User @Derelict
              last edited by

              @derelict said in High Availibility Failover stops SSH Session:

              @vadim1 said in High Availibility Failover stops SSH Session:

              VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 619.731 K / 619.733 K 34.29 MiB / 34.29 MiB

              Those states are DHCP failover connections between the two firewalls and don't show anything about the SSH problems you are reporting.

              before failover
              Primary
              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.598 K / 11.597 K 657 KiB / 657 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B

              BackUp

              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.439 K / 11.438 K 648 KiB / 648 KiB

              after failover

              Primary

              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.765 K / 11.764 K 667 KiB / 667 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B

              BackUp

              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.758 K / 11.757 K 666 KiB / 666 KiB

              If the DHCP servers are both set correctly (that setting should sync from primary to secondary), what do the clients report as their default gateway?

              default via 10.10.231.254 dev ens160 proto dhcp metric 100
              but using traceroute it is going through 10.10.231.253, is it the way it should work or does it has to go through 10.10.231.254?
              traceroute to google.com (172.217.17.238), 30 hops max, 60 byte packets
              1 localhost (10.10.231.253) 0.129 ms 0.157 ms 0.183 ms

              Generally, with pfsync running, if the clients are set to use the CARP VIP as their default gateway and outbound NAT for that client network uses the WAN CARP VIP for outbound NAT, then they will have synced states and a failover will not break the client connections.

              Looking at the states will not show the default gateway used but will show the outbound NAT used (if it is necessary to NAT).

              1 Reply Last reply Reply Quote 0
              • First post
                Last post