    High Availability Failover stops SSH Session

    HA/CARP/VIPs
      A Former User last edited by A Former User

      This post is deleted!
        Derelict LAYER 8 Netgate last edited by

        @vadim1 said in High Availability Failover stops SSH Session:

        On the Backup Firewall pfsync is activated and the IP of Primary is there.

        Assumed to be active on the primary as well?

        How about you post the actual states on the backup instead of saying it has the same output.

        If those are private addresses there is zero reason to obfuscate.

        Are both hosts set to use the CARP VIP as their default gateways?

          A Former User last edited by

          @derelict said in High Availability Failover stops SSH Session:

          @vadim1 said in High Availability Failover stops SSH Session:

          On the Backup Firewall pfsync is activated and the IP of Primary is there.

          Assumed to be active on the primary as well?

          How about you post the actual states on the backup instead of saying it has the same output.

          If those are private addresses there is zero reason to obfuscate.

          Are both hosts set to use the CARP VIP as their default gateways?

          Hi Derelict,

          Sorry for the delay, I was on holiday.

          1. Yes, pfsync is active on the primary.
          2. I changed the post so you can see the actual states.
          3. Yeah, you are right, I am not sure why I was obfuscating them.
          4. On the DHCP server the CARP VIP is set as the gateway, and the hosts have the route, but running traceroute from a host to e.g. google.com shows me the IP of the firewall, not the CARP VIP.
            Derelict LAYER 8 Netgate last edited by Derelict

            @vadim1 said in High Availability Failover stops SSH Session:

            VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
            VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 619.731 K / 619.733 K 34.29 MiB / 34.29 MiB

            Those states are DHCP failover connections between the two firewalls and don't show anything about the SSH problems you are reporting.

            If the DHCP servers are both set correctly (that setting should sync from primary to secondary), what do the clients report as their default gateway?

            Generally, with pfsync running, if the clients are set to use the CARP VIP as their default gateway and outbound NAT for that client network uses the WAN CARP VIP for outbound NAT, then they will have synced states and a failover will not break the client connections.

            Looking at the states will not show the default gateway used but will show the outbound NAT used (if it is necessary to NAT).

              A Former User @Derelict last edited by

              @derelict said in High Availability Failover stops SSH Session:

              @vadim1 said in High Availability Failover stops SSH Session:

              VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 619.731 K / 619.733 K 34.29 MiB / 34.29 MiB

              Those states are DHCP failover connections between the two firewalls and don't show anything about the SSH problems you are reporting.

              before failover
              Primary
              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.598 K / 11.597 K 657 KiB / 657 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B

              BackUp

              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.439 K / 11.438 K 648 KiB / 648 KiB

              after failover

              Primary

              VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.765 K / 11.764 K 667 KiB / 667 KiB
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B

              BackUp

              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
              VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.758 K / 11.757 K 666 KiB / 666 KiB

              If the DHCP servers are both set correctly (that setting should sync from primary to secondary), what do the clients report as their default gateway?

              default via 10.10.231.254 dev ens160 proto dhcp metric 100
              but using traceroute it goes through 10.10.231.253. Is this the way it should work, or does it have to go through 10.10.231.254?
              traceroute to google.com (172.217.17.238), 30 hops max, 60 byte packets
              1 localhost (10.10.231.253) 0.129 ms 0.157 ms 0.183 ms

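The before/after state tables posted above are exactly the evidence this kind of problem needs, but they are easy to misread: pfSense lists a connection once per interface it crossed, and the interesting line is the one that is simply absent on the backup after failover (the 10.10.190.5:17979 -> 10.10.224.1:22 SSH state). The script below is an added example, written for this thread and not pfSense or Netgate code. It parses text pasted from Diagnostics > States in the format shown in this thread, reports states present on the primary but missing on the backup, and, following Derelict's point that the state table shows the outbound NAT used, flags NATed states whose translated source is not the WAN CARP VIP. The failover tables embedded in it are the ones posted above; the two NAT sample lines and the VIP 203.0.113.2 are constructed for illustration, and the assumption that "K" in the packet column means 10^3 is marked in the code.

```python
"""Diff pfSense state-table dumps from an HA pair.

Added example for this thread; not pfSense/Netgate code. Input is the text
pasted from Diagnostics > States, one state per line:

    IFACE PROTO SRC[:PORT] [(NAT[:PORT])] -> DST[:PORT] STATE PKTS / PKTS BYTES / BYTES
"""
import re
from collections import defaultdict

# The "(nat)" group is optional: the GUI shows it only when outbound NAT rewrote
# the source address, so it is the one place the state table reveals whether a
# connection is NATed to the WAN CARP VIP or to a node's own interface address.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?:\((?P<nat>[^)]*)\)\s+)?"
    r"(?P<arrow>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<pkts_in>\S+(?: [KMG])?) / (?P<pkts_out>\S+(?: [KMG])?)\s+"
    r"(?P<bytes_in>\S+ \S+) / (?P<bytes_out>\S+ \S+)\s*$"
)

# Scaling assumption: K/M/G in the packet column are taken as 10^3/10^6/10^9;
# the byte column carries explicit KiB/MiB/GiB units.
_UNITS = {"": 1, "B": 1, "K": 10**3, "M": 10**6, "G": 10**9,
          "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3}


def _to_number(text):
    """'619.731 K' -> 619731, '14 KiB' -> 14336, '0' -> 0."""
    parts = text.split()
    unit = parts[1] if len(parts) > 1 else ""
    return int(round(float(parts[0]) * _UNITS[unit]))


def parse_states(dump):
    """Map (proto, src, dst) -> list of entries; lines that are not states are skipped.

    One key usually has two entries (one of them often with 0/0 counters)
    because pfSense lists a connection once per interface it crossed.
    """
    states = defaultdict(list)
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["packets"] = _to_number(m["pkts_in"]) + _to_number(m["pkts_out"])
        states[(entry["proto"], entry["src"], entry["dst"])].append(entry)
    return states


def unsynced_states(primary_dump, backup_dump):
    """Keys present on the primary but absent on the backup: pfsync did not
    carry them, so a failover will drop those connections."""
    backup = parse_states(backup_dump)
    return sorted(k for k in parse_states(primary_dump) if k not in backup)


def states_not_natted_to(dump, vip):
    """Keys of NATed states whose translated source address is not `vip`.

    Such states are bound to one node's own address and cannot survive a
    failover even when pfsync copies them to the other node."""
    bad = set()
    for key, entries in parse_states(dump).items():
        for e in entries:
            if e["nat"] and e["nat"].rsplit(":", 1)[0] != vip:
                bad.add(key)
    return sorted(bad)


# The "after failover" tables posted in this thread, verbatim.
PRIMARY_AFTER = """
VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.765 K / 11.764 K 667 KiB / 667 KiB
VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
"""
BACKUP_AFTER = """
VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.758 K / 11.757 K 666 KiB / 666 KiB
"""

# Constructed sample (not from the thread): two NATed states, one translated to
# the assumed WAN CARP VIP 203.0.113.2, the other to a node address 203.0.113.5.
NAT_SAMPLE = """
WAN tcp 10.10.231.10:40000 (203.0.113.2:40000) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED 12 / 10 2 KiB / 5 KiB
WAN tcp 10.10.231.11:40001 (203.0.113.5:40001) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED 9 / 8 1 KiB / 3 KiB
"""

if __name__ == "__main__":
    for key in unsynced_states(PRIMARY_AFTER, BACKUP_AFTER):
        print("missing on backup:", *key)
    for key in states_not_natted_to(NAT_SAMPLE, "203.0.113.2"):
        print("NAT not via CARP VIP:", *key)
```

Run it against a paste of both nodes' state tables taken while the connection is up; anything it lists as missing on the backup is a connection pfsync is not protecting, and anything NATed to an address other than the WAN CARP VIP points at the outbound NAT rules rather than at pfsync.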