HA Restrictions XG-7100-U
-
Recently received a pair of XG-7100-U's. I wanted to set up HA on them but there is a warning in the I/O Port section:
*High Availability (HA) can be used, but currently there is one restriction when it comes to configuring switchports for HA. Because the uplinks from the switch to the SoC are always up, failover is only effective in scenarios where a system completely dies. If a single switch interface goes down, CARP will not be able to detect this properly so the PRIMARY will remain PRIMARY on any switch interfaces that drop link.
The SECONDARY will also consider itself PRIMARY of the network associated to the switch link that dropped. In this situation, LAN clients will likely go through the SECONDARY but will not be able to get online if NAT is utilized with a WAN CARP IP. It’s possible to NAT to the WAN interface IP to get around this but it can cause state issues during failover.*
Is it possible to use the non-switchport (SFP) interfaces as my WAN and LAN links and 1 of the 'switchport' links as my failover between the 2? Will this configuration be a workaround for the restriction? I need the secondary pfsense to fail over if an interface goes down and not the whole system. Or is this just a bug in the 7100-U and there is nothing we can do?
-
Interesting, wasn't aware of that warning.
It looks like the 7100 has two fiber ports plus an 8 port switch?
Generally the interfaces on pfSense can be configured however you want. So if I'm following this correctly, you could have one fiber WAN, one fiber LAN, and then use the switched ports for the pfSync interface.
-
@joelt said in HA Restrictions XG-7100-U:
Is it possible to use the non-switchport (SFP) interfaces as my WAN and LAN links and 1 of the 'switchport' links as my failover between the 2? Will this configuration be a workaround for the restriction? I need the secondary pfsense to fail over if an interface goes down and not the whole system. Or is this just a bug in the 7100-U and there is nothing we can do?
We are working on ways of making the 7100 and 3100 switch ports more compatible with HA. 2.4.4 gets closer as it can tie the status of an interface to the status of a switch port, but it does not yet also trigger a CARP event when doing so.
-
@teamits
This is what support has suggested and I will be doing that. THANKS! From support:
*ix0 and ix1 will sense interface down/up as they are discrete router interfaces. SYNC on the switchport will not, but as it is not a CARP interface used to determine MASTER/BACKUP status (no CARP VIP on it) that will not affect the performance of the HA pair and it will fail over normally. You would not want a failover event if the SYNC interface is disconnected anyway.
If you reassign the LAN interface to one of the ix interfaces, you should simply be able to create a new interface for SYNC using the lagg0.4091 interface that should be available for use/assignment after reassigning LAN to ix0 or ix1.
Then just number and add the firewall rules to the SYNC interfaces on each side as usual. The default switch configuration should be adequate.*