communications-interrupted in Failover group



  • hello

    My current setup has 2x pfSense in HA.

    I got something that I don't know if it is normal or not in Status -> DHCP Leases -> Pool Status

    (screenshot attached)

    Any suggestions?

    EDIT:
    Communications error occurred

    A communications error occurred while attempting to call XMLRPC method restore_config_section: @ 2018-11-28 12:43:41
    A communications error occurred while attempting to call XMLRPC method restore_config_section: @ 2018-11-28 12:44:41


  • Anyone?



  • Not normal, as 'My State' suggests.
    Verify the settings; they should be the same, except for the failover peer, which should be the IP of the other box, on the listening interface. If everything looks good, stop the DHCP service on both boxes, start on the master, then start on the backup.



  • @dotdash Hello
    I did as you suggested; all was looking normal.
    My VIP is xx.xx.xx.1
    My Master is xx.xx.xx.2
    My Backup is xx.xx.xx.3

    Each interface has the following config:
    DNS servers: because I use pfSense Unbound, all the same, xx.xx.xx.1
    Gateway: also xx.xx.xx.1
    Failover peer IP on Master: xx.xx.xx.3
    Failover peer IP on Backup: xx.xx.xx.2

    Then I stopped and started the DHCP service as you suggested, and I am still getting the same in "My State".

    I have tested by adding rules on the Master; the rules seem to appear on the Backup as well.
    Don't see any problem there.

    Thank you



  • OK, it is all back to normal now. I don't know what I did exactly, but "My State" is normal.

    Somehow, when I disconnect the Master, all traffic should go through the Backup almost unnoticed by the hosts, but it is not happening.

    Here is what I did for NAT Outbound:

    I put all interfaces except the loopback onto my WAN VIP address, like so:

    (screenshot attached)


  • Netgate

    You'll probably need to post the DHCP Server pages on both nodes.

    The communication between the DHCP servers occurs on the interface DHCP is running on. It has nothing to do with outbound NAT, the sync interface, or anything like that.

    There are automatic rules placed in the firewall to pass this traffic between the nodes on that interface on ports TCP/UDP 519 and 520:

    # allow access to DHCP failover on LAN from 172.25.236.3
    pass in  quick on $LAN proto { tcp udp } from 172.25.236.3 to 172.25.236.2 port = 519 tracker 1000002644 label "allow access to DHCP failover"
    pass in  quick on $LAN proto { tcp udp } from 172.25.236.3 to 172.25.236.2 port = 520 tracker 1000002645 label "allow access to DHCP failover"
    

    I have seen people place floating rules that ended up blocking this traffic in the outbound direction.
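    A way to check the point made above, as an added example that is not code from this thread or from pfSense: it parses `pfctl -sr` output, applies pf's "last match wins unless quick" ordering, and reports whether failover traffic on TCP/UDP 519 and 520 between the two nodes is passed or blocked in each direction. The regex is an assumption about the rule layout pfSense prints; protocol is not evaluated; the sample rules are constructed (the two pass rules copy the ones quoted above, the block rule stands in for a floating rule of the kind described).

```python
import re

FAILOVER_PORTS = (519, 520)  # DHCP failover peer ports named in the thread
# Head of a pf rule as printed by `pfctl -sr`; trailing tokens (tracker, label,
# flags) are ignored and protocol is not evaluated (assumption: tcp/udp).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?:drop|return))?\s+(?P<dir>in|out)\s+"
    r"(?P<quick>quick\s+)?(?:on\s+(?P<iface>\S+)\s+)?(?:inet6?\s+)?"
    r"(?:proto\s+(?:\{[^}]*\}|\S+)\s+)?"
    r"(?:(?P<all>all)|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?")

def parse_rules(text):
    """Parse pfctl -sr output into rule dicts, preserving pf evaluation order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # comments and lines the regex does not cover
        r = m.groupdict()
        r["port"] = int(r["port"]) if r["port"] else None
        if r["all"]:
            r["src"] = r["dst"] = "any"
        rules.append(r)
    return rules

def verdict(rules, direction, src, dst, port):
    """pf semantics: last match wins unless a matching rule is 'quick'."""
    result = "unmatched"  # no explicit rule hit
    for r in rules:
        if (r["dir"] == direction and r["src"] in ("any", src)
                and r["dst"] in ("any", dst) and r["port"] in (None, port)):
            result = r["action"]
            if r["quick"]:
                break
    return result

def check_failover(text, local_ip, peer_ip):
    """Verdict for peer->local ('in') and local->peer ('out') per failover port."""
    rules = parse_rules(text)
    return {(d, p): verdict(rules, d, s, t, p) for p in FAILOVER_PORTS
            for d, s, t in (("in", peer_ip, local_ip), ("out", local_ip, peer_ip))}

# Constructed sample: the two auto rules quoted in the thread plus a floating
# quick block rule of the kind warned about above (it blocks outbound 520).
SAMPLE_PFCTL = """\
block drop out quick on $LAN inet proto { tcp udp } from any to any port = 520
pass in  quick on $LAN proto { tcp udp } from 172.25.236.3 to 172.25.236.2 port = 519 tracker 1000002644 label "allow access to DHCP failover"
pass in  quick on $LAN proto { tcp udp } from 172.25.236.3 to 172.25.236.2 port = 520 tracker 1000002645 label "allow access to DHCP failover"
pass out quick on $LAN all flags S/SA keep state
"""
```

    Run `check_failover(open("pfctl.txt").read(), local_ip, peer_ip)` against a saved `pfctl -sr` dump from each node; any 'block' or 'unmatched' entry points at the rule that is breaking peer communication.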