HA SYNC Question



  • hello

    I've wondering how to configure dedicated link for HA SYNC
    I have a few 10G and 1G adapters and I also have 2 more expatiation slots available What if I put 2 adapters 1 to each server and direct attach them to dedicate this link for HA SYNC only

    any suggestions how to configure it or just plug them and give that link a static IP with the same subnet

    My HA SYNC is currently on the VLAN there is not much traffic yet because is still in the LAB environment, but when I plug it into production it might consume some traffic witch I thing won't be much of problem because I have 2x40G in LACP but still for security dedicated link to HA can be useful

    thank you



  • I agree, a dedicated physical link is best for HA. The traffic is minimal, just put matching adapters in each box, put them on the same subnet (you could use a /30), and add rules to allow traffic.



  • We just plug them together with a patch cable also. Plus that way if the switch in the middle fails the backup router won't try to become master Having a switch in the middle is an unnecessary point of failure.


  • LAYER 8 Netgate

    Plus that way if the switch in the middle fails the backup router won't try to become master.

    The SYNC interface has no bearing on who is master and who isn't. There aren't CARP VIPs on it so it doesn't factor into that decision.

    See the sticky I wrote on all of this up there in the category ^.



  • @derelict said in HA SYNC Question:

    he SYNC interface has no bearing on who is master

    d'oh! of course not sure what I was thinking. Still, we just use a patch cable as it is still one less thing to fail. :)


  • LAYER 8 Netgate

    So do I. ;)



  • @derelict it is not about failing it more about security Of what I know HA is syncing with none encrypted traffic and all of that traffic flowing around my core switch it is not a good idea

    Thank you



  • @xlameee In general even an unmanaged switch should only be sending traffic to the correct ports so unless someone's spoofing IPs (while guessing your sync subnet) or spoofing the routers' MAC addresses I'm not sure it's really much of an issue...and if they are doing that then there are other issues on your network 😀. A direct patch cable connection would remove any concern.


  • LAYER 8 Netgate

    I might be foolish but I trust VLANs.

    The states that are represented by the pfsync traffic are running around in your switch already.



  • Hello

    I just setup direct attached line for SYNC interface and I am getting this error

    Communications error occurred

    A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.250.0.3:443. Error: Operation timed out @ 2019-01-03 07:49:15
    

    any idea Why?

    The card I've installed on both nodes is Chelsio CC2-N320E-SR I dedicated 1 link to each node (cxgb0) to pfSync

    Interface name : HA_SYNC
    NODE 1 : IP 10.250.0.2/28
    NODE 2 : IP 10.250.0.3/28

    All I did was to change System/High Avail.Sync

    Synchronize interface to HA_SYNC
    NODE 1
    pfsync Synchronize Peer IP : 10.250.0.3
    Synchronize Config to IP : 10.250.0.3
    NODE 2
    pfsync Synchronize Peer IP : 10.250.0.2

    Then I stopped the DHCP Service on both nodes and started first the Master



  • OK Never mind I solved it

    I had to add manually rule ANY ANY on the BACKUP node in order to sync
    actually I added IPv4 Protocol ANY - HA_SYNC to HA_SYNC any port

    Thank you

    I am not sure if this is the best to go but I will increase the MTU to 9000 and see if all goes well :)


  • LAYER 8 Netgate

    I am not sure if this is the best to go but I will increase the MTU to 9000 and see if all goes well :)

    That is the last thing I would do if I was in your position.

    I would get everything working perfectly and leave jumbo frames out of the picture.


Log in to reply