Netgate Discussion Forum

HA SYNC Question

  • X
    xlameee
    last edited by xlameee Nov 29, 2018, 7:09 PM Nov 29, 2018, 6:59 PM

    hello

    I've been wondering how to configure a dedicated link for HA SYNC.
    I have a few 10G and 1G adapters and I also have 2 more expansion slots available. What if I put 2 adapters, 1 in each server, and direct attach them to dedicate this link for HA SYNC only?

    Any suggestions how to configure it, or just plug them in and give that link a static IP in the same subnet?

    My HA SYNC is currently on the VLAN. There is not much traffic yet because it is still in the LAB environment, but when I plug it into production it might consume some traffic, which I think won't be much of a problem because I have 2x40G in LACP, but still, for security a dedicated link for HA can be useful.

    thank you

    • D
      dotdash
      last edited by Nov 29, 2018, 9:51 PM

      I agree, a dedicated physical link is best for HA. The traffic is minimal, just put matching adapters in each box, put them on the same subnet (you could use a /30), and add rules to allow traffic.

      • S
        SteveITS Galactic Empire
        last edited by SteveITS Dec 1, 2018, 2:32 PM Nov 29, 2018, 11:07 PM

        We just plug them together with a patch cable also. Plus, that way if the switch in the middle fails the backup router won't try to become master. Having a switch in the middle is an unnecessary point of failure.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • D
          Derelict LAYER 8 Netgate
          last edited by Derelict Nov 30, 2018, 10:50 PM Nov 30, 2018, 10:49 PM

          Plus that way if the switch in the middle fails the backup router won't try to become master.

          The SYNC interface has no bearing on who is master and who isn't. There aren't CARP VIPs on it so it doesn't factor into that decision.

          See the sticky I wrote on all of this up there in the category ^.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • S
            SteveITS Galactic Empire @Derelict
            last edited by Nov 30, 2018, 10:51 PM

            @derelict said in HA SYNC Question:

            The SYNC interface has no bearing on who is master

            D'oh! Of course. Not sure what I was thinking. Still, we just use a patch cable as it is still one less thing to fail. :)

            • D
              Derelict LAYER 8 Netgate
              last edited by Nov 30, 2018, 10:54 PM

              So do I. ;)

              • X
                xlameee @Derelict
                last edited by Dec 1, 2018, 12:16 PM

                @derelict It is not about failing, it is more about security. From what I know, HA is syncing with non-encrypted traffic, and having all of that traffic flowing around my core switch is not a good idea.

                Thank you

                • S
                  SteveITS Galactic Empire @xlameee
                  last edited by Dec 1, 2018, 2:40 PM

                  @xlameee In general even an unmanaged switch should only be sending traffic to the correct ports, so unless someone's spoofing IPs (while guessing your sync subnet) or spoofing the routers' MAC addresses I'm not sure it's really much of an issue... and if they are doing that then there are other issues on your network 😀. A direct patch cable connection would remove any concern.

                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Dec 1, 2018, 3:14 PM

                    I might be foolish but I trust VLANs.

                    The states that are represented by the pfsync traffic are running around in your switch already.

                    • X
                      xlameee
                      last edited by xlameee Jan 3, 2019, 2:05 PM Jan 3, 2019, 1:52 PM

                      Hello

                      I just set up a direct attached line for the SYNC interface and I am getting this error:

                      Communications error occurred

                      A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.250.0.3:443. Error: Operation timed out @ 2019-01-03 07:49:15
                      

                      Any idea why?

                      The card I've installed on both nodes is a Chelsio CC2-N320E-SR. I dedicated 1 link on each node (cxgb0) to pfsync.

                      Interface name : HA_SYNC
                      NODE 1 : IP 10.250.0.2/28
                      NODE 2 : IP 10.250.0.3/28

                      All I did was change System/High Avail. Sync:

                      Synchronize interface to HA_SYNC
                      NODE 1
                      pfsync Synchronize Peer IP : 10.250.0.3
                      Synchronize Config to IP : 10.250.0.3
                      NODE 2
                      pfsync Synchronize Peer IP : 10.250.0.2

                      Then I stopped the DHCP service on both nodes and started the master first.

                      • X
                        xlameee
                        last edited by Jan 3, 2019, 2:58 PM

                        OK, never mind, I solved it.

                        I had to manually add an ANY ANY rule on the BACKUP node in order to sync.
                        Actually I added IPv4, Protocol ANY, HA_SYNC net to HA_SYNC net, any port.

                        Thank you

                        I am not sure if this is the best way to go, but I will increase the MTU to 9000 and see if all goes well :)

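The two-node setup described in this thread (matching adapters on one small subnet, mutual pfsync peer IPs, config sync pushed from the primary only, and pass rules on the SYNC interface, whose absence on the backup produced the XMLRPC timeout above) can be sanity-checked offline. This is an added example in Python, not pfSense code: the Node and Rule models and the constructed NODE1/NODE2 values mirror the poster's settings; the pfsync protocol name and the TCP/443 XML-RPC port are the only protocol facts assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
PFSYNC = "pfsync"   # IP protocol 240, carries the state-table updates
XMLRPC_PORT = 443   # config sync is XML-RPC over HTTPS to the peer (see the tls://...:443 error)

@dataclass(frozen=True)
class Rule:                  # one pass rule on the HA_SYNC interface (constructed model)
    proto: str               # "any", "pfsync" or "tcp"
    src: str                 # "any", "HA_SYNC net" or a single address
    port: int = 0            # destination port, 0 = any

@dataclass(frozen=True)
class Node:
    name: str
    sync_if: str             # HA_SYNC address, e.g. "10.250.0.2/28"
    pfsync_peer: str         # "pfsync Synchronize Peer IP"
    config_sync_to: str      # "Synchronize Config to IP"; "" when unset
    rules: tuple             # Rule objects on the HA_SYNC interface

def allows(node, proto, port, src):
    """True if some rule on node's HA_SYNC interface passes this traffic from src."""
    net = ip_interface(node.sync_if).network
    return any(r.proto in ("any", proto) and r.port in (0, port)
               and (r.src in ("any", src) or (r.src == "HA_SYNC net" and ip_address(src) in net))
               for r in node.rules)

def check_pair(primary, backup):
    """Return the problems found; an empty list means the pair looks consistent."""
    p, b = ip_interface(primary.sync_if), ip_interface(backup.sync_if)
    issues = []
    if p.network != b.network:
        issues.append("sync addresses are not in one subnet")
    if ip_address(primary.pfsync_peer) != b.ip or ip_address(backup.pfsync_peer) != p.ip:
        issues.append("pfsync peer IPs do not point at each other")
    if not primary.config_sync_to or ip_address(primary.config_sync_to) != b.ip:
        issues.append("primary does not sync config to the backup")
    if backup.config_sync_to:
        issues.append("backup also pushes config; clear it to avoid a sync loop")
    for node, peer in ((primary, str(b.ip)), (backup, str(p.ip))):
        if not allows(node, PFSYNC, 0, peer):
            issues.append(f"{node.name}: no rule passes pfsync from {peer}")
    if not allows(backup, "tcp", XMLRPC_PORT, str(p.ip)):
        issues.append(f"{backup.name}: no rule passes TCP/443 from {p.ip}; XMLRPC times out")
    return issues

# Constructed scenario mirroring the thread: NODE 1 has the usual pass rule, NODE 2 none yet.
SYNC_ANY = Rule("any", "HA_SYNC net")
NODE1 = Node("NODE 1", "10.250.0.2/28", "10.250.0.3", "10.250.0.3", (SYNC_ANY,))
NODE2_BARE = Node("NODE 2", "10.250.0.3/28", "10.250.0.2", "", ())
NODE2_FIXED = Node("NODE 2", "10.250.0.3/28", "10.250.0.2", "", (SYNC_ANY,))
```

`check_pair(NODE1, NODE2_BARE)` reports the two missing-rule findings behind the timeout in the post above, and `check_pair(NODE1, NODE2_FIXED)` returns an empty list once the HA_SYNC-to-HA_SYNC rule is added.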
                        • D
                          Derelict LAYER 8 Netgate
                          last edited by Jan 3, 2019, 7:07 PM

                          I am not sure if this is the best way to go, but I will increase the MTU to 9000 and see if all goes well :)

                          That is the last thing I would do if I was in your position.

                          I would get everything working perfectly and leave jumbo frames out of the picture.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.