HA Cluster - Backup problem

  • Hello

    I have a very unusual problem, well .. for me

    My backup webGUI is loading very, very slowly, and sometimes I have to reload the page a few times for it to load. Sometimes the page loads, but the pfSense logo fills the whole screen, the menu items are stacked one under another, the page images are missing, and links are not clickable: a complete mess.

    Any cure for that?

    Services are shutting down by themselves like unbound, openvpn

    See what I am talking about when I try to start up a service which is down


    and the openvpn service does not start!!!!!!

  • LAYER 8 Netgate

    Sounds like the backup node cannot resolve names when it is not CARP MASTER.

    Does it have its own public IP address for the WAN interface?

    Are you performing outbound NAT to the CARP VIP that matches traffic from the firewall itself (usually source any or source localhost)? Those sources should not NAT to the CARP VIP but to the interface address.
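
The outbound NAT check described in the reply above, sketched as an added example (not part of the thread and not pfSense code). It assumes a constructed, simplified rule list rather than pfSense's own configuration format, evaluated top-down with the first match winning, and uses documentation-range addresses as placeholders.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def matches_firewall(source):
    """True if the rule's source covers traffic originated by the firewall itself."""
    return source == "any" or ipaddress.ip_network(source).overlaps(LOOPBACK)

def audit_outbound_nat(rules, carp_vips):
    """For each interface, find the first rule (top-down, first match wins)
    that catches firewall-originated traffic and classify its translation.
    Returns {interface: (rule_index, "interface_address" | "carp_vip" | "other")}.
    """
    vips = {ipaddress.ip_address(v) for v in carp_vips}
    result = {}
    for idx, rule in enumerate(rules):
        iface = rule["interface"]
        if iface in result or not matches_firewall(rule["source"]):
            continue
        target = rule["target"]
        if target == "interface_address":
            kind = "interface_address"
        elif ipaddress.ip_address(target) in vips:
            # Replies to the VIP arrive at whichever node is CARP master, so
            # the backup node's own lookups never get their answers back.
            kind = "carp_vip"
        else:
            kind = "other"
        result[iface] = (idx, kind)
    return result

# Constructed sample data (hypothetical rule sets, documentation-range addresses).
CARP_VIPS = ["198.51.100.10"]
GOOD = [
    {"interface": "wan", "source": "127.0.0.0/8", "target": "interface_address"},
    {"interface": "wan", "source": "192.168.1.0/24", "target": "198.51.100.10"},
]
SHADOWED = [  # the broad "any" rule sits above the localhost rule and wins
    {"interface": "wan", "source": "any", "target": "198.51.100.10"},
    {"interface": "wan", "source": "127.0.0.0/8", "target": "interface_address"},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("SHADOWED", SHADOWED)):
        print(name, audit_outbound_nat(rules, CARP_VIPS))
```

The second rule set shows why order matters: a correct localhost rule has no effect when a broader rule translating to the VIP is listed above it.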

  • @derelict


    Thank you for a quick response

    Currently this is my downstream network connected to my upstream private network

    Both on VIP

    Localhost NAT is set to "Interface address", not to the VIP IP


    And by the way, do I need that ISAKMP, and what is this for?

  • LAYER 8 Netgate

    It is a static outbound port for outgoing IPsec client connections. If you are not doing that you don't need it, but it won't hurt to have it there either.

    So when you are on the secondary and try to resolve a name using Diagnostics > DNS Lookup what happens? How does that look compared to the same action on the primary?

  • @derelict They are both working fine!!!

    I still can't start the openvpn service!!!!

  • LAYER 8 Netgate

    You generally don't run OpenVPN on the backup node. It starts when it fails over.

    How about posting the DNS results so we can be the judge of what is working fine and what isn't?

  • @derelict Master is dark theme Backup is light is the upstream pfsense unbound

    I set the downstream pfsense to forwarding mode



  • LAYER 8 Netgate

    How about names out on the internet? Like files00.netgate.com?

    You rattled off about 6 different problems in your initial post. What, specifically, is your priority to fix?

  • @derelict

    Both have the same output


  • LAYER 8 Netgate

    OK. It looks like that webgui is functioning fine.

    So what is the problem you are having? Please be as complete and specific as possible.

  • @derelict

    It looks so, yes, but before I started this post, loading any page on the backup's web GUI was very, very slow, and the web GUI was unresponsive when you tried to go to any page. Even now, sometimes when I hit a link on the menu, the browser starts loading and then stops like nothing happened, and when I hit the same link on the menu again the page loads fine. If the problem was unbound: yes, the unbound service was down on the backup and I started it. So far I don't have any problems; I just walked around the web GUI's menu, going to different pages, without any issues.

    I just put the master into CARP Maintenance Mode; as you said, the openvpn service came up.

    I have tested the SYNC. After I put the master into CARP Maintenance Mode, the master becomes a backup. When the backup becomes a master and I make some changes to it, like adding aliases, they don't sync to the backup. Is that how it should be? If you can understand what I am trying to say!!!! Everything else seems to work fine.

  • LAYER 8 Netgate

    If it is having trouble syncing settings it really depends. Does the system log show successful XMLRPC sync when you make a change?

    If not that will have to be fixed.

    If sync is working but changes to firewall rules don't appear to be syncing, you might have mismatched interfaces between the two nodes.

    If you are having GUI problems, the first thing I would do is eliminate the custom theme. I would also try another browser. I have not heard of any issues like that with the dark theme, and all major browsers work fine with the firewall, but that is where I would start.

    I would also check for any logs that state something like "X is using my ip address" or something of that nature.

  • @derelict Hello

    My SYNC interfaces are direct-attached 10G fiber between both nodes, with no switch/hub between them.

    My question was: is the syncing process one way?

    When my MASTER NODE fails and my BACKUP NODE becomes a MASTER, it is not actually a MASTER - MASTER; it was designed to pass traffic until the MASTER is back online, right? Or to test some settings before you put them into the MASTER NODE.

    That's why this clustering system is designed so that when a new update comes out, you update the BACKUP NODE to see if everything is working fine before you UPDATE the MASTER NODE.

  • LAYER 8 Netgate

    Yes. You make changes to the primary node. It doesn't matter which one is master at the time.

    If something happens and you have to run on the secondary node for any length of time, it is incumbent upon you to log any necessary changes so they can be duplicated when the primary node is back online.

  • @derelict Understood, thank you
