1. Home
  2. pfSense® Software
  3. HA/CARP/VIPs
  4. Timeouts when accessing slave

Timeouts when accessing slave

  • E

    Hi all,
    I am having frequent issues where I cannot keep an active connection to the current slave. Failover works fine but if I try to access the slave to view error logs or add changes to a cron script, I usually encounter several timeouts between navigation via the web interface. The issue also extends to SSH sessions which seem to hang after 30 seconds.

    I also notice that if I ping the slave from the master, it will not work initially. For some reason, it will drop the first 30-300 packets and then finally start receiving them consistently.

    Is this normal behavior? It would appear as though the master does not have a proper way to communicate with the slave. Thanks!

    0
  • MMapplebeck

    Are you trying to access these locally? Or over a VPN?

    0
  • Derelict
    LAYER 8 Netgate

    Normal depends on how you are connecting to the secondary.

    The primary and secondary should have their own addresses on every interface.

    You will want to access the secondary using its address on the closest interface to you. For instance if you are accessing the secondary from the LAN, you want to connect to the secondary's LAN address.

    If you are trying to route through the primary (which would be your management node's default gateway, so traffic to other subnets will route there) then the secondary has an interface route directly back to you so the TCP state on the primary will not see the reply traffic and will eventually break.

    0
  • E

    @MMapplebeck Locally, I'm trying to tackle this local issue before moving onto the VPN side of things but I am having an issue with the outbound NAT rule. The VPN subnet has been specified with the LAN interface selected and an alias for the CARP addresses for the destination but the secondary is never accessible over VPN.

    @Derelict This may explain it, I am accessing the secondary from OPT5 (vlan) but my DNS record points the LAN interface address not the the one on OPT5. In this case, I would likely be routing through the primary. I will verify this using the OPT5 secondary interface this evening but is there any way to avoid this so that the DNS record is valid across multiple interfaces?

    0
  • Derelict
    LAYER 8 Netgate

    No. DNS will return every A record for the fqdn but you need a specific one.

    You could do it if your DNS was off the firewall using something like BIND views.

    Queries for firewall-b.example.com return 192.168.1.3 if received from 192.168.1.0/24
    Queries for firewall-b.example.com return 192.168.2.3 if received from 192.168.2.0/24
    Etc.

    But that seems like a lot of work when this is why people manage these things from a specific network.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy