Timeouts when accessing slave

  • Hi all,
    I am having frequent issues where I cannot keep an active connection to the current slave. Failover works fine but if I try to access the slave to view error logs or add changes to a cron script, I usually encounter several timeouts between navigation via the web interface. The issue also extends to SSH sessions which seem to hang after 30 seconds.

    I also notice that if I ping the slave from the master, it will not work initially. For some reason, it will drop the first 30-300 packets and then finally start receiving them consistently.

    Is this normal behavior? It would appear as though the master does not have a proper way to communicate with the slave. Thanks!

  • Are you trying to access these locally? Or over a VPN?

  • LAYER 8 Netgate

    Normal depends on how you are connecting to the secondary.

    The primary and secondary should have their own addresses on every interface.

    You will want to access the secondary using its address on the closest interface to you. For instance if you are accessing the secondary from the LAN, you want to connect to the secondary's LAN address.

    If you are trying to route through the primary (which would be your management node's default gateway, so traffic to other subnets will route there) then the secondary has an interface route directly back to you so the TCP state on the primary will not see the reply traffic and will eventually break.

  • @MMapplebeck Locally, I'm trying to tackle this local issue before moving onto the VPN side of things but I am having an issue with the outbound NAT rule. The VPN subnet has been specified with the LAN interface selected and an alias for the CARP addresses for the destination but the secondary is never accessible over VPN.

@Derelict This may explain it. I am accessing the secondary from OPT5 (VLAN), but my DNS record points to the LAN interface address, not the one on OPT5. In this case, I would likely be routing through the primary. I will verify this using the OPT5 secondary interface this evening, but is there any way to avoid this so that the DNS record is valid across multiple interfaces?

  • LAYER 8 Netgate

    No. DNS will return every A record for the FQDN, but you need a specific one.

    You could do it if your DNS was off the firewall using something like BIND views.

    Queries for firewall-b.example.com return if received from
    Queries for firewall-b.example.com return if received from

    But that seems like a lot of work when this is why people manage these things from a specific network.
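As an added example that is not part of the thread and not pfSense code, the following Python models the two points made above: picking the secondary's own address on the interface closest to the management host (the same per-source selection a split-horizon DNS such as BIND views would make), and why reaching the secondary through the primary leaves the primary's state table with only half of the TCP conversation. The interface names, subnets and addresses are constructed for illustration and are assumptions, not values from the thread.

```python
"""Address selection and path symmetry for a CARP HA pair.

Added example (not from the thread or pfSense). The interface table below is
constructed sample data: each interface has a unique primary address, a unique
secondary address, and a shared CARP VIP that hosts use as their default gateway.
"""
import ipaddress

INTERFACES = {
    "LAN":  {"net": "192.0.2.0/24",    "primary": "192.0.2.2",
             "secondary": "192.0.2.3",  "carp": "192.0.2.1"},
    "OPT5": {"net": "198.51.100.0/24", "primary": "198.51.100.2",
             "secondary": "198.51.100.3", "carp": "198.51.100.1"},
}


def interface_for(addr):
    """Return the name of the interface whose subnet contains addr, or None
    if addr is not directly connected to the firewall pair."""
    ip = ipaddress.ip_address(addr)
    for name, cfg in INTERFACES.items():
        if ip in ipaddress.ip_network(cfg["net"]):
            return name
    return None


def onlink_secondary_address(client):
    """Secondary's address on the interface closest to the client.

    This is the address a management host should connect to directly. It is
    also what a DNS view keyed on the querier's source address would return
    for the secondary's FQDN, instead of a single fixed A record."""
    name = interface_for(client)
    return INTERFACES[name]["secondary"] if name else None


def path_symmetry(client, target):
    """Model one TCP flow from client to the secondary's address `target`.

    Forward direction: if target is on the client's own subnet the client
    sends to it directly. Otherwise the client sends to its default gateway,
    the CARP VIP, which the primary holds while it is MASTER, so the primary
    forwards the packet and creates a state entry for it.

    Return direction: the secondary has an interface route to every firewall
    subnet, so it answers the client directly and never hands the reply to the
    primary. When the forward path crossed the primary, the primary's state
    entry never sees the reply and the connection eventually breaks."""
    client_if = interface_for(client)
    target_if = interface_for(target)
    if client_if is None or target_if is None:
        raise ValueError("client and target must both be on a firewall subnet")
    forward_via_primary = client_if != target_if
    return_via_primary = False  # secondary replies over its own interface route
    return {
        "forward_via_primary": forward_via_primary,
        "return_via_primary": return_via_primary,
        "asymmetric": forward_via_primary != return_via_primary,
    }


def recommended_target(client, dns_target):
    """Compare the address DNS handed out with the on-link choice and report
    whether the flow would be symmetric. Returns (use_address, was_ok)."""
    onlink = onlink_secondary_address(client)
    was_ok = not path_symmetry(client, dns_target)["asymmetric"]
    return onlink, was_ok


if __name__ == "__main__":
    # Scenario from the thread: management host on OPT5, DNS points at the
    # secondary's LAN address, so traffic to the secondary is routed via the primary.
    host = "198.51.100.50"
    dns_answer = INTERFACES["LAN"]["secondary"]
    print("via DNS answer:", path_symmetry(host, dns_answer))
    print("use instead:", recommended_target(host, dns_answer))
```

Run it as a script to see the OPT5 case from the thread flagged as asymmetric and the secondary's OPT5 address suggested in its place; `onlink_secondary_address` is the function a per-subnet DNS view would effectively implement.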
