Netgate Discussion Forum
    Timeouts when accessing slave

    HA/CARP/VIPs
    5 Posts, 3 Posters, 744 Views

    Elegant
    last edited by Elegant

      Hi all,
      I am having frequent issues where I cannot keep an active connection to the current slave. Failover works fine but if I try to access the slave to view error logs or add changes to a cron script, I usually encounter several timeouts between navigation via the web interface. The issue also extends to SSH sessions which seem to hang after 30 seconds.

      I also notice that if I ping the slave from the master, it will not work initially. For some reason, it will drop the first 30-300 packets and then finally start receiving them consistently.

      Is this normal behavior? It would appear as though the master does not have a proper way to communicate with the slave. Thanks!

    MMapplebeck
    last edited by

        Are you trying to access these locally? Or over a VPN?

    Derelict (LAYER 8, Netgate)
    last edited by

          Normal depends on how you are connecting to the secondary.

          The primary and secondary should have their own addresses on every interface.

          You will want to access the secondary using its address on the closest interface to you. For instance if you are accessing the secondary from the LAN, you want to connect to the secondary's LAN address.

          If you are trying to route through the primary (which would be your management node's default gateway, so traffic to other subnets will route there) then the secondary has an interface route directly back to you so the TCP state on the primary will not see the reply traffic and will eventually break.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

    Elegant
    last edited by Elegant

            @MMapplebeck Locally. I'm trying to tackle this local issue before moving on to the VPN side of things, but I am having an issue with the outbound NAT rule. The VPN subnet has been specified with the LAN interface selected and an alias for the CARP addresses as the destination, but the secondary is never accessible over VPN.

            @Derelict This may explain it. I am accessing the secondary from OPT5 (VLAN), but my DNS record points to the LAN interface address, not the one on OPT5. In this case, I would likely be routing through the primary. I will verify this using the OPT5 secondary interface this evening, but is there any way to avoid this so that the DNS record is valid across multiple interfaces?

    Derelict (LAYER 8, Netgate)
    last edited by Derelict

              No. DNS will return every A record for the fqdn but you need a specific one.

              You could do it if your DNS was off the firewall using something like BIND views.

              Queries for firewall-b.example.com return 192.168.1.3 if received from 192.168.1.0/24
              Queries for firewall-b.example.com return 192.168.2.3 if received from 192.168.2.0/24
              Etc.

              But that seems like a lot of work when this is why people manage these things from a specific network.

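The BIND views setup Derelict describes, written out as a constructed named.conf example (added here, not from the original thread or from Netgate). The subnets, the 192.168.x.3 answers and the name firewall-b.example.com come from the post above; the zone file names, the ns1 record and the directory path are assumptions.

```conf
// Constructed example: one authoritative zone per view, so a client is told the
// secondary's address on the interface closest to it and never has to route
// through the primary (which would break the TCP state as described above).
acl lan_clients  { 192.168.1.0/24; };
acl opt5_clients { 192.168.2.0/24; };

options {
    directory "/var/named";            // assumed path
    allow-query { lan_clients; opt5_clients; };
};

// Clients on 192.168.1.0/24 get the secondary's LAN address.
view "lan" {
    match-clients { lan_clients; };
    zone "example.com" IN {
        type master;
        file "example.com.lan.zone";   // assumed file; holds:
        // firewall-b  IN A 192.168.1.3
    };
};

// Clients on 192.168.2.0/24 get the secondary's address on the other interface.
view "opt5" {
    match-clients { opt5_clients; };
    zone "example.com" IN {
        type master;
        file "example.com.opt5.zone";  // assumed file; holds:
        // firewall-b  IN A 192.168.2.3
    };
};

// Catch-all so a query from any other source still matches a view
// (BIND refuses to start if a client could match no view at all).
view "default" {
    match-clients { any; };
    recursion no;
};
```

Apart from the one A record for firewall-b, the two zone files are identical copies (same SOA, NS and remaining records); `named-checkconf` validates the configuration before it is loaded, and a host that sits in neither subnet falls into the catch-all view and gets no answer, so every management network needs its own view.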