Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Slow IPsec / internet when using CARP

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    5 Posts 3 Posters 916 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pama
      last edited by

      Hi mates, by taking example from this schema:
      0_1549027432820_0e16aa25-14cd-4c75-9d85-e43f451a1296-image.png

      Firewall 1 is a vm in Vmware
      Firewall 2 is a physical HW

      They are connected with a HP 4208 VL

      Vmware vswitches are configured correctly (https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-high-availability-clusters.html)

      Problems:
      Clients pointing LAN CARP IP as default gateway are browsing slowly, while they point primary LAN IP or backup LAN IP they browse faster
      Every IPSec VPN staring from WAN CARP IP is slow, while using primary WAN IP or backup WAN IP it works.
      Slow means that the tunnel is up, but I cannot transfer anything.

      I have already 3 installations like this that work, this won't go. I have also a Netgate support opened, but maybe here someone have an idea...

      What can be wrong?
      Ah, tried a lot of IPs, NAT configurations, bla bla...
      Thank you

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.

        If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.

        I would:

        Turn off config XMLRPC Sync and pfsync.

        Power down the secondary node.

        Does the problem persist?

        Packet capture and analyze what is slow and see if you can determine why.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        P 1 Reply Last reply Reply Quote 0
        • P
          pama @Derelict
          last edited by

          @derelict said in Slow IPsec / internet when using CARP:

          Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.

          It is an already tested and working configuration. I have 3 clusters that work with the same configuration

          If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.

          I would:

          Turn off config XMLRPC Sync and pfsync.

          Power down the secondary node.

          Does the problem persist?

          Yep, the problem persist in both situations (with only primary node working or with secondary node working)

          Packet capture and analyze what is slow and see if you can determine why.

          What I must look at?
          Thanks
          Andrea

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            Have you configured the Outbound NAT to use the WAN CARP VIP?

            P 1 Reply Last reply Reply Quote 0
            • P
              pama @viragomann
              last edited by

              @viragomann said in Slow IPsec / internet when using CARP:

              Have you configured the Outbound NAT to use the WAN CARP VIP?

              YEP

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.