4. Slow IPsec / internet when using CARP

Slow IPsec / internet when using CARP

  • P

    Hi mates, by taking example from this schema:
    0_1549027432820_0e16aa25-14cd-4c75-9d85-e43f451a1296-image.png

    Firewall 1 is a vm in Vmware
    Firewall 2 is a physical HW

    They are connected with a HP 4208 VL

    Vmware vswitches are configured correctly (https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-high-availability-clusters.html)

    Problems:
    Clients pointing LAN CARP IP as default gateway are browsing slowly, while they point primary LAN IP or backup LAN IP they browse faster
    Every IPSec VPN staring from WAN CARP IP is slow, while using primary WAN IP or backup WAN IP it works.
    Slow means that the tunnel is up, but I cannot transfer anything.

    I have already 3 installations like this that work, this won't go. I have also a Netgate support opened, but maybe here someone have an idea...

    What can be wrong?
    Ah, tried a lot of IPs, NAT configurations, bla bla...
    Thank you

    0
  • LAYER 8 Netgate

    Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.

    If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.

    I would:

    Turn off config XMLRPC Sync and pfsync.

    Power down the secondary node.

    Does the problem persist?

    Packet capture and analyze what is slow and see if you can determine why.

    0
    P
     1 Reply
  • P

    @derelict said in Slow IPsec / internet when using CARP:

    Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.

    It is an already tested and working configuration. I have 3 clusters that work with the same configuration

    If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.

    I would:

    Turn off config XMLRPC Sync and pfsync.

    Power down the secondary node.

    Does the problem persist?

    Yep, the problem persist in both situations (with only primary node working or with secondary node working)

    Packet capture and analyze what is slow and see if you can determine why.

    What I must look at?
    Thanks
    Andrea

    0
  • V

    Have you configured the Outbound NAT to use the WAN CARP VIP?

    0
    P
     1 Reply
  • P

    @viragomann said in Slow IPsec / internet when using CARP:

    Have you configured the Outbound NAT to use the WAN CARP VIP?

    YEP

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy