Slow IPsec / internet when using CARP
-
Hi mates, by taking example from this schema:
Firewall 1 is a vm in Vmware
Firewall 2 is a physical HWThey are connected with a HP 4208 VL
Vmware vswitches are configured correctly (https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-high-availability-clusters.html)
Problems:
Clients pointing LAN CARP IP as default gateway are browsing slowly, while they point primary LAN IP or backup LAN IP they browse faster
Every IPSec VPN staring from WAN CARP IP is slow, while using primary WAN IP or backup WAN IP it works.
Slow means that the tunnel is up, but I cannot transfer anything.I have already 3 installations like this that work, this won't go. I have also a Netgate support opened, but maybe here someone have an idea...
What can be wrong?
Ah, tried a lot of IPs, NAT configurations, bla bla...
Thank you -
Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.
If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.
I would:
Turn off config XMLRPC Sync and pfsync.
Power down the secondary node.
Does the problem persist?
Packet capture and analyze what is slow and see if you can determine why.
-
@derelict said in Slow IPsec / internet when using CARP:
Mismatched hardware HA is pretty much unsupported. If the physical interface names do not match you are going to have trouble.
It is an already tested and working configuration. I have 3 clusters that work with the same configuration
If your layer 2 between the virtual environment and the physical node is not perfect, you are going to have trouble.
I would:
Turn off config XMLRPC Sync and pfsync.
Power down the secondary node.
Does the problem persist?
Yep, the problem persist in both situations (with only primary node working or with secondary node working)
Packet capture and analyze what is slow and see if you can determine why.
What I must look at?
Thanks
Andrea -
Have you configured the Outbound NAT to use the WAN CARP VIP?
-
@viragomann said in Slow IPsec / internet when using CARP:
Have you configured the Outbound NAT to use the WAN CARP VIP?
YEP