[Answered] Secondary node is very slow to update package repository, install packages, etc.



  • I have a new HA cluster of two nodes.

    The secondary node is very slow in the Web GUI... things like updating the package repository prior to installing a package take many, many minutes.

    Additionally, if I ping out (say to 8.8.8.8) from the LAN interface on the secondary, I get 100% packet loss. However, if I ping out from the LAN interface on the primary, I get 0% packet loss.

    So I believe the slowness has to do with a NAT issue on the secondary.

    If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine.


  • LAYER 8 Moderator

    @vbman213 said in Secondary node is very slow to update package repository, install packages, etc.:

    If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine.

    Did you only change it for your LAN or for all NAT entries to do it via WAN VIP instead of IP? How was your NAT set up with VIP (screenshot)?


  • LAYER 8 Netgate

    Do not outbound NAT to the CARP VIP for traffic sourced from the firewall itself. Only set outbound NAT for the inside addresses that actually need NAT.

    A common mistake is setting outbound NAT for 127.0.0.0/8 and/or any sources to the CARP VIP.

    That won't work on the node that is BACKUP because that address does not exist on that node at that time.

    If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine.

    It should not matter for LAN sources, but for traffic sourced from the firewall itself.

    If this isn't making sense you'll need to post your outbound NAT rules.
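
The mistake described in the reply above, turned into a small audit (an added example, not part of the thread and not pfSense code): it flags outbound NAT rules that translate loopback or any-source traffic to a CARP VIP, which fails on whichever node is BACKUP. The rule layout, field names and addresses are constructed for illustration and are not pfSense's configuration format.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def audit_outbound_nat(rules, carp_vips):
    """Return (description, reason) for each rule that would NAT traffic
    sourced from the firewall itself to a CARP VIP."""
    vips = {ipaddress.ip_address(v) for v in carp_vips}
    findings = []
    for rule in rules:
        target = rule["translation"]
        # Translating to the interface's own address works on both nodes.
        if target == "interface address" or ipaddress.ip_address(target) not in vips:
            continue
        if rule["source"] == "any":
            findings.append((rule["descr"], "source 'any' also matches the firewall itself"))
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        # 0.0.0.0/0 and similar wide sources overlap loopback as well.
        if src.version == 4 and src.overlaps(LOOPBACK):
            findings.append((rule["descr"], "source covers 127.0.0.0/8 (firewall-local traffic)"))
    return findings

# Constructed sample rules; 198.51.100.10 stands in for the WAN CARP VIP.
SAMPLE_VIPS = ["198.51.100.10"]
SAMPLE_RULES = [
    {"descr": "LAN to WAN VIP", "source": "192.168.1.0/24", "translation": "198.51.100.10"},
    {"descr": "localhost to WAN VIP", "source": "127.0.0.0/8", "translation": "198.51.100.10"},
    {"descr": "any to WAN VIP", "source": "any", "translation": "198.51.100.10"},
    {"descr": "localhost to WAN address", "source": "127.0.0.0/8", "translation": "interface address"},
]

if __name__ == "__main__":
    for descr, reason in audit_outbound_nat(SAMPLE_RULES, SAMPLE_VIPS):
        print(f"{descr}: {reason}")
```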



  • Thanks for the tips! This resolved the issue!

