HA Configuration, secundary Device blocks packets in recovery mode
-
Hello,
I configured a pfsense cluster with 2 x Netgate 7100 Devices.
They have a CARP-VIP in USERLAN and a CARP VIP in WAN.
The NAT Outbound rule is set with the VIP of the WAN.
When I test the failover - the Clients losses Connection an I can see blocked Packets in the Firewall.I checked the Sync (is is working) and all rules are synced
on both devices - all TCP/UDP is allowed to the internet and is running in normal mode.I double checked all settings - where or how can I detect the Problem? Any Ideas?
Best regards
Martin -
Do you also syncing the states?
Do you devices use the USERLAN CARP VIP as their default gateway?
-
Hello viagomann,
thanks for your question:
- yes the states are synced - but: State sync is checked at the Master - not at the Backup-Device
- yes the USERLAN CARP VIP ist exposed as the default GW (Checked at the Client ipconfig)
Best regards
Martin -
The states should be synced in both directions, otherwise you get out of state block when the first node takes over the master again.
@mmichael said in HA Configuration, secundary Device blocks packets in recovery mode:
When I test the failover - the Clients losses Connection an I can see blocked Packets in the Firewall.
On master or backup? Please post a screenshot.
-
Hi,
now I activated sync on both Devices. Now I noticed, that the SyncBlocks (Status->CARP) got identical ID's and Blocks (thats good).
Then I cuted "LanLink" from the USERLAN. and all my connections where lost again.
Here are the screenshots:Here are the loss
Master is left / Backup right
"Backup-Device" ist master in USERLAN (Master is disconnected)
Sync Konfig
Best regards
Martin -
I meant a screenshot of the pfSense firewall log, which is showing the blocks. Status > System Logs > Firewall
On most systems you can take a screenshot by hitting the Print-key.
@mmichael said in HA Configuration, secundary Device blocks packets in recovery mode:
"Backup-Device" ist master in USERLAN (Master is disconnected)
When the master is offline, the backup must be master on all shared CARP interfaces, not only LAN.
Seems there is a problem in CARP communication.
Ensure that each CARP interface can talk to its partner. -
good morning,
first of all - thank you for your replys! I teststed again - but to be more precise here are some additional details:
- I activated Sync Status now on both devices
- the messages about blocked V4 Packet didn't come again
So now - I guess there is (maybe) a missleading idea in my testcase or a missing function - I dont't know:
- Case: Diconnecting USERLAN (Cutting cable):
- Backup device went in Master State with Interface USERLAN
- WAN Interface remains as BACKUP
- Internet connection is losst and didn't return until the cable is plugt in again
- Case: Powering off the Master Device:
- Backup device went in Master State with ALL Interfaces
- Internet connection is working as expected
My guess is now - maybe the case of a "broken" cable is not covered of the pfsense HA Cluster? Or do I have to dig deeper and there is a missconfiguration on my site?
Best regards
Martin