Carp Maintenance mode + reboot = bug?



  • While testing my pfsync setup I noticed a strange behavior:

    Reboot primary = seamless failover
    Unplug primary = seamless failover
    enter carp maintenance mode (then disable carp maintenance mode) = seamless failover

    but

    enter carp maintenance mode on primary (then reboot primary) = sessions lost on secondary node

    Does this happen to anyone else?
    is it the expected behavior?

    if not, any idea what is causing it?

    I don't really care about this specific scenario happening,
    Just testing my nodes in all the possible ways, and want to make sure I didn't miss anything.

    Thanks!
    Justin

    EDIT: This is on the latest 2.4.5 release.



  • @Justinjja said in Carp Maintenance mode + reboot = bug?:

    enter carp maintenance mode on primary (then reboot primary) = sessions lost on secondary node
    I don't really care about this specific scenario happening,

    That's a usual scenario though, when upgrading the primary.
    If the primary machine is in CARP maintenance mode a reboot should not influence the traffic flow.

    Maybe something wrong with your network configuration? Are the pfSense machines running on bare metal or are they virtualized?
    Some hints in the logs?



  • @viragomann
    That's why I brought it up, maybe some kind of bug causing it to leave maintenance mode while rebooting?

    I can't think of any network config that would matter here?
    Considering failover has already successfully happened.

    They are physical machines w/ i350 NICs.

    Also further testing revealed this only happens occasionally,
    so going to be hard to track down.


  • LAYER 8 Rebel Alliance

    I just tried to reproduce this but it is not happening to me.
    How exactly are you checking for traffic flow? What happens in Status > CARP on your secondary node after switching the primary to maintenance mode and reboot?

    -Rico



  • In case anyone finds this in the future,
    I was just missing an outbound NAT rule.

    Without that, your outbound connections are just using the firewall IP, rather than the CARP IP.
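
Added example (not from the thread or the pfSense project): a Python check for the condition the final post describes, flagging outbound NAT states whose translated source is a node's own WAN address instead of the CARP VIP. The interface names, the addresses and the sample lines are constructed, and the line shape assumed for `pfctl -ss` output is noted in the code.

```python
import ipaddress
import re

# Assumed line shape for a NATed outbound state as listed by `pfctl -ss`:
#   IFACE PROTO NAT_ADDR:PORT (LAN_ADDR:PORT) -> DST:PORT STATE
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<nat>[\d.]+):(?P<nport>\d+)\s+"
    r"\((?P<lan>[\d.]+):(?P<lport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def states_not_on_vip(lines, wan_iface, carp_vip):
    """Return (lan, nat, dst) for NATed states on wan_iface not translated to the CARP VIP.

    Such states are bound to one node's own address, so the peer cannot
    carry them after a failover even though pfsync copied them over.
    """
    vip = ipaddress.ip_address(carp_vip)
    findings = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m or m["iface"] != wan_iface:
            continue  # not a NATed state on the WAN interface
        if ipaddress.ip_address(m["nat"]) != vip:
            findings.append((m["lan"], m["nat"], f'{m["dst"]}:{m["dport"]}'))
    return findings


# Constructed sample using documentation address ranges:
# CARP VIP = 203.0.113.1, primary's own WAN address = 203.0.113.2
SAMPLE = """\
igb0 tcp 203.0.113.2:51234 (192.168.1.10:51234) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.1:40022 (192.168.1.11:40022) -> 198.51.100.7:22 ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.1.10:51234 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
igb0 udp 203.0.113.2:123 -> 198.51.100.9:123 MULTIPLE:MULTIPLE
""".splitlines()

if __name__ == "__main__":
    for lan, nat, dst in states_not_on_vip(SAMPLE, "igb0", "203.0.113.1"):
        print(f"{lan} -> {dst} leaves as {nat}, not the CARP VIP")
```

The last sample line is the firewall's own un-NATed traffic, which legitimately uses the node address and is not flagged.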

