Sticky connections not working with dual WAN
-
Sure, failover I get. But that wouldn't need to be in a load balancing setup to do that ;) heheh
What I would suggest is to try and validate if this other connection is being created after the original state is closed. You could just sniff on your client. Do you see or send a FIN at any time?
And that is when the WAN changes.
-
It's getting a bit above me now, which is why I was hoping I could let you TeamViewer in and maybe take a look?
You'd have all the answers in 5 minutes rather than going back and forth through this monkey ;)
-
@Daskew78 You shouldn't really care about states being closed when you have a stickiness of 1200.
As the documentation says, if you have stickiness 0, then the load balancing path is re-evaluated when connections are closed (and we could discuss if this means FIN_WAIT etc.).
But a stickiness of 1200 means 1200 seconds AFTER the connection is closed, if a new request comes from the same IP to the same host it will leave from the same gateway. I insist: stickiness works fine in a multi-WAN SSL load balancing scenario.
And consider this workaround too:
https://redmine.pfsense.org/issues/6025, quoting:
"Also of note, when the weights differ, even though the gateways have a specific order with repetition in the rule, pf seems to still flip back and forth, though the general ratio of the weights is respected. For example with WAN1=3, WAN2=2:"
I had the same issues as you do until I made 2 the default weight on both load balancing connections.
Deeper issues are suspected, as redmine says.
Please consider testing the workaround.
-
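One way to check the stickiness semantics described above against what the firewall actually did, as an added example that is not code from this thread or from pfSense: it models source tracking keyed on the client address (an assumption of the model) with the 1200 s timeout, and flags every new connection that left by a different gateway while the client's entry was still live. The event lines are constructed for the example, not real pfSense output.

```python
from collections import defaultdict

STICKINESS = 1200  # source-tracking timeout in seconds, as set in the thread

# Constructed sample (not real pfSense output): "<seconds> <client> <gateway> open|close"
SAMPLE_EVENTS = """\
0    192.168.1.10 WAN1 open
0    192.168.1.12 WAN1 open
5    192.168.1.11 WAN2 open
10   192.168.1.11 WAN2 close
30   192.168.1.10 WAN1 close
600  192.168.1.10 WAN2 open
620  192.168.1.10 WAN2 close
1100 192.168.1.11 WAN2 open
2000 192.168.1.10 WAN1 open
3000 192.168.1.12 WAN1 open
3100 192.168.1.12 WAN2 open
"""


def parse_events(text):
    # Returns (time, client, gateway, action) tuples sorted by time.
    events = []
    for line in text.splitlines():
        if line.strip():
            t, client, gw, action = line.split()
            events.append((int(t), client, gw, action))
    return sorted(events, key=lambda e: e[0])


def find_sticky_violations(events, timeout=STICKINESS):
    """An entry pins a client to one gateway while it has open states and for
    `timeout` seconds after its last state closes. Return every new connection
    that left by another gateway while the client's entry was live."""
    entry = {}                      # client -> (gateway, expires_at)
    open_states = defaultdict(int)  # client -> number of open states
    violations = []
    for t, client, gw, action in events:
        if action == "open":
            pinned = entry.get(client)
            live = pinned is not None and (
                open_states[client] > 0 or t <= pinned[1])
            if live and pinned[0] != gw:
                violations.append((t, client, pinned[0], gw))
            entry[client] = (gw, None)  # follow the gateway actually used
            open_states[client] += 1
        elif client in entry:
            open_states[client] = max(0, open_states[client] - 1)
            if open_states[client] == 0:
                entry[client] = (entry[client][0], t + timeout)
    return violations
```

In the sample, 192.168.1.10 flips to WAN2 at t=600 while its entry is still within the 1200 s window (the symptom this thread is about), and 192.168.1.12 flips while it still has states open; the other events are consistent with stickiness.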
Yeah, sure seems that issue is exactly what you're seeing... I would do what @netblues says and that should fix up your issue, I would hope.
-
Yup..
-
Well if that's the case it is a bug then. But at least there appears to be a workaround.
I'll test it now, cheers again :)
-
@Daskew78 nope.
We suggest putting a weight of 2 on both gateways and load balancing them as both Tier 1, with a stickiness of 2500.
-
As you see, yes, there is a redmine on it ;)
Currently targeted at 2.5 - but it's been pushed many times already.. So wouldn't expect... This thread could get added to that redmine, I would think.. Might put a bit more weight on looking into it.
-
Sorry, I spoke a little too soon... Should I also set the sticky connections back to "0"?
-
@Daskew78 NO, it won't work on web banking sites
-
Sorry, I was replying too fast and missed your update about setting the states to 2500.
I have set it to 2500 and set each gateway to Tier 1, but I can't see where to set a weight of 2. Where is the weight setting?
-
System > Routing > Edit Gateway > Display Advanced > Weight
-Rico
-
Ahhh, thank you... I'm testing now... will update shortly :)
-
Remember to clear states and source tracking.
-
Yeah, I cleared both, closed all browsers and tried again on 2 personal servers with single IPs and banking, but it's still happening.
I must admit it doesn't seem to be happening as much, but it is still happening.
-
I also see that you have the default gateway on a load balancing group.
Try to put the default gateway on a failover group (or just one of the lines). It is not recommended to do that.
Also, for debug purposes, make a policy routing rule just for HTTPS and put it ahead of the general load balancing rule, and redirect traffic to another load balancer (with the same members),
so as to make sure HTTPS traffic is not mixed with anything else, and retest.
-
Okay, I'll have to get back to you tomorrow as I have to go out now.
Thanks buddy :)
-
@netblues Sorry for the delay, I was busy yesterday...
I just want to check we are on the same page here:
"I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)." Are you referring to the firewall rules defining the gateway for each VLAN or the section in "System > Routing > Default Gateway"?
Also, I'm sorry, but I don't understand what you mean when you say:
"Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)" Please could you elaborate a little more on what you are suggesting?
Many thanks pal :)
-
@Daskew78 said in Sticky connections not working with dual WAN:
@netblues Sorry for the delay, I was busy yesterday...
I just want to check we are on the same page here:
"I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)." Are you referring to the firewall rules defining the gateway for each VLAN or the section in "System > Routing > Default Gateway"?
Yes..
Also, I'm sorry, but I don't understand what you mean when you say:
"Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)" Please could you elaborate a little more on what you are suggesting?
see here
Many thanks pal :)
SSL failover load balances first and fails over if both lines are not available,
so we just make sure HTTPS traffic is handled by the policy rule.
You can also log packets if needed.