OpenVPN restarts on slave after XMLRPC sync

HA/CARP/VIPs
Log in to reply
  • S

    Hello everyone,

    We're experiencing issues with XMLRPC sync. When we do a change in master (for example, adding a new user), OpenVPN resyncs in slave, causing network problems to users connected to that OpenVPN instances.

    We're running 2.4.5 version on both master and slave hosts.

    I'm referencing this old post as seems to be experiencing the same issue:
    Re: issues with xmlrpc sync after upgrade from 2.4.3 to 2.4.4-RELEASE-p2

    On High Availability Sync settings we're syncing these options:

    fwsync2.png

    Logs on slave pfSense:

    Dec 29 08:52:35	check_reload_status		Starting packages
Dec 29 08:52:35	check_reload_status		Reloading filter
Dec 29 08:52:35	php-fpm		/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.236.1 - Restarting packages.
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip called with empty interface.
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip: on (IP address: 10.110.236.1) (interface: []) (real interface: ovpns2).
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip: Info: starting on ovpns2.
Dec 29 08:52:34	check_reload_status		Starting packages
Dec 29 08:52:34	check_reload_status		Reloading filter
Dec 29 08:52:34	php-fpm		/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.244.1 - Restarting packages.
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip called with empty interface.
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip: on (IP address: 10.110.244.1) (interface: []) (real interface: ovpns1).
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Dec 29 08:52:34	php-fpm		OpenVPN PID written: 94356
Dec 29 08:52:34	check_reload_status		rc.newwanip starting ovpns2
Dec 29 08:52:34	kernel		ovpns2: link state changed to UP
Dec 29 08:52:33	kernel		ovpns2: link state changed to DOWN
Dec 29 08:52:33	php-fpm		OpenVPN terminate old pid: 85457
Dec 29 08:52:33	php-fpm		OpenVPN PID written: 76872
Dec 29 08:52:33	check_reload_status		rc.newwanip starting ovpns1
Dec 29 08:52:33	kernel		ovpns1: link state changed to UP
Dec 29 08:52:33	check_reload_status		Reloading filter
Dec 29 08:52:33	kernel		ovpns1: link state changed to DOWN
Dec 29 08:52:33	php-fpm		OpenVPN terminate old pid: 67395
Dec 29 08:52:33	php-fpm		/xmlrpc.php: Resyncing OpenVPN instances.
Dec 29 08:52:33	php-fpm		/xmlrpc.php: Gateway, none 'available' for inet6, use the first one configured. ''
Dec 29 08:52:33	check_reload_status		Reloading filter
Dec 29 08:52:33	check_reload_status		Syncing firewall

    Anyone have any idea if this behavior is normal and if it is not, how to fix it?

    Many thanks

    P 1 Reply 0
  • P

    @saymeeeow said in OpenVPN restarts on slave after XMLRPC sync:

    pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.236.1 - Restarting packages.

    Hey @saymeeeow it seems the appliance is receiving a new IP address on its WAN interface and thus restarting the OpenVPN daemon even though the OpenVPN configuration is not sync'd.

    S 1 Reply 0
  • S

    Hi @pcosta,

    You're right, it seems the WAN interface is reconnecting and thus, restarting all the packages.
    We think that's because our WAN interface is configured to use DHCP instead of having a static IP.

    As our pfSenses are running in AWS, we're not sure if configuring a static IP in the pfSense interface is a good practice, so we're going to ask AWS support if it's OK to do that. If it is, we'll change the interface configuration and see if it fixes the problem.

    We'll keep you updated.

    Thanks

    S 1 Reply 0
  • S

    Well... so AWS answered us and there's no problem with changing the WAN IP address to static.

    We've done that on both pfSense and forced a sync, but the problem still persists...

    Any other thoughts?

    Thanks!

    viktor_g 1 Reply 0
  • viktor_g

    @saymeeeow this is a know bug: https://redmine.pfsense.org/issues/11082

    you could try to replace xmlrpc.php on slave with this file:
    xmlrpc.php.zip

    be careful, it's not 100% tested

    1
  • S

    Hi @viktor_g,

    First of all thanks for sharing this information with us, we didn't know it was a known bug.
    We've been comparing the XMLRPC.php file from our pfSense with yours and we see too much differences, so we prefer to wait for an official update that hopefully fixes this issue.

    Many thanks

    N 1 Reply 0
  • N

    @saymeeeow This is as official as it gets.

    Redmine says its scheduled after version 2.5
    So its gonna take a while.

    I'm also experiencing issues with openvpn
    Used as a client, when secondary node restarts, even though isn't master, openvpn client starts, causing havoc to main instance.

    Straight forward to replicate.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2021 Rubicon Communications, LLC | Privacy Policy