OpenVPN restarts on slave after XMLRPC sync

saymeeeow

Hello everyone,

We're experiencing issues with XMLRPC sync. When we do a change in master (for example, adding a new user), OpenVPN resyncs in slave, causing network problems to users connected to that OpenVPN instances.

We're running 2.4.5 version on both master and slave hosts.

I'm referencing this old post as seems to be experiencing the same issue:
Re: issues with xmlrpc sync after upgrade from 2.4.3 to 2.4.4-RELEASE-p2

On High Availability Sync settings we're syncing these options:

Logs on slave pfSense:

Dec 29 08:52:35	check_reload_status		Starting packages
Dec 29 08:52:35	check_reload_status		Reloading filter
Dec 29 08:52:35	php-fpm		/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.236.1 - Restarting packages.
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip called with empty interface.
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip: on (IP address: 10.110.236.1) (interface: []) (real interface: ovpns2).
Dec 29 08:52:35	php-fpm		/rc.newwanip: rc.newwanip: Info: starting on ovpns2.
Dec 29 08:52:34	check_reload_status		Starting packages
Dec 29 08:52:34	check_reload_status		Reloading filter
Dec 29 08:52:34	php-fpm		/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.244.1 - Restarting packages.
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip called with empty interface.
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip: on (IP address: 10.110.244.1) (interface: []) (real interface: ovpns1).
Dec 29 08:52:34	php-fpm		/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Dec 29 08:52:34	php-fpm		OpenVPN PID written: 94356
Dec 29 08:52:34	check_reload_status		rc.newwanip starting ovpns2
Dec 29 08:52:34	kernel		ovpns2: link state changed to UP
Dec 29 08:52:33	kernel		ovpns2: link state changed to DOWN
Dec 29 08:52:33	php-fpm		OpenVPN terminate old pid: 85457
Dec 29 08:52:33	php-fpm		OpenVPN PID written: 76872
Dec 29 08:52:33	check_reload_status		rc.newwanip starting ovpns1
Dec 29 08:52:33	kernel		ovpns1: link state changed to UP
Dec 29 08:52:33	check_reload_status		Reloading filter
Dec 29 08:52:33	kernel		ovpns1: link state changed to DOWN
Dec 29 08:52:33	php-fpm		OpenVPN terminate old pid: 67395
Dec 29 08:52:33	php-fpm		/xmlrpc.php: Resyncing OpenVPN instances.
Dec 29 08:52:33	php-fpm		/xmlrpc.php: Gateway, none 'available' for inet6, use the first one configured. ''
Dec 29 08:52:33	check_reload_status		Reloading filter
Dec 29 08:52:33	check_reload_status		Syncing firewall

Anyone have any idea if this behavior is normal and if it is not, how to fix it?

Many thanks

pcosta

@saymeeeow said in OpenVPN restarts on slave after XMLRPC sync:

pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.110.236.1 - Restarting packages.

Hey @saymeeeow it seems the appliance is receiving a new IP address on its WAN interface and thus restarting the OpenVPN daemon even though the OpenVPN configuration is not sync'd.

saymeeeow

Hi @pcosta,

You're right, it seems the WAN interface is reconnecting and thus, restarting all the packages.
We think that's because our WAN interface is configured to use DHCP instead of having a static IP.

As our pfSenses are running in AWS, we're not sure if configuring a static IP in the pfSense interface is a good practice, so we're going to ask AWS support if it's OK to do that. If it is, we'll change the interface configuration and see if it fixes the problem.

We'll keep you updated.

Thanks

saymeeeow

Well... so AWS answered us and there's no problem with changing the WAN IP address to static.

We've done that on both pfSense and forced a sync, but the problem still persists...

Any other thoughts?

Thanks!

viktor_g

@saymeeeow this is a know bug: https://redmine.pfsense.org/issues/11082

you could try to replace xmlrpc.php on slave with this file:
xmlrpc.php.zip

be careful, it's not 100% tested

saymeeeow

Hi @viktor_g,

First of all thanks for sharing this information with us, we didn't know it was a known bug.
We've been comparing the XMLRPC.php file from our pfSense with yours and we see too much differences, so we prefer to wait for an official update that hopefully fixes this issue.

Many thanks

netblues

@saymeeeow This is as official as it gets.

Redmine says its scheduled after version 2.5
So its gonna take a while.

I'm also experiencing issues with openvpn
Used as a client, when secondary node restarts, even though isn't master, openvpn client starts, causing havoc to main instance.

Straight forward to replicate.