pfBlocker 3.0.0_16 / pfSense 2.5.1 / HA / CARP / LAN NIC loses IP and reverts to 0.0.0.1/8!
-
Hi all,
I have been trying to figure out why the above happens (I also posted a thread in the CARP section thinking it was a CARP problem with 2.5.1, but the issue is directly related to the pfBlocker CARP VIP interface only). To sum it up briefly, I have several HA / CARP / pfBlocker installations running fine on 2.5.0. I upgraded my office HA setup first, and immediately after the upgrade to 2.5.1 I noticed DNS requests failing. After investigation and several tests I realized that unbound was no longer listening on the CARP VIP LAN address and that the second pfSense had lost its main LAN IP (!), reverting to 0.0.0.1/8 as shown here:
For whatever unknown reason the "real" LAN IP of em0 is being assigned a VHID and its IP is being removed. This is probably a script error at this point, as all the other CARP VIPs work fine when entering and exiting maintenance; even the 192.168.0.254 CARP VIP on this same interface remains. Is there any way to investigate the scripts or actions done by pfBlocker when failing over? Apparently it does not fail immediately after failover but after 2-3 seconds, indicating there could be a script or chronology issue.
Any insight is appreciated!
-
I finally found what was causing the backup interface IPs to fail: the pfBlocker XMLRPC SYNCs the SKEW value of 0 instead of ignoring it and maintaining 100 as should be set on the SECOND node. Even if you set the SKEW to 100 on the second node, once a RELOAD and SYNC update completes this is overwritten to 0. Hence the CARP VIP craps out as soon as it becomes 0 (during the update) creating all kinds of havoc.
I know this value was specifically NOT synched as stated by the same BBcan in the Changelog to 3.0.0.x (-> * XMLRPC Sync Tab - Remove the CARP HA Skew from being sync'd) but somehow it is in this version.
I hope this will be fixed to avoid unwanted CARP VIPs crashing (and main associated IPs!).
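An added monitoring check for the failure mode described above (this is example code, not part of the thread or of the pfBlockerNG / pfSense projects). It assumes FreeBSD-style `ifconfig` output as pfSense prints it, where each CARP VIP appears as a `carp: STATE vhid N advbase N advskew N` line, and uses constructed sample output rather than anything captured from the poster's system. Run on a backup node it flags two symptoms: a VIP whose advskew has dropped to 0 after a sync, and an interface left holding only 0.0.0.1.

```shell
#!/bin/sh
# Constructed sample of pfSense (FreeBSD) ifconfig output for a BACKUP node
# AFTER a sync overwrote the skew: vhid 2 now carries advskew 0 and the
# interface's real address has been replaced by 0.0.0.1/8.
# (Constructed for this example; not captured from a real system.)
BROKEN_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255
        inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        inet 192.168.0.250 netmask 0xffffff00 broadcast 192.168.0.255 vhid 2
        carp: BACKUP vhid 1 advbase 1 advskew 100
        carp: MASTER vhid 2 advbase 1 advskew 0'

# Constructed sample of the same node in a healthy state: both VIPs BACKUP
# with advskew 100 and the real interface address (192.168.0.253) present.
HEALTHY_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        inet 192.168.0.250 netmask 0xffffff00 broadcast 192.168.0.255 vhid 2
        carp: BACKUP vhid 1 advbase 1 advskew 100
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# Print one "vhid state advskew" line per CARP VIP found in ifconfig-style text.
# On a live box call it as: carp_skews "$(ifconfig)"
carp_skews() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $4, $2, $8 }'
}

# Count VIPs whose advskew is 0. On a node meant to be BACKUP that count should
# be 0; a sync that pushes skew 0 here makes the node claim MASTER and is the
# trigger for the breakage described in the thread. Prints the count; exit
# status is 0 when clean, 1 when any offending VIP was found.
find_bad_skew() {
    bad=$(carp_skews "$1" | awk '$3 == 0 { n++ } END { print n + 0 }')
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Count interfaces that have fallen back to the 0.0.0.1 placeholder address,
# i.e. whose real (non-VIP) address was removed. Prints the count.
lost_primary_ip() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*inet 0\.0\.0\.1 '
}

# Report for a reader running this stand-alone; substitute "$(ifconfig)" for
# the sample variable on a real backup node.
check_node() {
    out="$1"
    rc=0
    if ! find_bad_skew "$out" >/dev/null; then
        echo "WARNING: CARP VIP(s) with advskew 0 on this node:" >&2
        carp_skews "$out" | awk '$3 == 0' >&2
        rc=1
    fi
    if [ "$(lost_primary_ip "$out")" -gt 0 ]; then
        echo "WARNING: interface address reverted to 0.0.0.1" >&2
        rc=1
    fi
    return $rc
}

check_node "$BROKEN_IFCONFIG" || echo "sample BROKEN node: problems found" >&2
check_node "$HEALTHY_IFCONFIG" && echo "sample HEALTHY node: clean" >&2
```

Dropped into a cron job on the secondary node (with `"$(ifconfig)"` in place of the sample text), `check_node` gives an alert the moment a pfBlocker reload and sync has pushed the skew to 0, which is earlier than waiting for DNS to fail on the VIP.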
-
Our data center is still on 2.4.5 so thanks for the heads up on this issue.
I changed the update frequency on one of the feeds (2 hours to 4 hours), ran an Update, and that one change didn't get synced to the backup node.
For posterity, here is Viktor's redmine entry for your bug from the HA forum.