HA failover - FRR needs force service restart on backup firewall otherwise routing never works

nzkiwi68

21.05 and FRR 1.1.0_13

Tested on 2 customers, both have the same issue.

• HA firewall pair XG-1537

• WAN1 and WAN2

• IPSEC VTI interfaces on WAN1 and WAN2 built on the CARP interfaces

• Using OSFP and BFD on the VTI interfaces only

The issue
On failover, after a number of minutes the IPSEC VPN tunnels build on the backup firewall, but, routing never works. In fact, FRR firstly never starts on the backup firewall even though it's set to monitor carp LAN interface.

If you make FRR not monitor CARP but run always, it still doesn't work. Once all the VPN tunnels are up, BFD and OSFP show no neighbours and nothing works until you do a force start FRR.

Ignore IPsec Restart is UNchecked.

nzkiwi68

@nzkiwi68

I see https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade

Could it be that I need to apply a system patch?

If yes, is it;
7dbe76cd5756082cbd67db1b93acb606ad84996e
or the later one
99b3a5cb0ef4586222a331045df3cee17bb25d31

from:
https://redmine.pfsense.org/issues/11290#note-12