HA Sync Errors and Documentation Unclear

boomi · Nov 27, 2021, 3:31 PM

I've resolved my issue but wanted to clarify a few questions, if only for future reference in case someone else does the same thing. Both firewalls are on whatever 2.5.2-RELEASE I was able to download yesterday.

1- Can you not use link local 169.254.0.0/16 for the sync interface? I picked 169.254.55.0/30, and prior to changing this to a different subnet (10.10.55.0/24), I repeatedly got the following:

Nov 27 09:46:11 fw1-a php-fpm[336]: /rc.filter_synchronize: Beginning XMLRPC sync data to https://169.254.55.2:443/xmlrpc.php.
Nov 27 09:46:21 fw1-a php-fpm[336]: /rc.filter_synchronize: A communications error occurred while attempting to call XMLRPC method host_firmware_version:
Nov 27 09:46:21 fw1-a php-fpm[336]: /rc.filter_synchronize: New alert found: A communications error occurred while attempting to call XMLRPC method host_firmware_version:
Nov 27 09:46:21 fw1-a php-fpm[336]: /rc.filter_synchronize: Beginning XMLRPC sync data to https://169.254.55.2:443/xmlrpc.php.
Nov 27 09:46:32 fw1-a php-fpm[336]: /rc.filter_synchronize: A communications error occurred while attempting to call XMLRPC method host_firmware_version:
Nov 27 09:46:32 fw1-a php-fpm[336]: /rc.filter_synchronize: New alert found: A communications error occurred while attempting to call XMLRPC method host_firmware_version:
Nov 27 09:46:32 fw1-a php-fpm[336]: /rc.filter_synchronize: XMLRPC versioncheck:  -- 21.7
Nov 27 09:46:32 fw1-a php-fpm[336]: /rc.filter_synchronize: The pfSense software configuration version of the other member could not be determined. Skipping synchronization to avoid causing a problem!

A packet capture did show bidirectional traffic. There's nothing in between the firewalls, they're just two VM's on an ESXi host at home.

2 - Does the default 'admin' have rights that are not itemized on the user manager page? I clearly (now) see and understand the comment in the guide stating "This must be admin, or the same user on both nodes with the “System - HA node sync” privilege".

What's surprising is that when I created my 'fwsyncuser' and assigned it to the 'admins' group, it does NOT have the same rights as 'admin'. I had to manually assign the 'System - HA node sync' privilege. I don't think it was unreasonable to assume that mimicking the group membership of the admin user would grant the same privileges. I would like the guide to specifically state that I have to manually make this assignment.

Without the sync privilege, I got the following, which is expected:

Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.55.3:443/xmlrpc.php.
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: Exception calling XMLRPC method host_firmware_version #-2 : Authentication failed: not enough privileges
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: New alert found: Exception calling XMLRPC method host_firmware_version #-2 : Authentication failed: not enough privileges
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.55.3:443/xmlrpc.php.
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: Exception calling XMLRPC method host_firmware_version #-2 : Authentication failed: not enough privileges
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: New alert found: Exception calling XMLRPC method host_firmware_version #-2 : Authentication failed: not enough privileges
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: XMLRPC versioncheck:  -- 21.7
Nov 27 10:05:52 fw1-a php-fpm[337]: /rc.filter_synchronize: The pfSense software configuration version of the other member could not be determined. Skipping synchronization to avoid causing a problem!