HA sync results in Interface not found: '_vip577745067c45c' on backup
-
Per https://docs.netgate.com/pfsense/en/latest/highavailability/ipsec.html if I set up IPSec using the CARP/shared WAN IP, and check the box to sync "IPsec configuration," on the backup router the config shows up but the selected interface is:
Interface not found: '_vip577745067c45c'
On the primary it is correct/valid. The shared IP is of course on the backup router, and if I edit the tunnel on the backup router I can select that shared IP. I noticed in the Interface dropdown the value for that IP is "_vip57772fa53342c" not "_vip577745067c45c." In fact no interfaces on the routers have the same value.
How should I correct this? Or do I just turn off IPSec sync and set them independently?
-
Has anyone set up IPSec using a shared CARP IP, successfully?
-
I've been informed, "If you have XMLRPC sync the VIPs that would work as the IDs would match on both. VIPs have to be tracked by ID, not IP address. Thus you have an unsupported configuration if you are managing the VIPs by hand but expecting other areas of the configuration to sync via XMLRPC."
It's been years since it was set up, but if I go back I do see "Virtual IPs" is unchecked in the HA sync settings. I had to dig into deep areas of my brain but looking at the config, I think it's because we have one IP alias that isn't on the WAN or LAN CARP ranges and that needed to be different on the two, so the VIPs couldn't be synced. I didn't play with that though.
What I did was edit the <uniqid>xxxx</uniqid> values in the backup router to match those on the primary router, and restore. That seems to have resolved this error message.
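
A check for the mismatch discussed in this thread, added here as an example and not part of the original posts or of pfSense itself: it compares two config.xml exports and reports IPsec phase 1 entries whose `_vip<uniqid>` interface has no matching VIP on that node, plus VIPs that are identical on both nodes except for `<uniqid>`. The element layout (`<virtualip><vip>`, `<ipsec><phase1><interface>`) is an assumption about the config.xml format, and the sample configs are constructed, reusing the two IDs quoted above with a documentation IP address.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed config.xml samples (not real exports).
PRIMARY = """<pfsense>
  <virtualip><vip><mode>carp</mode><interface>wan</interface>
    <uniqid>577745067c45c</uniqid><subnet>198.51.100.10</subnet></vip></virtualip>
  <ipsec><phase1><ikeid>1</ikeid><interface>_vip577745067c45c</interface></phase1></ipsec>
</pfsense>"""
# Backup: VIP created by hand (different uniqid), IPsec section synced from primary.
BACKUP = PRIMARY.replace("<uniqid>577745067c45c", "<uniqid>57772fa53342c")


def vips(root):
    """Map uniqid -> (mode, interface, subnet) for every <vip> entry."""
    return {
        v.findtext("uniqid"): (v.findtext("mode"), v.findtext("interface"), v.findtext("subnet"))
        for v in root.iter("vip")
    }


def dangling_ipsec_refs(root):
    """Phase 1 entries bound to a _vip<uniqid> that does not exist on this node."""
    known = vips(root)
    out = []
    for p1 in root.iter("phase1"):
        iface = p1.findtext("interface", "")
        if iface.startswith("_vip") and iface[len("_vip"):] not in known:
            out.append((p1.findtext("ikeid"), iface))
    return out


def uniqid_mismatches(primary, backup):
    """VIPs with the same mode/interface/address on both nodes but different uniqid."""
    by_key = {key: uid for uid, key in vips(backup).items()}
    return [
        (key[2], uid, by_key[key])
        for uid, key in vips(primary).items()
        if key in by_key and by_key[key] != uid
    ]


if __name__ == "__main__":
    pri, bak = ET.fromstring(PRIMARY), ET.fromstring(BACKUP)
    for ikeid, iface in dangling_ipsec_refs(bak):
        print(f"backup: phase1 ikeid={ikeid} references missing {iface}")
    for addr, p_uid, b_uid in uniqid_mismatches(pri, bak):
        print(f"VIP {addr}: primary uniqid={p_uid}, backup uniqid={b_uid}")
```

Running it against exports from both nodes before enabling IPsec sync shows which VIPs would fail to resolve on the backup.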