When switching from one node to another, connections are reset!
-
Hello All
I'm going mad with my CARP configuration. Quite simple as it seems:
2 pf in CARP mode
2 VIPs (one LAN, one WAN)
All CARP events are OK (switching from one to the other, tunnels, etc.) EXCEPT that all the active sessions seem to be reset when CARP switches to MASTER on the backup node. For instance, an RDP session freezes for 10 seconds and reconnects when the switch is done. The same happens when I switch back to the MAIN node.
I checked everything; my config looks good.
My opinion is that the states from the MASTER are not carried over properly to the SLAVE, but I do not know why at this stage.
Here is a capture of one state for an FTP session on the master:
Here we see the same state synced to the slave:
But I notice that on the slave the interfaces are not correct. It should be LAN or WAN but we have ALL!!
I do not know if this is normal or not.
Thanks for your help
Emmanuel -
@manu77
Update: This old ticket points to exactly the same behaviour.
It seems to be a bug that has not been fixed to this day. -
Update: I noticed today that version 2.5.2 is not affected by the problem and everything works as it should. All the states are correctly named by interface on each node, and I do not have states with the interface named "all".
I'm wondering if this HA state sync has been broken with version 2.6 and now 2.7 -
Hello All
With version 2.7.2, we still face the problem.
If someone could look at and fix this bug in the next release, it would be really appreciated.
Switching from one firewall to another with disconnection is so boring for everyone.
Thanks
-
@manu77 I looked at our router2 and I also see "all" however we've never had a problem with connections dropping.
Did you find:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html#state-synchronization-problems-pfsync -
@SteveITS
Thanks for looking at this problem. Of course I checked everything before posting. I have a lot of firewalls in CARP mode (maybe 100) and I lost transparent switches between the firewalls since version 2.6, but I didn't notice it just after the upgrades. It took me some months of tests...
If you want to see what really happens:
1 Open an RDP session outside of your network, which will create a TCP session very easy to follow.
2 Go to CARP on the master node and place it under maintenance.
3 You should lose your session until the firewall which became master recreates it, because this state is not properly transferred from the master to the slave (firewall) before the CARP switch.
You can also replay this, but at step 3 do not wait too long (10 seconds), and follow these steps:
4 Go to CARP on the master and reset CARP maintenance.
5 You should now recover your RDP session without any delay. This is possible because the state of your RDP session was created on the master before switching. So if you do not wait too long, this state is still there, and when you come back to the firewall which created the states you need, you have no problem!
To cut a long story short:
When a CARP switch occurs between 2 nodes, all the states in place on the node which was master before the switch are not usable by the node which becomes the master. So all the states are recreated by this node, with the cuts and disconnections you can imagine. -
@manu77 I just tested with RDP and did not get dropped at your step 3...
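
Added example, not part of any post in this thread: a small Python check for the symptom discussed above, comparing a state dump saved from each node (for instance the output of `pfctl -ss`) and listing states that are missing on the backup or bound to a different interface there, such as "all". The line layout is an assumption, and the interface names, addresses and sample dumps are constructed.

```python
# Added example. Assumption: each state line reads
# "<interface> <proto> <endpoints ...> <state>", endpoints holding "->" or "<-".

def parse_states(dump):
    """Map (proto, endpoints) -> bound interface for every state line."""
    states = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 6 or not {"->", "<-"} & set(parts):
            continue  # header, blank or unrecognised line
        iface, proto = parts[0], parts[1]
        endpoints = " ".join(parts[2:-1])  # last field is the state pair
        states[(proto, endpoints)] = iface
    return states


def compare_nodes(master_dump, backup_dump):
    """Report master states that are absent or differently bound on the backup."""
    master = parse_states(master_dump)
    backup = parse_states(backup_dump)
    report = {"missing": [], "rebound": []}
    for key, iface in master.items():
        if key not in backup:
            report["missing"].append(key)
        elif backup[key] != iface:
            report["rebound"].append((key, iface, backup[key]))
    return report


# Constructed sample dumps (documentation address ranges, made-up interfaces).
MASTER_SAMPLE = """
igb1 tcp 203.0.113.5:3389 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:61000 (192.168.1.10:51234) -> 203.0.113.5:3389       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.1:53 <- 192.168.1.10:40000       SINGLE:MULTIPLE
"""
BACKUP_SAMPLE = """
all tcp 203.0.113.5:3389 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.2:61000 (192.168.1.10:51234) -> 203.0.113.5:3389       ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    result = compare_nodes(MASTER_SAMPLE, BACKUP_SAMPLE)
    for key, on_master, on_backup in result["rebound"]:
        print(f"interface differs: {key[0]} {key[1]} ({on_master} vs {on_backup})")
    for key in result["missing"]:
        print(f"missing on backup: {key[0]} {key[1]}")
```

Taking both dumps while a long-lived test session is open, before the CARP switch, shows whether that session's state reached the backup at all and which interface it is bound to there.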