Sync not working

jeffsmith82 · Nov 2, 2023, 7:19 PM

I have two server both running "2.6.0-RELEASE (amd64)" recently it appears as though the sync has broken when it was working before.

I have created a heartbeat interface on both machines and there is a single cable connecting them both together each with these IP addresses

fire01 = 192.168.199.11/24
fire02 = 192.168.199.12/24

A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://192.168.199.12:443. Error: Operation timed out @ 2023-11-01 21:03:16

Both servers have allow all IPv4 traffic on the Heartbeat interface so shouldn't be that. I also cant ping between the IP's from one to other in both directions. They are both showing as UP on the UI.

The secondary firewall wont allow me to connect remotely over the WAN or ping either though the LAN interface works fine so i can connect to the UI. There are rules inplace to allow this.

This was all working until recently, any suggestions on how to diagnose whats wrong here?

viragomann · Nov 2, 2023, 7:19 PM

@jeffsmith82
Did you change the password of the Sync user?
If so you have to update it on both devices.

To ensure that the rule for the sync is applied, enable logging in its settings.

jeffsmith82 · Nov 2, 2023, 9:30 PM

@viragomann The sync password was changed. It has been updated on both devices and in the HA settings.

Not sure what logging your saying to switch on can you point us at it.

SteveITS · Nov 3, 2023, 7:30 AM

@jeffsmith82 said in Sync not working:

cant ping

Can or can't?

When I've set it up I use LAN to sync the config and leave the sync interface for only states. Also of note in my experience even though pfSense has a field for a sync username it only actually ever uses "admin." At least, last I tried.

viragomann · Nov 2, 2023, 10:40 PM

@jeffsmith82
Ensure that the password is correct on both. Update it at first on the secondary, then on the primary.

I was talking about logging the filter rule on the secondary's sync interface. So you can see if the packets even reach the interface.

jeffsmith82 · Nov 3, 2023, 7:30 AM

@SteveITS It cant ping. We change the admin username every time someone leaves which became a bit of a pain with syncing. It used to force you to use the admin account until a relativity recent version of pfsense. I have the sync user on it's own interface working on other machines running 2.6 as well.

Will switch on logging and see if any traffic is being sent across the interface.

viragomann · Nov 3, 2023, 11:42 AM

@jeffsmith82 said in Sync not working:

We change the admin username every time someone leaves which became a bit of a pain with syncing. It used to force you to use the admin account until a relativity recent version of pfsense.

Yeah, you should rather use a special sync user for doing the sync. Just need to grant him the "System - HA node sync" privilege.
There would not be any need to change his password then.

It cant ping.

However, if you can't ping the secondary even it is allowed it might not be due to user authentication. So I would rather check the firewall rules (and enable logging as mentioned, also enable logging of the default deny rule in the log settings), a misconfigurated network or a hardware issue (cable).
Maybe you can post screens of your rules and some more related log lines.

jeffsmith82 · Nov 3, 2023, 12:56 PM

@viragomann Think the pfsense setup is fine. The 2 interfaces that are not working are on the same nic so assuming the nic is borked and will replace it.

SteveITS · Nov 3, 2023, 2:13 PM

@jeffsmith82 said in Sync not working:

used to force you to use the admin account until a relativity recent version

Oh, good to know, thanks.