Netgate Discussion Forum

    How seamless is HA Failover in pfSense

    • UserCo

      Hello,

      I have 2 identical pfSense boxes set up in my lab and the failover works quite well. If I disconnect one interface on the primary, it correctly fails over to the secondary. However, I don't know how seamless the transition should be. If a download is running on a client behind the 2 firewalls and the primary fails, shouldn't the download on the client continue without disconnecting, as the failover should transfer all the states? Because it does not in my setup. Am I missing something? When I try a ping test to, let's say, the Google DNS, a failover only loses one to two pings.

      Any help is appreciated
      Thanks

      • stephenw10 Netgate Administrator

        Yes, normally a TCP connection like that should continue. The states are sync'd between the nodes.

        • UserCo @stephenw10

          Thanks @stephenw10. I have set up all of the interfaces with CARP VIPs, including the WAN, and have also adapted the outbound NAT config according to the docs. However, when I test it on a client, the download stops and does not even resume itself. If I look into pftop, I see that the states are correctly copied over. What could be the issue here?

          • stephenw10 Netgate Administrator

            The CARP VIPs must all fail over. The states must be via the CARP VIPs so they are valid on both nodes. The interfaces must line up between the nodes so the states are valid.

            https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html

            Steve

            • UserCo @stephenw10

              Thank you @stephenw10

              Turned out to be a config issue on my site which I missed (forgot to add the sync states checkbox on the secondary node).

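The conditions named in this thread (state sync enabled on both nodes, CARP VIPs on every interface, interfaces lining up between the nodes) can be checked offline against the two nodes' configuration exports. The script below is an added example, not code from the thread or from Netgate; the XML element names are assumed to follow the pfSense config.xml layout, and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). Element names are assumed
# to follow the pfSense config.xml layout.
PRIMARY = """<pfsense>
<interfaces><wan><if>igb0</if></wan><lan><if>igb1</if></lan><opt1><if>igb2</if></opt1></interfaces>
<virtualip>
<vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><subnet>198.51.100.10</subnet></vip>
<vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid><subnet>192.168.1.1</subnet></vip>
</virtualip>
<hasync><pfsyncenabled>on</pfsyncenabled><pfsyncinterface>opt1</pfsyncinterface></hasync>
</pfsense>"""
# Secondary as in the thread's resolution: the state sync option is missing.
SECONDARY = PRIMARY.replace("<pfsyncenabled>on</pfsyncenabled>", "")

def summarize(xml_text):
    """Extract the HA-relevant settings from one node's config export."""
    root = ET.fromstring(xml_text)
    ifaces = {n.tag: n.findtext("if") for n in root.find("interfaces")}
    vips = {(v.findtext("interface"), v.findtext("vhid"), v.findtext("subnet"))
            for v in root.iter("vip") if v.findtext("mode") == "carp"}
    return {"pfsync": root.findtext("hasync/pfsyncenabled") is not None,
            "sync_if": root.findtext("hasync/pfsyncinterface"),
            "ifaces": ifaces, "vips": vips}

def check_pair(primary_xml, secondary_xml):
    """Return a list of mismatches that would invalidate synced states."""
    p, s = summarize(primary_xml), summarize(secondary_xml)
    problems = []
    for name, node in (("primary", p), ("secondary", s)):
        if not node["pfsync"]:
            problems.append(f"{name}: state synchronization (pfsync) is not enabled")
    if p["sync_if"] != s["sync_if"]:
        problems.append("pfsync interface differs between nodes")
    if p["ifaces"] != s["ifaces"]:
        problems.append("interface assignments do not line up between nodes")
    for vip in sorted(p["vips"] ^ s["vips"]):
        problems.append(f"CARP VIP present on only one node: {vip}")
    for name in p["ifaces"]:
        if name != p["sync_if"] and name not in {v[0] for v in p["vips"]}:
            problems.append(f"primary: interface {name} has no CARP VIP")
    return problems

if __name__ == "__main__":
    for line in check_pair(PRIMARY, SECONDARY) or ["no mismatches found"]:
        print(line)
```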
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.