pfSense Nodes Configuration in High Availability and Latency Issue
-
Hi all,
I configured two pfSense nodes (latest version) in High Availability (HA) mode. Everything seemed to be working fine, but I noticed a significant increase in latency when connecting via HTTPS from the outside to one of my sites. With the HA configuration enabled, latency before displaying pages exceeds 1450 ms, whereas it was previously around 45 ms without HA.
Upon investigating, I discovered some strange behavior. While performing a packet capture on the WAN interface of the MASTER node, for TCP packets on port 443 coming from my external IP, I observed the following exchanges:
IP 85.xxx.251.xxx.35861 > 87.xxx.15.xxx.443: tcp 0
IP 85.xxx.251.xxx.35861 > 87.xxx.15.xxx.443: tcp 0
IP 85.xxx.251.xxx.35861 > 87.xxx.15.xxx.443: tcp 0
IP 85.xxx.251.xxx.35861 > 87.xxx.15.xxx.443: tcp 0
IP 85.xxx.251.xxx.35861 > 87.xxx.15.xxx.443: tcp 0
...
Oddly, there were no return packets.
To my surprise, the responses were being sent from the node in BACKUP mode, as shown in the sequence below:
IP 87.xxx.xxx.88.443 > 85.xxx.251.220
IP 87.xxx.xxx.88.443 > 85.xxx.251.220
IP 87.xxx.xxx.88.443 > 85.xxx.251.220
IP 87.xxx.xxx.88.443 > 85.xxx.251.220
IP 87.xxx.xxx.88.443 > 85.xxx.251.220
...
This situation is abnormal and I suspect it is causing the observed latency.
To resolve this issue and reduce latency, I am forced to disable the CARP protocol on the MASTER node. The BACKUP node then assumes the role of MASTER, and the latency issues disappear.
In advance, many thanks
-
@alkaid
So maybe your backend server is configured to use the secondary node as default gateway. The default gateway on your local devices behind the HA pair should be the CARP VIP of the subnet.
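The symptom in the original post (requests captured on the MASTER WAN, replies leaving the BACKUP WAN) can be confirmed mechanically by comparing the two captures per flow. The script below is an added example, not code from the post or from pfSense; it parses the "IP src.port > dst.port" lines tcpdump prints and flags any TCP flow whose two directions were never seen on the same node. The capture text and the addresses in it are constructed from documentation ranges, not the poster's real IPs.

```python
import re
from collections import defaultdict

# tcpdump prints TCP flows as "IP src.sport > dst.dport: ..." (the format
# quoted in the post). Capture lines below are constructed sample input.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")

MASTER_WAN = """\
IP 203.0.113.10.35861 > 198.51.100.1.443: tcp 0
IP 203.0.113.10.35861 > 198.51.100.1.443: tcp 0
IP 203.0.113.10.40000 > 198.51.100.1.22: tcp 0
IP 198.51.100.1.22 > 203.0.113.10.40000: tcp 0
"""
BACKUP_WAN = """\
IP 198.51.100.1.443 > 203.0.113.10.35861: tcp 0
IP 198.51.100.1.443 > 203.0.113.10.35861: tcp 0
"""

def parse_capture(text):
    """Return (src, sport, dst, dport) for every tcpdump line that matches."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            out.append((src, int(sport), dst, int(dport)))
    return out

def asymmetric_flows(captures):
    """captures maps node name -> WAN capture text from that node.
    Returns {flow_key: {"fwd": nodes, "rev": nodes}} for flows whose two
    directions were never both seen on one node. flow_key is the pair of
    (ip, port) endpoints in sorted order; "fwd" is key[0] -> key[1]."""
    seen = defaultdict(lambda: {"fwd": set(), "rev": set()})
    for node, text in captures.items():
        for src, sport, dst, dport in parse_capture(text):
            ends = ((src, sport), (dst, dport))
            key = tuple(sorted(ends))          # same key for both directions
            direction = "fwd" if ends == key else "rev"
            seen[key][direction].add(node)
    return {k: v for k, v in seen.items()
            if v["fwd"] and v["rev"] and not (v["fwd"] & v["rev"])}

if __name__ == "__main__":
    result = asymmetric_flows({"MASTER": MASTER_WAN, "BACKUP": BACKUP_WAN})
    for (a, b), nodes in result.items():
        print(f"{a} -> {b} seen on {sorted(nodes['fwd'])}, "
              f"{b} -> {a} seen on {sorted(nodes['rev'])}")
```

A healthy flow (the port 22 sample) appears in both directions on the same node and is not reported; the port 443 flow is reported because its request and reply were captured on different nodes, which is what a wrong default gateway on the backend host produces.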