Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    High Avail secondary node IPs - How to find it

    Scheduled Pinned Locked Moved General pfSense Questions
    45 Posts 4 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      Hey folks,
      Im taking over a pfsense High Availability installation at a remote site.
      There isn't a lot of good documentation unfortunately so I'm trying to see what the secondary pfSense IPs are. Is there a way to get that information?
      You would think that the IPs are assigned in order , .1 for the VIP .2 for the primary .3 for the secondary but I'm quickly finding that it isn't the case.

      Maybe there's a cli way to get that info because the GUI status page isn't really reflective of who the peer is.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @michmoor
        last edited by

        @michmoor
        Log into the secondary's Web GUI and check out Status > Interfaces.

        If you don't know any of the secondary's interface IPs go to System > High Availability on the primary and pick the sync IP.
        Ensure that the sync subnet is routed over your VPN. If it isn't add a route for it. Also ensure that there is an outbound NAT rule in place on the sync interface as described in Troubleshooting VPN Connectivity to a High Availability Secondary Node and that access to the sync IP is allowed by firewall rules

        Then you should be able to connect to the secondary's sync IP.

        M 1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Yup the primary will reference the secondary sync IP and you may be able to access it using that. That does depend on what the sync interface allows, though a lot of users will allow anything there if it's a direct connection.

          M 1 Reply Last reply Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance @stephenw10
            last edited by

            @stephenw10 @viragomann
            Thank you both you are correct!
            Now the secondary isn’t responding to ssh or https. Yet there are no errors when syncing. Weird. .

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @michmoor
              last edited by

              @michmoor
              Did you check the outbound NAT and firewall rules on the sync interface?

              1 Reply Last reply Reply Quote 0
              • M
                michmoor LAYER 8 Rebel Alliance @viragomann
                last edited by

                @viragomann hmm

                Maybe thats the problem? I am trying to access the secondary node over VPN.

                Here are the outbound rules i am using

                f706a02c-bf57-4ae3-a353-8a59d55c17a9-image.png

                Source - My office LAN address that goes over the VPN
                Destination - pfSync address of the backup node
                NAT Address - That is the LAN address of the master (not the VIP lan address)

                Is this accurate?

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                M 1 Reply Last reply Reply Quote 0
                • M
                  michmoor LAYER 8 Rebel Alliance @michmoor
                  last edited by michmoor

                  Ok...That fixed it. It was the outbound NAT rule requirement

                  Backup node is accessible over VPN and boy..........does not look good.

                  I also see packages not synced over - such as SUDO, OpenVPN client export, mtr...
                  Firewall rules are there but things appear missing.

                  d83be4bd-6b91-476c-b239-25829104ee87-image.png

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    SteveITS Galactic Empire @michmoor
                    last edited by

                    @michmoor I was going to say, disconnect the primary and log in using the shared IP. :)

                    Package installs do not automatically install on the secondary. Package config may sync if the package supports it.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @SteveITS
                      last edited by

                      @SteveITS Full disclousre. This is my second time working on a HA configuration on pfsense so the nuances I'm not familiar with namely package sync.

                      So on the standby node i have to manual install the same set of packages? Thats no problem i just wanted to be clear.

                      And get this....The secondary had the pfSync interface using WAN while the primary had the pfSync interface using the dedicated interface labeled HA

                      So clearly this can work but its so weird.

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        SteveITS Galactic Empire @michmoor
                        last edited by

                        @michmoor yeah…agree with your label.

                        https://docs.netgate.com/pfsense/en/latest/highavailability/settings.html

                        There is state sync and one-way config sync. The latter I’d think could be allowed on WAN by firewall rules, but why???

                        Yes install packages yourself.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                        M 1 Reply Last reply Reply Quote 0
                        • M
                          michmoor LAYER 8 Rebel Alliance @SteveITS
                          last edited by

                          @SteveITS
                          One last thing. Im using IPsec here and I'm testing failover. So far it does failover to the Backup node but i noticed the firewall rules are not syncing to my VTI interface.

                          According to the documentation i must create the interface manually which i understand but shouldn't the firewall rules come over as well?

                          Firewall: NetGate,Palo Alto-VM,Juniper SRX
                          Routing: Juniper, Arista, Cisco
                          Switching: Juniper, Arista, Cisco
                          Wireless: Unifi, Aruba IAP
                          JNCIP,CCNP Enterprise

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            viragomann @michmoor
                            last edited by

                            @michmoor
                            Yes, presumed you have configured the VTI interface on the backup node as well.

                            M 1 Reply Last reply Reply Quote 0
                            • M
                              michmoor LAYER 8 Rebel Alliance @viragomann
                              last edited by

                              @viragomann yep. Same interface assignment

                              Firewall: NetGate,Palo Alto-VM,Juniper SRX
                              Routing: Juniper, Arista, Cisco
                              Switching: Juniper, Arista, Cisco
                              Wireless: Unifi, Aruba IAP
                              JNCIP,CCNP Enterprise

                              M 1 Reply Last reply Reply Quote 0
                              • M
                                michmoor LAYER 8 Rebel Alliance @michmoor
                                last edited by

                                Im really not understanding why my VTI interfaces are not syncing up.
                                The interface assignments are the exact same

                                Master
                                49472093-4e44-4359-9ff3-c9c625924dce-image.png

                                Backup
                                6e4bb5ba-48eb-4626-8525-7cffd66eed28-image.png

                                de6128e4-e354-463c-8a36-6e6ca7b4fbc6-image.png

                                Yet the only interface with firewall rules not syncing is the VTI. Very strange behavior.

                                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                Routing: Juniper, Arista, Cisco
                                Switching: Juniper, Arista, Cisco
                                Wireless: Unifi, Aruba IAP
                                JNCIP,CCNP Enterprise

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Is it ipsec1 on the primary too or ipsec0?

                                  Yeah sync can work between any interfaces but it's much better to use a dedicated sync interface if you can.

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    michmoor LAYER 8 Rebel Alliance @stephenw10
                                    last edited by

                                    @stephenw10 ipsec1 on both. I shared pictures above

                                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                    Routing: Juniper, Arista, Cisco
                                    Switching: Juniper, Arista, Cisco
                                    Wireless: Unifi, Aruba IAP
                                    JNCIP,CCNP Enterprise

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Is the IPSec filter option set to VTI mode on both nodes?

                                      M 1 Reply Last reply Reply Quote 0
                                      • M
                                        michmoor LAYER 8 Rebel Alliance @stephenw10
                                        last edited by

                                        @stephenw10 Yep it sure is.

                                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                        Routing: Juniper, Arista, Cisco
                                        Switching: Juniper, Arista, Cisco
                                        Wireless: Unifi, Aruba IAP
                                        JNCIP,CCNP Enterprise

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Hmm, well it's possible to set individual rules to not sync. That might have been done for some reason.

                                          M 1 Reply Last reply Reply Quote 0
                                          • stephenw10S stephenw10 referenced this topic on
                                          • M
                                            michmoor LAYER 8 Rebel Alliance @stephenw10
                                            last edited by

                                            @stephenw10

                                            I thought the same as well but the "No XMLRPC Sync" checkbox is unchecked.

                                            Logs show no errors. I even tried re-creating the interface and still no luck

                                            081b3fcf-0b63-4561-b86b-af67a9d7492c-image.png

                                            Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                            Routing: Juniper, Arista, Cisco
                                            Switching: Juniper, Arista, Cisco
                                            Wireless: Unifi, Aruba IAP
                                            JNCIP,CCNP Enterprise

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.