Move config to new server
Because of high traffic we tried moving our config to a much more powerful server. Most things worked fine. I could download from behind it for example, but the inbound rules did not work (web sites).
When I restored the config to the new server the only message I received was a mis-match in interface names. The old server was bge0 and bge1 for LAN and WAN, the new server was bce0 and bce1. It asked me to re-assign interfaces to these new ones, which I did.
Here's the errors/warnings I see in the logs:
slbd: TCP poll failed to start to x.x.x.x:x in default (Operation now in progress)
slbd: Switching to sitedown for VIP x.x.x.x:x
We have around a dozen VIPs. Currently I've had to resort to the old server, and I have this new one up, with a different LAN IP, and the external is not plugged in. Any suggestions would be most appreciated.
Run it on an ESXi server and test it, before it goes live. Move PFSense onto a virtual machine and see how easy things get all of a sudden. ;)
Restoring the config should be enough to make it work. I've done just this many times and haven't had issues. Once you reassign the interfaces, it should remap everything properly.
Perhaps the load balanced servers are looking for the old server's MAC address? You could try cloning the MAC on LAN and see if it gets you any farther.
I thought it would be easy as well. I've done it several times before with no issues. I moved it from an old Dell PE1750 to a new Dell R610. I was thinking of moving our test environment behind the new box; its config is much smaller and I don't have to worry about taking production down.
I was thinking of rebuilding config from scratch, but I'd rather not because it's rather large.
Rebuilding the configuration should be unnecessary.
I'd check for things like cached/static arp and perhaps even switch config first. Something may be looking for the old server in that way. If it's just a MAC address, you should be able to clone that in the pfSense GUI.
I did reuse the same switch port for the external; we have a VLAN for the firewalls external ports. We have around 20 firewalls.
I was thinking that might be an issue; I had that happen to me once before. We had the new firewall up for around 75 minutes while we were troubleshooting it. Also it seemed strange that outbound traffic was fine, while inbound rules didn't work.
Thanks for your suggestions.
I moved our dev site over to this new server and didn't have an issue… maybe the config from the production site was corrupt? I think what I will try is importing portions of the config to see if it works that way.
I tried again today to move config to the new server and had the same problem. None of the rules to the web sites worked.
I tried it two ways.
The first was I set the new box to factory default and configured the network. Then I imported the aliases, then NAT, and then the rules. Same problem.
Then I tried editing the full config by changing just the interface IDs (on the old server they are bge0 and bge1, on the new server bce0 and bce1). This did not work either.
The main thing I see repeated over and over is:
TCP poll failed to start to INTERNAL IP:81 in default (Operation now in progress)
This happens for the majority of the rules.
We're not load balancing though. We are just moving from a weaker server to a real strong one.
I've moved configs many times like this and I've not had an issue before, which is why this is so strange to me. I may just have to rewrite the config from scratch… I didn't want to because it is rather large.
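The second approach above, editing the exported config to swap the physical interface names, is easy to get subtly wrong when the names also appear outside the interfaces section (VLAN parents, VLAN-derived names such as bge0_vlan10). The script below is an added example, not code from the thread or from the pfSense project; it remaps every interface-name element it finds, and, more usefully, reports any physical name that is still not one of the new box's interfaces, so a stale reference can be spotted before the config is restored. The XML fragment is constructed to resemble a pfSense config.xml and is simplified; the element names treated as carrying interface names (if, vlanif) are an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a pfSense config.xml fragment (not a real exported config).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <lan><if>bge0</if><ipaddr>192.0.2.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>bge1</if><ipaddr>198.51.100.2</ipaddr><subnet>29</subnet></wan>
    <opt1><if>bge0_vlan10</if><ipaddr>192.0.2.129</ipaddr><subnet>25</subnet></opt1>
  </interfaces>
  <vlans>
    <vlan><if>bge0</if><tag>10</tag><vlanif>bge0_vlan10</vlanif></vlan>
  </vlans>
</pfsense>
"""

# A physical NIC name (driver letters + unit number) with an optional VLAN suffix.
PHYS_RE = re.compile(r"^([A-Za-z]+\d+)(_vlan\d+)?$")

# Assumption for this example: these element names hold interface names.
NAME_TAGS = {"if", "vlanif"}


def remap_interfaces(xml_text, mapping, new_box_ifaces):
    """Rewrite old physical NIC names to new ones throughout the config.

    mapping        -- {"bge0": "bce0", ...}, old name -> new name
    new_box_ifaces -- set of physical NIC names that exist on the new server

    Returns (rewritten_xml, number_of_elements_changed, sorted list of
    physical names still referenced that are NOT present on the new box).
    """
    root = ET.fromstring(xml_text)
    changed = 0
    unresolved = set()
    for el in root.iter():
        if el.tag not in NAME_TAGS or not el.text:
            continue
        m = PHYS_RE.match(el.text.strip())
        if not m:
            continue
        phys, suffix = m.group(1), m.group(2) or ""
        if phys in mapping:
            phys = mapping[phys]
            el.text = phys + suffix   # keep any _vlanNN suffix intact
            changed += 1
        if phys not in new_box_ifaces:
            unresolved.add(phys)      # stale name: would fail to assign on restore
    return ET.tostring(root, encoding="unicode"), changed, sorted(unresolved)


if __name__ == "__main__":
    out, n, missing = remap_interfaces(
        SAMPLE_CONFIG, {"bge0": "bce0", "bge1": "bce1"}, {"bce0", "bce1"}
    )
    print(f"{n} interface references rewritten; unresolved names: {missing}")
    print(out)
```

Run it against a real exported config by reading the file into `xml_text` and passing the NIC names the new server actually reports; a non-empty unresolved list means some part of the config still points at an interface the new box does not have, which is exactly the kind of leftover that survives a partial edit.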