Netgate Discussion Forum

SSH connection state not preserved during failover

supratiksekhar
last edited by Jun 25, 2014, 6:06 AM

I have two Linux boxes running pfSense, one of them a master and the other a backup. The master has IP 192.168.1.2 and the backup has IP 192.168.1.3. I have created a VIP 192.168.1.1 which is the default gateway for all the systems in the LAN.

In both master and backup I have two interfaces, WAN1 and WAN2, which connect to two other Linux machines (not running pfSense) which in turn connect to the ISPs. I have created gateway groups for load-balancing and failover.

All the systems in the LAN are able to access the internet even if any of the ISP systems or the firewall systems (pfSense) goes down. The below architecture works great for load-balancing between ISPs and failover.

The problem happens with SSH connections. If any of the systems goes down the SSH connection breaks, so I have to restart the connection.

What change is required in the architecture so that the SSH connections do not get interrupted even when any of the systems goes down?

[attached image: NetworkDiagram.png]

cmb
last edited by Jun 25, 2014, 6:37 AM

Either you're not syncing states between them, or not NATing to CARP IPs.

supratiksekhar
last edited by Jun 25, 2014, 10:28 AM

@cmb:

    Either you're not syncing states between them, or not NATing to CARP IPs.

I have checked the following:

Synchronize rules
Synchronize NAT
Synchronize Virtual IPs

Is there any other option I have to enable apart from the above?

I have created a VIP using CARP for the LAN interface, but there are no VIPs for the WAN interfaces.

Can you please tell me what else I need to do?

whoknowswhoiswho
last edited by Feb 8, 2015, 3:40 AM

Facing the same issue here. Not sure what I am missing. The failover basically works, which means my CARP works. However, any existing SSH connections break at failover, which means the states are not being maintained. Is there something apart from enabling sync that needs to be done to push states into the state table at failover?

Derelict LAYER 8 Netgate
last edited by Feb 8, 2015, 6:47 AM

You need three public IP addresses on each WAN provider. One for each node in the failover pair and one for CARP. This means a /29 from each provider or some other means of getting those IPs assigned to the WAN interfaces.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

whoknowswhoiswho
last edited by Feb 9, 2015, 2:15 PM

I agree, this is my setup so far (for tests):

Interfaces -
FW-master:
  WAN: 172.16.0.10/23
  WAN-Carp: 172.16.0.1/23
  LAN: 192.168.0.10/23
  LAN-Carp: 192.168.0.1/23

Sync: 172.16.2.1/23

FW-Slave:
  WAN: 172.16.0.20/23
  LAN: 192.168.0.23/23

Sync: 172.16.2.2/23

Any ping tests I do have no issues, the failover is pretty seamless; however, if I have an SSH session running, at a failover [Master -> Slave or vice-versa] the SSH session fails.

Since the ping tests work I am inclined to say the failover works, but the states are not being maintained at failover, hence SSH fails. Any insight on what I might be missing? I followed the instructions outlined here to get this up:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

I am not sure if there is anything apart from the setup itself that would cause this behavior. Both nodes are running on dedicated hardware.

Derelict LAYER 8 Netgate
last edited by Feb 9, 2015, 4:49 PM

And the outbound NAT rule that is matching the ssh session says what?


whoknowswhoiswho
last edited by Feb 9, 2015, 4:58 PM

Outbound NAT rule maps all LAN connections to the WAN CARP IP: 172.16.0.1

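The diagnosis in this thread comes down to two checks: pf states must be copied to the peer over pfsync, and outbound NAT must translate to the shared CARP VIP rather than to a node's own WAN address, because a state NATed to 172.16.0.10 exists on the slave after sync but the slave does not own that address, so the session cannot survive failover. The script below is an added example, not code from this thread or from pfSense. It parses constructed lines modelled on FreeBSD pf's `pfctl -ss` state listing (the exact column layout is an assumption) and flags outbound NAT states whose translated source is one of the node-specific WAN addresses from the setup posted above instead of the WAN CARP VIP.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Addresses from the thread's test setup: the WAN CARP VIP that outbound NAT
# should translate to, and each node's own (non-shared) WAN address.
WAN_CARP_VIP = ipaddress.ip_address("172.16.0.1")
NODE_WAN_ADDRS = {
    ipaddress.ip_address("172.16.0.10"),  # FW-master WAN
    ipaddress.ip_address("172.16.0.20"),  # FW-slave WAN
}

# Constructed sample modelled on `pfctl -ss` output. Assumed outbound layout:
#   <if> <proto> <translated src> (<original src>) -> <dst>   <state>
# The second line is the failure case from the thread: a session NATed to the
# master's own WAN address, which the slave can never take over.
SAMPLE_STATES = """\
em0 tcp 172.16.0.1:51022 (192.168.0.50:51022) -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
em0 tcp 172.16.0.10:51023 (192.168.0.51:51023) -> 203.0.113.5:22      ESTABLISHED:ESTABLISHED
em0 udp 172.16.0.1:40000 (192.168.0.50:40000) -> 198.51.100.7:53      MULTIPLE:SINGLE
em1 tcp 192.168.0.1:22 <- 192.168.0.50:53000       ESTABLISHED:ESTABLISHED
"""

# Only outbound ("->") entries carry the NAT translation we care about;
# inbound ("<-") entries deliberately do not match this pattern.
OUTBOUND_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<xsrc>[\d.]+):(?P<xport>\d+)\s+"
    r"(?:\((?P<osrc>[\d.]+):(?P<oport>\d+)\)\s+)?"
    r"->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_states(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse outbound state lines into dicts; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = OUTBOUND_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def find_non_failover_states(text: str) -> List[Dict[str, Optional[str]]]:
    """Return outbound NAT states whose translated source is a node-specific WAN
    address rather than the CARP VIP. pfsync can copy such a state to the peer,
    but the peer does not own that address, so the session dies at failover."""
    flagged = []
    for st in parse_states(text):
        if st["osrc"] is None:
            continue  # no translation recorded, so not an outbound NAT state
        xsrc = ipaddress.ip_address(st["xsrc"])
        if xsrc != WAN_CARP_VIP and xsrc in NODE_WAN_ADDRS:
            flagged.append(st)
    return flagged


def summarize(text: str) -> str:
    """Human-readable report of states that will not survive a CARP failover."""
    lines = []
    for st in find_non_failover_states(text):
        lines.append(
            f"{st['proto']} {st['osrc']}:{st['oport']} -> {st['dst']}:{st['dport']} "
            f"is NATed to {st['xsrc']} (node address), not {WAN_CARP_VIP} (CARP VIP)"
        )
    return "\n".join(lines) if lines else "all outbound NAT states use the CARP VIP"


if __name__ == "__main__":
    print(summarize(SAMPLE_STATES))
```

To use it against a live pair, feed it the output of `pfctl -ss` from the master while an SSH session is open; any flagged state points at an outbound NAT rule (or a rule ordering problem) that is translating to the interface address instead of the CARP VIP. A clean report is necessary but not sufficient: the same state must also appear in `pfctl -ss` on the slave, which is the pfsync half of cmb's answer.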
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.