SSH connection state not preserved during failover

supratiksekhar · Jun 25, 2014, 6:06 AM

I have two Linux box running PFsense, one of them is a master and the other one is a backup. The master is having IP 192.168.1.2 and backup is having IP 192.168.1.3. I have created a VIP 192.168.1.1 which is the default gateway for all the systems in the LAN.

In both master and backup I have two interfaces WAN1 and WAN2 which connects to two other Linux machines (not running PFSense) which in turn connects to the ISP's. I have created gateway groups for load-balancing and failover.

All the systems in LAN is able to access internet even if any of the ISP system or the firewall system (PFSense) goes down. The below architecture works great for load-balancing between ISP's and failover.

The problem happens with SSH connections. If any of the system goes down the SSH connection breaks, so I have to restart the connection.

What change is required in the architecture so that the SSH connections does not get interrupted even when any of the systems goes down?

cmb · Jun 25, 2014, 6:37 AM

Either you're not syncing states between them, or not NATing to CARP IPs.

supratiksekhar · Jun 25, 2014, 10:28 AM

@cmb:

Either you're not syncing states between them, or not NATing to CARP IPs.

I have checked on the following

Synchronize rules
Synchronize NAT
Synchronize Virtual IPs

Is there any other option I have enable apart from the above?

I have created VIP using CARP for the LAN interface, but there are no VIP for both WAN interface.

Can you please tell what else I need to do?

whoknowswhoiswho · Feb 8, 2015, 3:40 AM

Facing the same issue here. Not sure what I am missing. The failover basically works, which means my CARP works. However, any existing SSH connections break at failover, which means the States are not being maintained. Is there something apart from enabling SYNC that needs to be done to push states into StateTable at failover?

Derelict · Feb 8, 2015, 6:47 AM

You need three public IP addresses on each WAN provider. One for each node in the failover pair and one for CARP. This means a /29 from each provider or some other means of getting those IPs assigned to the WAN interfaces.

whoknowswhoiswho · Feb 9, 2015, 2:15 PM

I agree, this is my setup so far: (for tests)

Interfaces -
FW-master:
WAN: 172.16.0.10/23
WAN-Carp: 172.16.0.1/23 _LAN: 192.168.0.10/23
LAN-Carp: 192.168.0.1/23

Sync: 172.16.2.1/23

FW-Slave:
WAN: 172.16.0.20/23
LAN: 192.168.0.23/23

Sync: 172.16.2.2/23

Any ping tests I do, have no issues, the failover is pretty seamless, however, if I run a SSH session running, at a failover [Master -> Slave or vice-versa], the SSH session fails.

Since the ping tests works I am inclined to say the Failover works, but the states are not being maintained at failover hence SSH fails. Any insight on what I might be missing. I followed instructions outlined here to get this up:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

I am not sure if there is anything apart from setup itself that would cause this behavior. Both nodes are running on dedicated hardware._

Derelict · Feb 9, 2015, 4:49 PM

And the outbound NAT rule that is matching the ssh session says what?

whoknowswhoiswho · Feb 9, 2015, 4:58 PM

Outbound NAT rule maps all LAN connections to the WAN CARP IP: 172.16.0.1