Connection dropped on CARP failover
-
Hi all,
I've configured CARP failover on two pfSense virtual appliances which appears to be working great!
However, one issue I have noticed is that if I am downloading a file, or pinging an external IP address, and then reboot the master firewall, the connections are dropped and do not continue when the slave firewall takes over. Whilst the slave firewall is active, I can browse the Internet and do everything I need to, however the ping I have going and the download running do not recover until the master takes over again. I've tried restarting the ping (i.e. to 8.8.8.8), and it simply does not receive a reply until the master is back on.
Is this expected behaviour with the firewalls?
Kind Regards,
Jason.
-
Check your pfsync / state sync settings. Connections shouldn't be dropped on failover if the configuration is proper/correct.
-
Hi jimp,
Thanks for the reply.
I've confirmed all the settings and it looks OK. It's a little weird that the download stops when the slave firewall kicks in, but as soon as the primary comes back online, the download resumes without any problems at all. Could this be something to do with the router?
Kind Regards,
Jason.
-
If your state tables actually do sync (Check Status > CARP, pfsync nodes should be nearly identical and then check Diag > States, states should exist on both units), check your outbound NAT. You should be doing manual outbound NAT to a CARP VIP, or else you'll also get cut off like you see there.
-
Hi jimp,
> check your outbound NAT. You should be doing manual outbound NAT to a CARP VIP, or else you'll also get cut off like you see there.
Thanks for your help, this one did it! I was NATing using the firewall IP instead of the virtual IP. Once I did a manual outbound NAT as suggested, the problem is fixed and the downloads continue through the failover with only a few packets dropped in between.
Enjoy your weekend and thanks again!
Kind Regards,
Jason.
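
A way to check for the misconfiguration resolved in this thread, as an added example (not code from any poster or from the pfSense project): it reads a pfSense config.xml export and lists outbound NAT rules that do not translate to a CARP VIP. The element names and the `advanced` mode value reflect the config.xml layout as assumed here, and the sample config and its addresses are constructed; verify against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads (assumed layout).
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet></vip>
  </virtualip>
  <nat><outbound>
    <mode>advanced</mode>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source>
      <target>203.0.113.10</target><descr>LAN via CARP VIP</descr></rule>
    <rule><interface>wan</interface><source><network>192.168.2.0/24</network></source>
      <target></target><descr>DMZ via interface address</descr></rule>
    <rule><interface>wan</interface><source><network>192.168.3.0/24</network></source>
      <target>203.0.113.11</target><descr>Guest via node address</descr></rule>
    <rule><interface>wan</interface><source><network>192.168.4.0/24</network></source>
      <nonat></nonat><descr>No NAT to partner site</descr></rule>
  </outbound></nat>
</pfsense>"""


def audit_outbound_nat(config_xml):
    """Return (mode, findings); findings are (rule description, reason) pairs."""
    root = ET.fromstring(config_xml)
    # Only CARP-mode virtual IPs move to the surviving node on failover.
    carp_vips = {v.findtext("subnet", "").strip() for v in root.findall("./virtualip/vip")
                 if v.findtext("mode", "").strip() == "carp"}
    outbound = root.find("./nat/outbound")
    mode = outbound.findtext("mode", "automatic").strip() if outbound is not None else "automatic"
    rules = outbound.findall("rule") if outbound is not None else []
    findings = []
    if mode != "advanced":
        # The thread's fix is manual outbound NAT, assumed to be stored as "advanced".
        findings.append(("(outbound NAT mode)", "mode is '%s', not manual" % mode))
    for rule in rules:
        if rule.find("nonat") is not None:
            continue  # not translated, so there is no NAT address to lose
        target = (rule.findtext("target") or "").strip()
        if target not in carp_vips:
            shown = target or "interface address"
            findings.append((rule.findtext("descr", "").strip(),
                             "translates to %s, not a CARP VIP" % shown))
    return mode, findings


if __name__ == "__main__":
    mode, findings = audit_outbound_nat(SAMPLE_CONFIG)
    print("outbound NAT mode:", mode)
    for descr, reason in findings:
        print("NOT failover-safe: %s (%s)" % (descr, reason))
```

Run it against the export from each node; a rule that passes on one unit but not the other points to a configuration that is not syncing.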