Upgrade to 2.2 from 2.1.5



  • Hi,

    I have 2 pfsense 2.1.5 in master / slave with 34 CARP IP on ESX 5.5 cluster (hardware is not a problem).

    Is it safe to upgrade?

    What is the best way?

    Slave first, then master?

    Thanks

    Guldil



  • It's covered here.
    https://doc.pfsense.org/index.php/UpgradeGuide

    Have not done it myself yet.
    Waiting for others to report back :)



  • We've done this upgrade on 3 of our Clouds and all 3 are experiencing the same issue.

    Basically the web configurator is hanging and timing out on the backup firewall when accessing it on the Lan IP from outside the network.
    Internal access to the web interface works fine and access to the web interface via the Wan ip of the backup firewall works fine.

    Rolling one of the backup firewall VMs back to a snapshot of 2.1.5 fixes the issue so it seems that when master and backup are both on 2.2 there are some routing issues causing issues accessing the web configurator on the backup firewall.

    If we reboot a master firewall and let the backup assume master role then the issue goes away and the web configurator is accessible by the Lan ip but once it gets demoted to backup the web interface breaks and hangs again.

    Like I said, we have reproduced this on 3 clusters so it's not a one off.



  • @craggy:

    Basically the web configurator is hanging and timing out on the backup firewall when accessing it on the Lan IP from outside the network.

    That would have never worked reliably (minus sloppy state and any flags TCP rules workaround but that's kind of ugly). The asymmetric routing makes that fall apart with normal state keeping. You should source NAT in that case so the secondary doesn't reply back directly via its WAN, so it sees the connections coming from the interface IP of the primary on LAN. Same source NAT for the opposite scenario, for when the secondary is master and you want to hit the primary on a LAN IP.

    That or only use IPs for management that aren't routed only in one direction through one of the firewalls.



  • That's interesting that it should not have worked in the past as it has been the primary means of us accessing all our firewalls for several years until the 2.2 update.

    I forgot to mention that we don't use NAT anywhere, everything is in a fully routed configuration if that makes any difference?



  • @Heimire:

    It's covered here.
    https://doc.pfsense.org/index.php/UpgradeGuide

    https://doc.pfsense.org/index.php/UpgradeGuide#Upgrading_High_Availability_Deployments

    Nothing about 2.1.5 to 2.2

    I'll try the procedure like I did before (slave first, carp off on master, then master).



  • @Guldil:

    https://doc.pfsense.org/index.php/UpgradeGuide#Upgrading_High_Availability_Deployments

    Nothing about 2.1.5 to 2.2

    I'll try the procedure like I did before (slave first, carp off on master, then master).

    I've just finished upgrading my CARP set based on 2 DELL R220II as recommended there and at the end it works great.
    However, upgrading the backup box first messed up my outbound NAT settings. Automatic mode was activated and therefore it used the WAN address instead of the CARP VIP. As a result, connections which were made from inside to web services secured by IP authorization were rejected.

    Upgrade of master worked as expected.
    I am happy now.  :)