Pfsync not syncing states



  • Hey guys,

    I can't seem to get pfsync to work! I see a ton of packets go through the SYNC interface, but the slave backup state table never goes over 100, even though there are close to 30000+ states on the primary. Running v2.2.4

    Here's pics of all my configuration. Any help where to start hunting problems much appreciated!

    1. firewall rules (both)
    2. sync config (master)
    3. sync config (slave)
    4. sync interface config (master)
    5. sync interface config (slave)
    6. packet counter (slave)

    ![Screen Shot 2015-11-04 at 12.06.54 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.06.54 PM.png)
    ![Screen Shot 2015-11-04 at 12.07.07 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.07.07 PM.png)
    ![Screen Shot 2015-11-04 at 12.07.19 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.07.19 PM.png)
    ![Screen Shot 2015-11-04 at 12.07.28 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.07.28 PM.png)
    ![Screen Shot 2015-11-04 at 12.07.34 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.07.34 PM.png)
    ![Screen Shot 2015-11-04 at 12.07.41 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-04 at 12.07.41 PM.png)



    1. Why do you have different IPs for state and config sync?
    2. Just do any any for the sync interface, it's just between the two machines.


    1. Those are the LAN addresses for the machines. I suppose I can send it over the SYNC interface. I'll make the firewall and config changes.
    2. Well, multicast wasn't working, so I tried that :) I'll change it back.


  • I made the changes. Still doesn't work. XMLRPC sync across the SYNC interfaces DOES work however.



  • You can't enable it on the sync interface, then put in an IP on a different interface. Either leave the IP blank on both sides, or put in the opposite side's sync IP on both sides (leaving the sync interface chosen).



  • It's currently blank for both sides and it's not working :(



  • Verify you can ping each box from the other via the sync if. These both physical boxes with matched interfaces?



  • Having the wrong IP in there maybe got it into a weird state that removing didn't undo, try rebooting both of them.



  • @dotdash:

    Verify you can ping each box from the other via the sync if. These both physical boxes with matched interfaces?

    I had this problem too. Mine was the change that pfsense made to require matching interfaces on secondary to match primary unless you hack it with LAGG.
    As dotdash asks above.



  • The reboot didn't help, even though failover worked just fine (minus the state transfer). Still tons of packets arriving on the backup on the SYNC interface. If I disable sync on the master, the traffic dies off :( Makes me think the problem might be on the backup.

    I had this problem too. Mine was the change that pfsense made to require matching interfaces on secondary to match primary unless you hack it with LAGG.
    As dotdash asks above.

    AH that's the problem then. They are not matched. How do I "hack this with a LAGG"?


  • Well, create a lagg with a single NIC on both boxes. Silly? Yeah, 300%. NFC what's the benefit here. Never got a good explanation why's it good to have states tied to physical NIC names.



  • Do I create a LAGG for the upstream ISP interfaces, or the SYNC interface?



  • All the nics need to match, IIRC. So you'd have to LAGG any nics that weren't physically the same.



  • @j@svg:

    AH that's the problem then. They are not matched. How do I "hack this with a LAGG"?

    If you search the forums, there was a setup-type guide on doing this, but I cannot find it quickly to post in here.
    I used it to set up the single-interface lagg. After that, it's pretty much a standard carp setup.
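The two checks the thread converges on (the backup's state count stays tiny while the master carries tens of thousands, and the interface names on the two nodes do not match) can be scripted so the mismatch is caught before anyone starts chasing firewall rules. The following is an added example, not code from the thread or from pfSense. It assumes you paste the `pfctl -si` output from each node (its `current entries` line is the state-table size) and type in the interface assigned to each role on each node, as shown on the Interfaces page; the sample outputs and assignments below are constructed for illustration.

```python
import re

# Constructed sample: interface assigned to each role on each node.
# The master is a physical box (em*), the backup a VM (vmx*), as in the thread.
MASTER_ASSIGN = {"WAN": "em0", "LAN": "em1", "SYNC": "em2"}
BACKUP_ASSIGN = {"WAN": "vmx0", "LAN": "vmx1", "SYNC": "vmx2"}
# Same backup after the single-port lagg workaround: both nodes assign lagg names.
MASTER_LAGG = {"WAN": "lagg0", "LAN": "lagg1", "SYNC": "lagg2"}
BACKUP_LAGG = {"WAN": "lagg0", "LAN": "lagg1", "SYNC": "lagg2"}

# Constructed sample `pfctl -si` excerpts (only the lines the parser needs are realistic).
MASTER_PFCTL = """Status: Enabled for 12 days 03:14:22           Debug: Urgent

State Table                          Total             Rate
  current entries                    30412
  searches                       987654321          934.0/s
"""
BACKUP_PFCTL = """Status: Enabled for 0 days 02:10:05           Debug: Urgent

State Table                          Total             Rate
  current entries                       97
  searches                         1234567          120.0/s
"""

STATE_RE = re.compile(r"^\s*current entries\s+(\d+)", re.MULTILINE)


def parse_state_count(pfctl_si_output):
    """Return the state-table size from `pfctl -si` text (the 'current entries' line)."""
    m = STATE_RE.search(pfctl_si_output)
    if not m:
        raise ValueError("no 'current entries' line found in pfctl -si output")
    return int(m.group(1))


def interface_mismatch(master_assign, backup_assign):
    """List (role, master_if, backup_if) for every role whose interface name differs.

    A role missing on one node is reported with None for that side, since pfsync
    cannot map a state for an interface the other node does not have at all.
    """
    roles = sorted(set(master_assign) | set(backup_assign))
    return [
        (r, master_assign.get(r), backup_assign.get(r))
        for r in roles
        if master_assign.get(r) != backup_assign.get(r)
    ]


def diagnose(master_assign, backup_assign, master_si, backup_si, min_ratio=0.5):
    """Combine both checks into a findings list a practitioner can act on.

    min_ratio is the fraction of the master's states the backup should hold
    before we call sync healthy; 0.5 is a deliberately loose default.
    """
    findings = []
    mismatches = interface_mismatch(master_assign, backup_assign)
    if mismatches:
        detail = ", ".join(f"{r}: {m} vs {b}" for r, m, b in mismatches)
        findings.append(
            "interface names differ between nodes (" + detail + "); "
            "states are tied to interface names, so give both nodes the same "
            "names (e.g. a single-port lagg per role) before expecting pfsync to work"
        )
    master_states = parse_state_count(master_si)
    backup_states = parse_state_count(backup_si)
    if master_states and backup_states / master_states < min_ratio:
        findings.append(
            f"backup holds {backup_states} states vs {master_states} on master "
            f"({backup_states / master_states:.1%}); the sync traffic is arriving "
            "but not populating the backup's state table"
        )
    return {
        "master_states": master_states,
        "backup_states": backup_states,
        "mismatched_roles": [r for r, _, _ in mismatches],
        "findings": findings,
    }


if __name__ == "__main__":
    for line in diagnose(MASTER_ASSIGN, BACKUP_ASSIGN, MASTER_PFCTL, BACKUP_PFCTL)["findings"]:
        print("-", line)
```

Run it once with the current assignments and once with the lagg names filled in: the interface finding disappears in the second run, leaving only the state-count gap to watch as the backup table fills after the change.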



  • Thank you for the help guys! One of the instances is physical, the other is virtual. We were holding up moving to 100% virtualized because of this problem, but we're going to move forward since the interfaces will be named the same after the upgrade.

    Cheers!

