
Topic: Testing High Availability (Read 238 times)


rafel.amer
Testing High Availability
« on: November 16, 2017, 10:46:37 am »
Hello!

I have installed a High Availability cluster of pfSense firewalls like the attached diagram. The version installed is 2.4.1.
I have followed the document https://portal.pfsense.org/docs/guides/highavailability/ha-on-sg-4860.html and it
seems to work fine. XMLRPC Sync and CARP are working.

I have also set up manual outbound NAT and set the Translation Address to the WAN VIP address on the primary node,
and the rules are reflected on the secondary node.

But, if I start downloading a file, for example with wget, from a computer on the LAN and then I Enter Persistent CARP
Maintenance Mode on the primary node, the download stops.

I don't know why this happens. Is the problem related to the pfSense configuration, or maybe to the WAN switch?

Thanks.

mgiammarco
Re: Testing High Availability
« Reply #1 on: November 21, 2017, 02:58:06 am »
I have the same problem in one installation.
Remember that pfsync must also work to transfer TCP states.
The GUI is misleading because on the master you should enable XMLRPC sync AND pfsync.
On the slave you never enable XMLRPC sync, but you must enable pfsync!
Mario

rafel.amer
Re: Testing High Availability
« Reply #2 on: November 21, 2017, 10:05:53 am »
Hi!

I have State Synchronization Settings (pfsync) on both firewalls, primary and secondary,
and XMLRPC Sync only on the primary.

But the connections are not maintained when I Enter Persistent CARP
Maintenance Mode on the primary node.

Derelict
Re: Testing High Availability
« Reply #3 on: November 21, 2017, 12:27:21 pm »
Look at Diagnostics > States. See what is actually happening. Post them from both nodes.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

mgiammarco
Re: Testing High Availability
« Reply #4 on: November 22, 2017, 08:14:10 am »
Hello,
I have the same problem and I have done the same things. In Diagnostics > States there are so many states, and they are different on each firewall.

Derelict
Re: Testing High Availability
« Reply #5 on: November 22, 2017, 08:21:15 am »
Filter them on what you are interested in.

rafel.amer
Re: Testing High Availability
« Reply #6 on: November 22, 2017, 11:25:33 am »
In my system, the Diagnostics > States are the same on the primary and secondary firewalls (with very few differences).

mgiammarco
Re: Testing High Availability
« Reply #7 on: November 22, 2017, 12:54:52 pm »
I have checked the states too, and I see on the slave the same states as on the master.
I exclude other problems because I can do this test:
- start a TCP connection on the master, disable the master, the TCP connection does not work, re-enable the master and TCP starts exchanging packets again;
- swap master and slave, do the same test, I obtain the same result.

So master and slave have the same behaviour and the same configuration.
I have other pfSense installations with HA and only in this one do I have this problem.

Thanks again,
Mario

Derelict
Re: Testing High Availability
« Reply #8 on: November 22, 2017, 01:25:58 pm »
Post the states. Detail which address is which (interface, CARP, etc)

mgiammarco
Re: Testing High Availability
« Reply #9 on: November 23, 2017, 02:52:52 am »
On master I have:

VDSL200   udp   yyy.183.73.74:53634 (192.168.0.4:5060) -> xxx.97.59.76:5060   MULTIPLE:MULTIPLE   13.985 K / 32.303 K   8.46 MiB / 9.34 MiB

on slave:

vdsl200 udp yyy.183.73.74:53634 (192.168.0.4:5060) -> xxx.97.59.76:5060 MULTIPLE:MULTIPLE 34 / 50 23KiB/18KiB


In this case I used a VoIP call, which is UDP (so it should not have states). The VoIP call "stays" on the master.

I forgot to say an important thing: ICMP "works". I mean, if I ping from inside to 8.8.8.8 and I put the master down, ping packets continue to flow.

Mario
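The two state lines above are the raw material for the comparison Derelict keeps asking for. The following script is an added example, not code from the thread or from pfSense: it parses dumps in the column layout shown above (interface, protocol, source after NAT, original source in parentheses, destination, state, counters), reports flows the master holds that pfsync never delivered to the slave, and flags outbound-NAT states whose translated address is not the CARP VIP. The two dumps are constructed test data using RFC 5737 documentation addresses; 203.0.113.74 stands in for the WAN CARP VIP and 203.0.113.11 for the primary's own WAN address, both assumptions of the example.

```python
"""Compare the Diagnostics > States output of the two CARP nodes.

Added example, not from the thread. It assumes the column layout shown in the
thread (interface, protocol, source-after-NAT, (source-before-NAT), -> destination,
state, counters). The two dumps below are constructed test data using RFC 5737
documentation addresses; 203.0.113.74 plays the role of the WAN CARP VIP and
203.0.113.11 the primary node's own WAN address.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)"                    # source as it leaves the firewall (after NAT)
    r"(?:\s+\((?P<orig>[^)]+)\))?"    # original source, only present on NAT'd states
    r"\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)"                  # e.g. ESTABLISHED:ESTABLISHED or MULTIPLE:MULTIPLE
)


class State(NamedTuple):
    iface: str
    proto: str
    src: str
    orig: Optional[str]
    dst: str
    state: str

    @property
    def key(self) -> Tuple[str, str, str, Optional[str], str]:
        # Flow identity used to match states across nodes. The interface name is
        # lower-cased because the GUI capitalises it differently per node
        # (VDSL200 on one, vdsl200 on the other, in the thread above).
        return (self.iface.lower(), self.proto, self.src, self.orig, self.dst)


def parse_states(dump: str) -> Dict[tuple, State]:
    """Parse one node's state dump into {flow key: State}."""
    states: Dict[tuple, State] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised state line: {line!r}")
        s = State(m["iface"], m["proto"].lower(), m["src"], m["orig"], m["dst"], m["state"])
        states[s.key] = s
    return states


def missing_on_peer(local: Dict[tuple, State], peer: Dict[tuple, State]) -> List[State]:
    """States the local node holds that pfsync has not delivered to the peer."""
    return [s for k, s in local.items() if k not in peer]


def host(addr: str) -> str:
    """Strip the :port suffix (IPv4 only in this example)."""
    return addr.rsplit(":", 1)[0]


def nat_not_on_vip(states: Dict[tuple, State], vip: str) -> List[State]:
    """Outbound-NAT states translated to something other than the CARP VIP.

    Such a state is copied to the peer like any other, but after failover the
    peer does not own the primary's interface address, so replies for it never
    arrive: the state exists on both nodes and the connection still dies.
    """
    return [s for s in states.values() if s.orig is not None and host(s.src) != vip]


# Constructed dumps (not real output): same layout as the thread's state lines.
MASTER_DUMP = """
WAN  udp  203.0.113.74:53634 (192.168.0.4:5060)   -> 198.51.100.76:5060  MULTIPLE:MULTIPLE        13985 / 32303  8.46 MiB / 9.34 MiB
WAN  tcp  203.0.113.74:41022 (192.168.0.55:51288) -> 198.51.100.10:23    ESTABLISHED:ESTABLISHED  120 / 98       9 KiB / 7 KiB
WAN  tcp  203.0.113.11:41023 (192.168.0.55:51289) -> 198.51.100.10:443   ESTABLISHED:ESTABLISHED  40 / 38        5 KiB / 6 KiB
LAN  icmp 192.168.0.55:1 -> 8.8.8.8:1  0:0  30 / 30  2 KiB / 2 KiB
"""
SLAVE_DUMP = """
wan  udp  203.0.113.74:53634 (192.168.0.4:5060)   -> 198.51.100.76:5060  MULTIPLE:MULTIPLE        34 / 50  23 KiB / 18 KiB
wan  tcp  203.0.113.74:41022 (192.168.0.55:51288) -> 198.51.100.10:23    ESTABLISHED:ESTABLISHED  0 / 0    0 B / 0 B
lan  icmp 192.168.0.55:1 -> 8.8.8.8:1  0:0  0 / 0  0 B / 0 B
"""
WAN_VIP = "203.0.113.74"  # assumed CARP VIP for the example


def report(master_dump: str, slave_dump: str, vip: str) -> Dict[str, List[State]]:
    """Run both checks on a master/slave pair of dumps."""
    master, slave = parse_states(master_dump), parse_states(slave_dump)
    return {
        "not_synced": missing_on_peer(master, slave),
        "nat_not_vip": nat_not_on_vip(master, vip),
    }


if __name__ == "__main__":
    for reason, flows in report(MASTER_DUMP, SLAVE_DUMP, WAN_VIP).items():
        for s in flows:
            print(f"{reason}: {s.proto} {s.src} ({s.orig}) -> {s.dst} [{s.state}]")
```

Paste each node's Diagnostics > States table (filtered to the client you are testing from) into the two dump strings and run it on a workstation. A flow listed under "not_synced" means pfsync is not carrying it; a flow under "nat_not_vip" survives the sync but is translated to an address the surviving node does not own, which is the case to look for when the states match on both nodes yet TCP still drops at failover while ICMP carries on.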

Derelict
Re: Testing High Availability
« Reply #10 on: November 23, 2017, 03:48:02 am »
Is yyy.183.73.74 the CARP VIP?

Is 192.168.0.4 set to use the CARP VIP on the firewall on that interface as its default gateway?

mgiammarco
Re: Testing High Availability
« Reply #11 on: November 23, 2017, 06:22:37 am »
Yes, yyy.183.73.74 is the public IP CARP VIP. NAT is on that IP.
The private subnet CARP IP is 192.168.0.254. Yes, DHCP gives 192.168.0.254 as the gateway to computers.

I explain again the tests I have done (please, rafel, do these tests too):

1) ping from an internal PC (e.g. 192.168.0.55) to 8.8.8.8. Ping works. Fence the master. The slave becomes master. Ping continues to work! It means that NAT/DHCP/CARP/... is all OK, right?
2) telnet from 192.168.0.55 to an internet server xx.yy.aa.bb. Telnet works. Fence the master. The slave becomes master. Telnet stops working!!!

After test 2) someone could say to me: in your setup obviously the master configuration is different from the slave. Perhaps some firewall settings.
OK! So I swap master and slave and I do test 2 again. I obtain the same result!

How can I debug it?
Is there someone who has HA working with 2.4.1?
Thanks,
Mario

Derelict
Re: Testing High Availability
« Reply #12 on: November 23, 2017, 06:28:18 am »
Yes. Me.

I have tried to duplicate several of these reports and the only case I can find where there might be a problem is described here:

https://redmine.pfsense.org/issues/8100
