I have set up 2 identical pfSense instances and set up failover with CARP.

I have 3 addresses available on all interfaces (also on the WAN), so I have set up Outbound NAT for my CARP VIP and it works great.

If I open a few connections on a client behind the firewalls (like a download) and then trigger the CARP maintenance mode, the firewall fails over correctly within 1-2 seconds and the download on the client does not even disconnect (which is amazing).

However, as soon as I start the OpenVPN server which I have set up on the CARP VIP of the WAN (so it also fails over), the regular failover does not work as expected anymore.

When I then do the same download test on the client behind the firewalls, it disconnects and has to rebuild all connections.

Also, the VPN server correctly gets restarted on the second node and the client automatically reconnects (so expected behavior).

If I then disable the OpenVPN server again and try again, the failover works again as expected without any outage.

How are these two settings related and why are they interfering with each other?

Just to make sure I am not missing something obvious with the OpenVPN setup:

I have not enabled the state killing in Sys -> Adv -> Misc.
I have the interface of the OpenVPN server set to the public CARP VIP.
I have then a firewall rule on the WAN to allow traffic to these 3 IPs (.130.
I have also set up Outbound NAT so the local clients initiate connections with the public VIP.

Clients behind the firewall can reach the internet.
I trigger the "enter persistent CARP maintenance mode on FWL01 (the master)" and the firewall fails over.
FWL02 becomes the master and the clients behind the firewalls retain all their states and no connection gets killed (downloads are not interrupted, RDP sessions to clients also do not get interrupted).

Everything works as expected: clients can connect to the OpenVPN server and clients behind the firewall can reach the internet.
FWL02 becomes the master and the OpenVPN clients get disconnected and reconnect after 5 seconds automatically (expected behavior).
The clients behind the firewalls get all states killed and need to rebuild them (NOT seamless anymore).

Also, all the state creator IDs are the same on both nodes.

Can anyone with an HA cluster and OpenVPN reproduce this?

It does not break connections consistently when just restarting the ovpns. It does, for example, if you fail over to your secondary node and then restart the ovpns on the primary (inactive) node, but only on the first restart of the service.

I have tried this on pfSense 2.6.0 and 2.7.0 and 2.7.2, always the same issue.

Any Help is
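To compare what each node holds in its state table before and after a failover like the one described above, here is an added helper (not from the post or from pfSense) that parses the verbose listing `pfctl -ss -vv` prints on FreeBSD/pfSense and groups states by pfsync creator ID; the sample output is constructed, and the `id: ... creatorid: ...` trailer format is assumed from FreeBSD pfctl's verbose state output.

```python
import re
from collections import Counter

# Constructed sample in the shape of `pfctl -ss -vv` output on one HA node
# (documentation addresses; two states owned by creator 1a2b3c4d, one by
# 9e8d7c6b, as if synced from the peer). The trailer line format is assumed.
SAMPLE_STATES = """\
all tcp 203.0.113.130:443 <- 192.0.2.50:51234       ESTABLISHED:ESTABLISHED
   [3141592653 + 65535] wscale 7  [2718281828 + 65535] wscale 7
   age 00:03:12, expires in 23:58:00, 1200:900 pkts, 160000:70000 bytes, rule 12
   id: 00000000657a1f00 creatorid: 1a2b3c4d
all udp 203.0.113.130:1194 <- 198.51.100.7:40000       MULTIPLE:MULTIPLE
   age 00:00:05, expires in 00:00:55, 3:3 pkts, 300:300 bytes, rule 20
   id: 00000000657a1f01 creatorid: 1a2b3c4d
all tcp 10.0.0.20:3389 <- 10.0.0.5:60001       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 7  [2000 + 65535] wscale 7
   age 00:10:00, expires in 23:50:00, 50:60 pkts, 5000:6000 bytes, rule 3
   id: 00000000657a1f02 creatorid: 9e8d7c6b
"""

# First line of each state: "<iface> <proto> <left> <-|->|<-> <right> <state>"
HEADER = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<left>\S+)\s+"
                    r"(?P<dir>[<>-]+)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$")
# Indented trailer carrying the state id and the pfsync creator id.
TRAILER = re.compile(r"^\s+id:\s*(?P<id>[0-9a-fA-F]+)\s+creatorid:\s*(?P<creator>[0-9a-fA-F]+)")

def parse_states(text):
    """Return one dict per state: header fields plus id and creator (if present)."""
    states, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            states.append(current)
            continue
        m = TRAILER.match(line)
        if m and current is not None:
            current["id"] = m.group("id")
            current["creator"] = m.group("creator").lower()
    return states

def count_by_creator(states):
    """Map creator id -> number of states; run on both nodes and compare to see
    whether each node holds the peer's states or only its own."""
    return dict(Counter(s.get("creator", "unknown") for s in states))

def states_for_port(states, port):
    """States whose left-hand endpoint (IPv4 'addr:port' form) uses `port`,
    e.g. 1194 to isolate the OpenVPN listener's states from client traffic."""
    return [s for s in states if s["left"].rsplit(":", 1)[-1] == str(port)]
```

Run it against `pfctl -ss -vv` captured on FWL01 and FWL02 around the maintenance-mode switch; a creator-ID breakdown that changes only on one node points at which side dropped the states.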