On 26-Dec-08, at 6:31 PM, Scott Ullrich wrote:
On Fri, Dec 26, 2008 at 6:06 PM, Jason Lixfeld
<[email protected]> wrote:
Ok, so just so I'm not chasing a wild goose, the failover is supposed to be stateful, right? Sessions in or out of a pfSense cluster shouldn't be disconnected or need to be reconnected, right? I don't think that part of my question was actually answered.
Yes, that is correct if you have pfsync activated to sync the states.
Firewall -> Virtual IP's -> Settings.
Thanks. Ok, so the Synchronize Enabled checkbox is checked. I'm
syncing on a dedicated PFSync interface (in VMWare with promiscuous
mode enabled on the vswitch). I'm syncing rules, NAT, Static Routes,
IPSec, VIPs, DNS forwarders to the far end of the PFSync interface
which I can ping and have rules enabled to allow all traffic in and
out of the pfsync interface.
I have made a firewall rule change on the master, and it has
replicated over to the secondary.
I have made an OpenVPN change, on the master, but that rule has not
been replicated to the secondary. I know it's not IPSec, but there
was no option to sync OpenVPN settings, so I thought maybe IPsec was
mislabeled as something for any VPN configuration. Alas, it appears
that OpenVPN configs do not sync??!
Outbound NAT is configured to use the WAN VIP. DHCP hands out the LAN
VIP as the default gateway.
On the master, the state table is 58 entries. On the backup, it's 11
entries.
If I fail the master by shutting the machine down, the test session I
have running which is an inbound ssh session via a NAT port mapping on
the pfsense box hangs and needs to be reconnected.
The funny thing is that the state table on the backup seems to have
the state info for the session that was initiated through the master:
10.1.11.251:22 <- aaa.bbb.ccc.210:22 <- ddd.eee.fff.67:53791
I'm ddd.eee.fff.67, aaa.bbb.ccc.210 is the VIP, 10.1.11.251 is the
real server on the receiving end of the port forwarding.
When I bring the master back up and it takes over for the backup
again, the above ssh session is nowhere to be found in the state table.
Anyone have any idea what's going on here?!
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
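The master/backup state-table mismatch described in the message above (58 entries against 11, and a NAT-mapped session that the backup shows but that disappears once the master returns) is much easier to chase with a side-by-side diff of the two state tables than by eyeballing them. The Python script below is an added example for that purpose; it is not code from this thread or from pfSense. It assumes `pfctl -ss` style lines in the form quoted above (`dst <- vip <- src`), optionally prefixed by the interface and protocol columns and suffixed with the TCP state, and the two sample tables are constructed for illustration (the ssh flow is the one from the thread).

```python
"""Diff pf state tables captured on a CARP master and its backup so that
states pfsync did not replicate stand out.

Added example, not code from the thread or from pfSense.  Assumes lines in
the `pfctl -ss` shape "dst <- vip <- src", optionally prefixed with the
interface and protocol ("all tcp ...") and suffixed with the TCP status."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PROTOS = {"tcp", "udp", "icmp", "icmp6", "esp", "gre"}
ARROWS = {"<-", "->"}
Key = Tuple[str, ...]


@dataclass(frozen=True)
class StateEntry:
    proto: Optional[str]        # None when the line carries no protocol column
    direction: str              # "<-" inbound, "->" outbound
    endpoints: Tuple[str, ...]  # two addr:port pairs, or three when a VIP/NAT is in play
    status: Optional[str]       # e.g. "ESTABLISHED:ESTABLISHED"; None if absent

    @property
    def key(self) -> Key:
        # Flow identity without the TCP status: the status legitimately lags on
        # the backup while a session is in flight, so it must not count as a diff.
        return (self.proto or "?", self.direction) + self.endpoints


def parse_state(line: str) -> Optional[StateEntry]:
    """Parse one state line; return None for lines that carry no flow arrow."""
    tokens = line.split()
    arrows = [i for i, t in enumerate(tokens) if t in ARROWS]
    if not arrows or arrows[0] == 0:
        return None
    first, last = arrows[0], arrows[-1]
    # Endpoints sit on either side of each arrow: every second token from the
    # one before the first arrow up to the one after the last arrow.
    endpoints = tuple(tokens[first - 1:last + 2:2])
    proto = next((t for t in tokens[:first - 1] if t in PROTOS), None)
    status = tokens[last + 2] if len(tokens) > last + 2 else None
    return StateEntry(proto, tokens[first], endpoints, status)


def parse_table(lines: Iterable[str]) -> Dict[Key, StateEntry]:
    table: Dict[Key, StateEntry] = {}
    for line in lines:
        entry = parse_state(line)
        if entry is not None:
            table[entry.key] = entry
    return table


def diff_states(master: Iterable[str], backup: Iterable[str]) -> Tuple[List[Key], List[Key]]:
    """Return (flows on master but not backup, flows on backup but not master)."""
    m, b = parse_table(master), parse_table(backup)
    missing = sorted(k for k in m if k not in b)
    extra = sorted(k for k in b if k not in m)
    return missing, extra


def report(master: Iterable[str], backup: Iterable[str]) -> str:
    """Human-readable summary; states missing on the backup will not survive a failover."""
    missing, extra = diff_states(master, backup)
    lines = [f"{len(missing)} state(s) on master not synced to backup:"]
    lines += ["  " + " ".join(k) for k in missing]
    lines.append(f"{len(extra)} state(s) only on backup (opened locally or stale):")
    lines += ["  " + " ".join(k) for k in extra]
    return "\n".join(lines)


# Constructed sample captures; the ssh flow matches the one quoted in the thread.
MASTER_SAMPLE = [
    "No ALTQ support in kernel",  # pfctl preamble line, must be ignored
    "all tcp 10.1.11.251:22 <- aaa.bbb.ccc.210:22 <- ddd.eee.fff.67:53791 ESTABLISHED:ESTABLISHED",
    "all tcp 10.1.11.20:443 <- aaa.bbb.ccc.210:443 <- 198.51.100.7:40112 ESTABLISHED:ESTABLISHED",
    "all udp 10.1.11.5:53 -> 192.0.2.53:53 MULTIPLE:SINGLE",
    "all tcp 10.1.11.251:22 <- aaa.bbb.ccc.210:22 <- 198.51.100.9:50001 TIME_WAIT:TIME_WAIT",
]
BACKUP_SAMPLE = [
    "all tcp 10.1.11.251:22 <- aaa.bbb.ccc.210:22 <- ddd.eee.fff.67:53791 ESTABLISHED:ESTABLISHED",
    "all udp 10.1.11.5:53 -> 192.0.2.53:53 MULTIPLE:SINGLE",
    "all tcp 10.1.11.9:22 <- aaa.bbb.ccc.211:22 <- 203.0.113.4:61000 ESTABLISHED:ESTABLISHED",
]

if __name__ == "__main__":
    print(report(MASTER_SAMPLE, BACKUP_SAMPLE))
```

In practice you would capture `pfctl -ss` on each node at the same moment and feed the two files to `diff_states`; any flow listed as missing on the backup is one that will hang on failover exactly as the ssh session in the thread did, so that list is the thing to check against the pfsync interface, its firewall rules and the switch's promiscuous-mode setting before trusting the cluster with live sessions.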