OPNsense Forum

English Forums => Virtual private networks => Topic started by: vlorentz on April 23, 2025, 12:34:10 PM

Title: openVPN site-to-site gets disconnected periodically (every 1-2 Minutes)
Post by: vlorentz on April 23, 2025, 12:34:10 PM
Dear all,

Maybe the following issue has been reported previously, but up to now I was not able to find it. Several weeks ago, a strange behavior started to happen on my site-to-site High-Availability openVPN connection. I was first looking at some changes on openVPN, but I then noted that sometimes, both master and backup on the client side are reporting that they are connected to the master server... which is strange, since I thought that when HA is configured, only 1 VPN connection should be active at a time.

It seems that some weeks ago (with an update of OPNsense probably deployed in March 2025), every time the master is getting synchronized with the backup (I use a cron script for that), the openVPN connection on the backup client is not "restarted", which means that it tries to connect, not taking into account the CARP status. This behavior is strange to me, if the initial statements remain true: the backup client takes over the VPN connection only if the master client is in trouble.

Can somebody confirm if this behavior is wanted? I am on Firmware 25.1.5_5, but the behavior existed on previous versions of the 25.1.5 release. Maybe even before, but this is speculation. I thought all the time that the issue was related to a change or misconfiguration of openVPN, but it now seems related to the management of the connections only after the synchronization in the HA case.

Interesting detail: If I disconnect the WAN on the master client, wait a short time, then connect it again, the master client takes over the VPN connection and the backup releases its connection. But as soon as I synchronize the states again, both are trying to connect to the server, thus interrupting each other, which causes connection conflicts and resets the connection every 1-2 minutes.

Best regards,
Vincent