OPNsense Forum

English Forums => High availability => Topic started by: valeavin on March 14, 2023, 09:59:49 pm

Title: HA Status stuck after update from 22.7 to 23.1
Post by: valeavin on March 14, 2023, 09:59:49 pm
After updating my HA environment from version 22 to 23, the HA sync is not working anymore.
I've planned a cron job to perform a sync every 2 minutes, and according to the log it returns "OK", but the sync does not happen.

I've checked the credentials, updated the password and applied the HA config again, but nothing.
CARP is working perfectly, but the configuration is not syncing.

On both firewalls there's a /var/run/booting file, but it's empty. If deleted, it appears again on reboot.

Going to System > HA > Status on the main:
- If firewall 2 is turned off, the message "The backup firewall is not accessible or not configured." appears immediately.
- If firewall 2 is on, the interface on FW1 freezes for 1-2 minutes and then the same message appears.

I've checked the reachability on CARP interface:
FW1 ping FW2: ok
FW2 ping FW1: ok

and also the ssh connection:
FW1 can ssh to FW2 and vice versa.

#Update 31-03

Both firewalls were reinstalled with the native ISO 23.1 and updated to 23.1.5_4, and the same error occurs.

CARP Active/Backup is working fine on all interfaces and the CARP IP, but synchronisation is still blocked.
I've tried to specify the full path, from just the IP to "https://<ip>:443/", but without any effect.

What's wrong?
Title: Re: HA Status stuck after update from 22.7 to 23.1
Post by: andrerfa on April 19, 2023, 04:45:56 pm
Sadly I don't have a fix but I have the same problem... Worked fine before and now "The backup firewall is not accessible or not configured." but the VIPs seem to be working fine.
Title: Re: HA Status stuck after update from 22.7 to 23.1
Post by: gefilte_fish03 on May 22, 2023, 04:31:14 pm
I was dealing with this issue after some changes I made last week. I finally narrowed it down to firewall rules... but not on the SYNC interface.

I'm using port forwarding for a transparent web proxy with NAT reflection turned on. That's all working. When I changed the rule to an inverse Hosts range (all addresses except those enumerated in the Alias) on the LAN interface, I lost my XMLRPC Sync. When I reverted, I got it back. Tested this twice. I have a separate rule on the SYNC interface to allow all.

Maybe I'm misunderstanding, but I assumed that NAT and firewall rules only apply on the interface specified in the rules, and that XMLRPC Sync is done on the interface selected in System -> Settings -> High Availability. But my LAN redirect rule broke my Sync.
Title: Re: HA Status stuck after update from 22.7 to 23.1
Post by: andrerfa on May 22, 2023, 04:49:29 pm
I actually also managed to fix this a few days ago. It was a stupid mistake which I didn't think about. The manuals etc. make you aware of it: I made the web interface of both OPNs only available on a specific interface, which is not the SYNC interface. After I enabled the web interface on both the management network and SYNC network, it worked fine. The setting can be found under system > settings > administration > listen interfaces.

Hope this helps
Title: Re: HA Status stuck after update from 22.7 to 23.1
Post by: gefilte_fish03 on May 22, 2023, 05:02:54 pm
Interesting, but that makes sense. I never changed it from the default listen on all interfaces setting.

My NAT redirect rule still breaks it when applied on the backup device, so I had to change the way the rule works.
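
Added example, not part of any post in this thread: ping and ssh succeeding says nothing about the web GUI port that the sync uses, so this Python sketch tests a TCP connect to that port from a chosen source address and classifies the result. The function names, hint wording and loopback demo are assumptions of this example; port 443 is taken from the "https://<ip>:443/" target in the first post.

```python
import socket

# Hint texts are this example's own wording, not OPNsense output.
HINTS = {
    "open": "something accepted the connection; confirm it is the peer GUI "
            "and not the target of a NAT redirect rule",
    "refused": "nothing listens on that address and port; check the GUI "
               "listen interfaces on the peer",
    "timeout": "no answer; a firewall or NAT rule may be dropping or "
               "diverting the traffic",
    "error": "local problem such as an unusable source address or no route",
}

def probe(peer_ip, port=443, source_ip=None, timeout=3.0):
    """Classify a TCP connect attempt to the peer's GUI port.

    source_ip binds the local end so the attempt leaves from the SYNC
    interface address rather than whatever the routing table picks.
    """
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((peer_ip, port), timeout=timeout,
                                      source_address=src):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"

def report(peer_ip, port=443, source_ip=None, timeout=3.0):
    """One-line summary suitable for a cron job log."""
    state = probe(peer_ip, port, source_ip, timeout)
    origin = source_ip or "default source"
    return f"{peer_ip}:{port} from {origin}: {state} ({HINTS[state]})"

if __name__ == "__main__":
    # Constructed demo on loopback: a local listener stands in for the peer GUI.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    demo_port = srv.getsockname()[1]
    print(report("127.0.0.1", demo_port, "127.0.0.1"))  # listener up
    srv.close()
    print(report("127.0.0.1", demo_port, "127.0.0.1"))  # listener gone
```

On a real pair, call `report()` with the peer's SYNC address and the local SYNC address as `source_ip`; "refused" matches the listen-interfaces cause andrerfa describes, while "open" does not by itself exclude the redirect case gefilte_fish03 describes.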