Messages - EHRETic

#1
Hi there,

Today, while updating my FWs to the latest version (25.1.10), I noticed that my web console certificates had expired (on both nodes, as one certificate is shared).
Nothing to worry about: I have an internal CA configured, so I created a new GUI certificate on the master with the same parameters (SANs are valid for both nodes/IPs).

The issue is: when I synced the configuration, I was not able to find the new certificate on the backup node.

I've tried rebooting both nodes and also activating/deactivating certificate sync (saving & hitting sync each time) - didn't help.
I also have the exact same issue on a second pair of FWs (remote backup site - same version, but VMs).

I can't figure out if it is a recent issue or not, so I'll need some help to troubleshoot and solve it.

Thanks in advance!😉

PS: I DID find the new sync button... 😇 but I would really appreciate a full sync status panel if possible.
(ref: https://github.com/opnsense/core/issues/8301)
#2
Hi there,

Same issue for me, fixed with the hotfix.
Thanks a lot for the quick reaction!👌

PS: Live view was also broken and fix solved it too.
#3
Quote from: Patrick M. Hausen on February 06, 2025, 02:29:49 PM
It's not my prerogative to consider or not consider change requests - I am just an OPNsense user and Deciso customer like most people on this forum.

Oops, but the more of us there are, the greater the chances! 😊

I did open a feature request in the meantime (not really a bug IMHO).
#4
Quote from: Patrick M. Hausen on February 04, 2025, 11:06:48 AM
I agree. The wording could be more helpful. Would you open an issue on Github about that?

Sure I will, thanks for considering it! 👌
#5
I did indeed read "system: migrate HA status page to MVC/API" in the release notes, but it didn't really make me understand what it means.

So if it is the "Synchronize and reconfigure all" button, it is not clear at all, because if you hover your mouse over the button, it displays "Restart all services"... 😁
There is also the "Perform synchronization" link in the HA settings area, right behind "Configuration Synchronization Settings (XMLRPC Sync)", but that is also not very clear.

None of them gives you a clear status/result anyway, so is there any chance of changing the way we get a confirmation that everything is running smoothly?

PS: I'd love to hear from the dev team to understand the change; there is probably a good reason.
#6
Hi there,

I might be mistaken because of a change, but I can't find the small "synchronize to backup" button for HA settings in the new 25.1 UI.

And therefore, also missing the small status when you press on it!

Is it missing or is it moved somewhere else? Thx in advance!
#7
Thanks a lot for the fix!

I thought I was going crazy this morning when I had no Internet anymore... :)
#8
Quote from: j.koopmann on September 27, 2024, 06:58:31 PM
Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPSEC tunnel is actually down (despite DPD etc.) takes forever.

I didn't bother too much; I switched to a Wireguard tunnel.
It's from my homelab to my parents' place for DR backups, so it just needs to work!
It also drastically increased speed, so it was a win. :)
#9
Quote from: MartinG on July 17, 2024, 06:58:31 AM
Actually I have PPPoE active with a single DHCP IP. So this is the problem.
I will try to migrate the WAN interface behind the router with private CARP IPs.

No problem, hope you can sort it out! ;)

CARP needs a single IP per interface on each FW in order to be able to create a VIP.
Here you can have an overview:
https://docs.opnsense.org/manual/how-tos/carp.html

Your Wireguard tunnel will be based on VIP 172.18.0.100 in this example.
#10
Quote from: MartinG on July 16, 2024, 03:09:57 PM
I've a HA pair with PPPoE.

I don't understand the specifics of PPPoE in an HA setup, but one of the "obvious" things to configure is the VIP for the Wireguard tunnel.
The setting name is: Depend on (CARP)

In my setup, each firewall has a dedicated IP on the Internet router "LAN", which in my case is used as a transfer network only. Don't know if it is possible with PPPoE ;)
#11
Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

Well it's done, I have my HA setup properly working with Wireguard.
Thanks again for the feedback ;)
#12
Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

That is very good news! Thanks for the quick feedback... now I know what to do this afternoon! ;D
#13
Hi,

Did you figure it out?
I just installed an OPNsense cluster and I'd like to switch from IPSEC legacy tunnel to Wireguard tunnel.

Thanks ;)
#14
Hi there,

I set up a new HA cluster for my home infra and so far, migration has been great; everything seems to be working as expected. HA works when I switch CARP manually or if I shut down/restart the master.

Everything... except my IPSEC VPN tunnel, which doesn't switch over. :(

My Phase 1 is configured to the WAN CARP IP, and I also tried to disable MOBIKE as mentioned here https://forum.opnsense.org/index.php?topic=19244.0
The pfsync interface is a dedicated cable, and there is a rule that allows everything between both FWs.

As I'm fairly new to HA, I don't know what to expect here, but I tried to switch over/restart the master and also tried to shut it down for 10 minutes; this didn't help, the IPSEC tunnel only comes back after the master is up again.

The IPSEC tunnel is still in legacy mode; I don't know if switching to the newer version would help.

Where can I start looking? Thanks in advance ;)

K.R
Franck
#15
Quote from: Zeimin on March 20, 2024, 07:38:39 AM
I know this is marked solved but it's the first post that comes up. After two days of messing with HA, spinning up new VMs, I figured out the problem was due to ACME client and port redirection from the master. All I had to do was click the (i) and it was pretty obvious. Ensure, if you have changed the web admin port, that you specify the entire URI under System->High Availability->Settings->Synchronize Config to IP, i.e. https://192.168.0.2:8443. The Synchronize Peer IP remains just an IP. I hope this saves someone time. This is the only thing left out of the official documentation.

Remember HA is using web API to configure everything.

Thanks a lot, this helped me too to solve this "rule disappearing issue"... :)