Messages - Fauconjeff

#1
Quote from: Fabian Wenk on June 03, 2025, 02:16:34 PM: There is another thread with the same issue, where the user bamypamy tracked it down to the OPNsense systems not having direct internet access and having to use a proxy server; see https://forum.opnsense.org/index.php?msg=238761

After reading his post, I tested the solution and it worked! I'm also using a proxy because that pair of firewalls is only filtering the corp network to a lab. I did not mention it in my post because it didn't seem relevant to the problem I had.

EDIT: I opened a bug:
https://github.com/opnsense/core/issues/8765
#2
Quote from: bamypamy on May 28, 2025, 10:09:16 AM: I had the same problem. Here is what fixed it for me.

I did an update from 24.4.3 to 25.4.1 (VMs on proxmox).
I'm not using the default web GUI port, but I've never had to add the port to the IP settings in the HA configuration.
I did try that, though, but it didn't help.

Since my firewalls don't have direct internet access, I had added the proxy environment variable as shown here so I can download updates.
https://docs.opnsense.org/development/backend/configd.html#extending-the-environment

That worked fine, but it broke the HA synchronization.
I can reproduce it. When I create the proxy.conf and restart configd, I immediately get the error message on the HA sync status page.
If I delete the proxy.conf and restart configd, I immediately see the status of the cluster again.

Maybe it will help someone else and save them from getting (even more) gray hair.

Hi! You totally found my problem! HA sync is working again after renaming proxy.conf to proxy.confbak and restarting the configd service.

EDIT: I opened a bug:
https://github.com/opnsense/core/issues/8765


Thanks!
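The mechanism bamypamy and Fauconjeff describe in these two posts, as an added example (not OPNsense code and not from either poster): a proxy-honouring HTTP client sends the request for the directly connected HA peer to the corporate proxy instead, unless the peer's address is exempted via no_proxy. Both the "peer GUI" and the "corporate proxy" below are constructed in-process stand-ins on loopback; the [environment] INI layout of proxy.conf, the variable names and the /sync path are assumptions (check the linked configd docs page for the real format), and the real peer address would be the one entered under Synchronize Config.

```python
"""Why a proxy in configd's environment can break the HA peer check.

Added example: a proxy-honouring client talks to the proxy instead of the
HA peer until the peer is listed in no_proxy. Servers are loopback stand-ins.
"""
import configparser
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Assumed layout of /usr/local/etc/configd.conf.d/proxy.conf:
# an [environment] section with one VAR=value per line.
PROXY_CONF_TEMPLATE = """\
[environment]
http_proxy=http://127.0.0.1:{proxy_port}
https_proxy=http://127.0.0.1:{proxy_port}
"""


def load_environment(conf_text):
    """Parse the [environment] section into a plain dict of variables."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["environment"])


def proxy_for(host, env):
    """Proxy URL a proxy-honouring client would use for host, or None.

    Common libcurl/urllib rule: *_proxy selects the proxy, no_proxy
    (comma-separated hosts or domain suffixes) exempts destinations.
    """
    proxy = env.get("http_proxy") or env.get("https_proxy")
    if not proxy:
        return None
    if proxy_bypass_environment(host, {"no": env.get("no_proxy", "")}):
        return None
    return proxy


class PeerGUI(BaseHTTPRequestHandler):
    """Stand-in for the HA peer's web GUI answering a sync request."""

    def do_GET(self):
        self.reply(200, b"peer ok")

    def reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class CorpProxy(PeerGUI):
    """Stand-in for a corporate proxy with no route to the private sync link."""

    def do_GET(self):
        self.reply(502, b"proxy cannot reach upstream")


def start_server(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url, env, timeout=5.0):
    """GET url like a proxy-honouring client: through the proxy with an
    absolute-form request line when env says so, directly otherwise."""
    target = urlsplit(url)
    proxy = proxy_for(target.hostname, env)
    if proxy:
        p = urlsplit(proxy)
        conn = http.client.HTTPConnection(p.hostname, p.port, timeout=timeout)
        conn.request("GET", url)
    else:
        conn = http.client.HTTPConnection(target.hostname, target.port, timeout=timeout)
        conn.request("GET", target.path or "/")
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def run_demo():
    """Same peer, same request: proxy.conf alone lands on the proxy (502);
    with the peer in no_proxy the request reaches the peer (200)."""
    peer, peer_port = start_server(PeerGUI)
    proxy, proxy_port = start_server(CorpProxy)
    try:
        peer_url = f"http://127.0.0.1:{peer_port}/sync"  # constructed path
        broken = load_environment(PROXY_CONF_TEMPLATE.format(proxy_port=proxy_port))
        fixed = dict(broken, no_proxy="127.0.0.1")  # real case: the peer's sync address
        return {"broken": fetch(peer_url, broken), "fixed": fetch(peer_url, fixed)}
    finally:
        for srv in (peer, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(f"{name}: HTTP {status} {body}")
```

Whether OPNsense's own XMLRPC client honours no_proxy from configd's environment is not established on this page; the example only shows why renaming proxy.conf restores the check, and what an exemption would have to look like for a client that does honour it.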
#3
Hi, I have a problem with HA sync between my 25.1.5_5 firewalls. When I go to System > HA > Status, it hangs there for 30 seconds, then says "Check user credentials".

I know the credentials are good.
Listen interfaces is set to all.
There is no port in the Synchronize Config box, just the IP.
Both replication interfaces are connected to a dedicated port with a cross-over cable (no switch).
I have a firewall rule to allow * because it's directly connected.
When I open the Firewall Live View in a second browser tab, I can't see any traffic when I click on Status (in the HA section where the error appears).

But if I connect to the primary FW through SSH and issue the command /usr/local/etc/rc.filter_synchronize, there is no error, sync is working, and I can see replication traffic in the Firewall Live View.

Looks like something is broken on the web interface.

I have another pair of OPNsense with the same version and the same HA config, and it's working fine.
#4
I currently have a working HA pair of OPNsense 25.1 with two WAN connections. I successfully set up a gateway failover group using both WANs with virtual IPs (CARP).

On WAN-1, my ISP is giving me 5 different public subnets. Here is an example of their ASR920 router config for me:

ip address 210.1.1.1 255.255.255.248  (my current internet WAN-1 gateway, with failover on another ASR920 (WAN-2))
ip address 210.2.2.1 255.255.255.240 secondary
ip address 210.3.3.1 255.255.255.240 secondary

ip route 210.4.4.0 255.255.255.240 210.1.1.1
ip route 210.5.5.0 255.255.255.240 210.1.1.1

I successfully set up the whole 210.4.4.0 and 210.5.5.0 subnets using Virtual IP aliases on the same VHID group as my primary 210.1.1.1 gateway. I can then use all these IPs for port forwards to any server.

Let's forget the HA setup for now:

I'm now trying to use both secondary subnets (210.2.2.0 and 210.3.3.0) and have these ranges available via DHCP for lab devices. I want devices to receive a public IP from OPNsense without NAT.

I added two new NICs and set OPNsense to 210.2.2.2 and 210.3.3.2 so the DHCP server is available for both subnets. I also added two gateways on the WAN-1 interface (210.2.2.1 and 210.3.3.1). The DHCP server is running on these two new NICs with the correct ranges, handing out .1 as the gateway instead of .2, and 8.8.8.8 as the DNS.

I added a firewall rule on each new NIC with the correct gateway (Pass, in, interface wan1_210.2, source wan1_210.2 net, gateway GW_wan1_210.2).

A device now receives 210.2.2.3 or 210.3.3.3 with .1 as the gateway and 8.8.8.8 as the DNS, but I can't reach the internet.

This was really complicated to explain; I hope you will understand :)
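Two addressing checks worth running against the setup described in this post, as an added example (not from the post or any reply, and not a verdict on what the ISP will or will not route). Addresses are taken from the post and the quoted ASR920 config, with the /29 and /28 masks from the ISP's own masks; OPNsense's WAN-1 address is not given in the post, so 210.1.1.2 is assumed. The first check asks, for each configured gateway, which of OPNsense's connected networks actually contains the gateway address (longest prefix wins on any router). The second asks which device on a lab NIC's segment would answer ARP for the router address the DHCP server hands out.

```python
"""Addressing sanity checks for the multi-subnet OPNsense setup above.

Added example. Masks from the ISP config; OPNsense's WAN-1 host address is
assumed to be 210.1.1.2. Nothing here talks to a real firewall.
"""
from ipaddress import ip_address, ip_interface, ip_network

# OPNsense interfaces; each one yields a connected route for its network.
INTERFACES = {
    "WAN-1": ip_interface("210.1.1.2/29"),        # host part assumed
    "wan1_210.2": ip_interface("210.2.2.2/28"),
    "wan1_210.3": ip_interface("210.3.3.2/28"),
}

# Gateways as configured in the post: name -> (address, attached interface).
GATEWAYS = {
    "GW_WAN-1": ("210.1.1.1", "WAN-1"),
    "GW_wan1_210.2": ("210.2.2.1", "WAN-1"),
    "GW_wan1_210.3": ("210.3.3.1", "WAN-1"),
}

# Which device holds which address on each L2 segment, per the post: the ISP
# router carries the .1 of every subnet on the WAN-1 link (primary plus
# secondaries); on the two lab NICs only OPNsense's .2 is mentioned.
SEGMENTS = {
    "WAN-1": {"210.1.1.1": "isp-router", "210.2.2.1": "isp-router",
              "210.3.3.1": "isp-router", "210.1.1.2": "opnsense"},
    "wan1_210.2": {"210.2.2.2": "opnsense"},
    "wan1_210.3": {"210.3.3.2": "opnsense"},
}


def connected_route_for(addr, interfaces=INTERFACES):
    """Longest-prefix match of addr against the connected networks.

    Returns the interface whose connected route a router's forwarding lookup
    would pick for this address, or None if no connected network covers it.
    """
    addr = ip_address(addr)
    hits = [(iface.network.prefixlen, name)
            for name, iface in interfaces.items() if addr in iface.network]
    return max(hits)[1] if hits else None


def audit_gateways(interfaces=INTERFACES, gateways=GATEWAYS):
    """Per gateway: (attached interface, interface that owns the address by
    longest prefix, whether the two agree)."""
    report = {}
    for name, (addr, attached) in gateways.items():
        owner = connected_route_for(addr, interfaces)
        report[name] = (attached, owner, owner == attached)
    return report


def dhcp_router_in_subnet(client_ip, prefixlen, router):
    """A DHCP client only installs a router option inside its own subnet."""
    return ip_address(router) in ip_network(f"{client_ip}/{prefixlen}", strict=False)


def next_hop_on_segment(segment_hosts, router):
    """Device on the client's segment that would answer ARP for the router
    address handed out by DHCP; None means no on-link device holds it."""
    return segment_hosts.get(str(ip_address(router)))


if __name__ == "__main__":
    for gw, (attached, owner, ok) in audit_gateways().items():
        print(f"{gw}: attached to {attached}, address owned by {owner}, ok={ok}")
    for seg, client, router in (("wan1_210.2", "210.2.2.3", "210.2.2.1"),
                                ("wan1_210.3", "210.3.3.3", "210.3.3.1")):
        in_subnet = dhcp_router_in_subnet(client, 28, router)
        answerer = next_hop_on_segment(SEGMENTS[seg], router)
        print(f"{seg}: client {client} router {router} in subnet={in_subnet}, "
              f"answered on segment by={answerer}")
```

Run stand-alone it reports that GW_wan1_210.2 and GW_wan1_210.3 are attached to WAN-1 while their addresses fall inside the /28s configured on the lab NICs, and that on each lab segment no listed device holds the .1 the clients are given as their router (the ISP router holds it on the WAN-1 link). Both are properties of the addressing as written in the post; adjust INTERFACES and SEGMENTS to the real deployment before drawing conclusions.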