HA Setup with two uplinks: master/slave Problem with OpenVPN

Started by c-mu, November 09, 2018, 08:35:27 AM

Hey Guys,
my setup:

Both latest FW to date: 18.7.7

WAN x.x.x.1              WAN x.x.x.2
     |                        |
     |                        |
DECISO Appliance         DECISO Appliance
  "Firewall1"              "Firewall2"
     |                        |
     |                        |
     ---- HA SETUP (CARP) ----
                |
                |
               LAN

The Problem:
Firewall1 should always be the master, and only if I do maintenance jobs or in case of hardware failure should Firewall2 do the work.

So the problem is that if I do a firmware update on FW1 (CARP master), for example, the default gateway and VPN tunnel switch to FW2 (CARP backup). All fine.

BUT when FW1 is back to work, only the default gateway switches back to the master; the VPN tunnel is still active on FW2, with the result that my LAN clients can't reach the company's VPN network. And I can't connect to the admin interface of the appliances either. I help myself out with an always-running TeamViewer client at this office.

Any suggestions to help me out?
Thank You!


config master:
system -> high availability:
sync states: checked
disable preempt: unchecked
syncinterface LAN
sync peer ip > FW2

firewall -> virtual ips > settings:
mode carp
interface LAN
address: virtual IP as gateway for the clients
gateway: empty
virtual IP password: set
VHID Group 1
Advertising Freq.: Base1 Skew 0

config slave:
system -> high availability:
sync states: checked
disable preempt: unchecked
syncinterface LAN
sync peer ip > FW1

firewall -> virtual ips > settings:
mode carp
interface LAN
address: virtual IP as gateway for the clients
gateway: empty
virtual IP password: set
VHID Group 1
Advertising Freq.: Base1 Skew 100


With OpenVPN you have to select the VIP as the interface so the daemon switches correctly ...

Even if the WAN interface has no VIP? Then I will test it outside office hours.

There's only a VIP between the LAN interfaces.

There is a script behind it: when you select to bind to a VIP, the daemon itself is only started on the master and always stopped on the backup .. works like a charm :)

That sounds really good and suitable for my setup. Just for clarification:

We're speaking about VPN -> OpenVPN -> Client -> (select the specific client) -> Interface: there I should select my virtual IP from LAN, right? And background magic does the work.

My WAN does not have a VIP, because those are two different (physical) uplinks.
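The reply above says the OpenVPN daemon is only started on the node whose CARP VIP is MASTER. To verify that on each firewall (for example when the tunnel stays on FW2 after FW1 comes back), here is an added illustrative shell check, not OPNsense's own script nor code from any participant: it reads the CARP state of VHID 1 from FreeBSD `ifconfig` output (a constructed sample is embedded; on a real box use `SAMPLE="$(ifconfig)"`) and reports whether the OpenVPN client should be running on that node.

```shell
#!/bin/sh
# Added example, not OPNsense code: derive the CARP state of a VHID from
# ifconfig output and decide whether the OpenVPN client belongs on this node.

# Constructed sample of `ifconfig` on the LAN interface of Firewall2 while
# Firewall1 holds the VIP (VHID 1 in BACKUP state, skew 100 as configured).
SAMPLE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# carp_state OUTPUT VHID -> prints MASTER, BACKUP or INIT for that VHID,
# or UNKNOWN when no carp line for the VHID is present.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# openvpn_wanted STATE -> "run" only when this node is MASTER for the VIP,
# "stop" in every other state (BACKUP, INIT, UNKNOWN).
openvpn_wanted() {
    case "$1" in
        MASTER) echo run ;;
        *)      echo stop ;;
    esac
}

main() {
    state=$(carp_state "$SAMPLE" 1)
    echo "VHID 1 is $state -> OpenVPN client on this node should: $(openvpn_wanted "$state")"
}

main
```

Run it on both nodes: exactly one should report MASTER/run; if the backup node still has the daemon running while reporting BACKUP/stop, the VPN client is not bound to the VIP as the reply describes.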