HA failover interrupts streams

Started by steilfirn_8000, May 03, 2022, 10:13:20 AM

Hello everyone,

I am using two OPNsense firewalls as HA.
So far everything works as expected, but I am having difficulties when it comes to streaming media (e.g. audio streams, VoIP sessions).

If I do a failover the connections get interrupted.
Is this a known behaviour?

I am not using CARP on my end but am fully expecting that all active connections (inbound & outbound) would be impacted in one way or another during a failover. But it really is more up to the client how well it recovers from such temporary disruptions. For example, Zoom connections recover pretty well, even if your connection is going down for a few seconds (the client reconnects automatically, but you still experience a temporary disruption -- it's just that it gets resolved by itself).

Hmm according to the wiki description I would expect a failover without any interrupt:

Together with CARP, we can use pfSync to replicate our firewalls' state. When failing over you need to make sure both machines know about all connections to make the migration seamless. It's highly advisable to use a dedicated interface for pfSync packets between the hosts, both for security reasons (state injection) and for performance.

https://docs.opnsense.org/manual/how-tos/carp.html#terminology



Quote from: steilfirn_8000 on May 03, 2022, 10:13:20 AM
Hello everyone,

I am using two OPNsense firewalls as HA.
So far everything works as expected but I am having difficulties when it comes to streaming media (e.g. audio streams, VoIP session).

If I do a failover the connections get interrupted.
Is this a known behaviour?

Did you set a manual outbound NAT rule to translate to the CARP address?

Hello @mimugmail,

yes, outbound NAT is set to the shared CARP IP for WAN.

- Screenshot of outbound NAT
- Screenshot of Firewall : Virtual IPs : Status (both Firewalls)
- Check in Firewall : Diagnostics : State table if the running connection is on both Firewalls

I tested the failover with a customer 2-3 weeks ago, wasn't a problem.
We also did a telnet via port 25, typed EHLO, switched to Firewall2, and the telnet session was still alive and able to send an email.

I think I found the issue:

I had the option enabled to scan all HTTP/S connections via ClamAV (transparent mode).

If I set the 1st firewall to maintenance mode, the 2nd firewall's ClamAV was not aware of the connections and they were interrupted.

Don't forget that transparent mode just redirects to itself, so outgoing connections will be initiated via the local IP and not the CARP IP!

So is transparent proxy with ClamAV still a HA feature or should that be disabled?

It will work with HA, but you will lose all connections on failover and they have to be re-established.
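The two checks suggested in this thread (is the running connection present in the state table of both firewalls, and is it sourced from the CARP IP rather than a node-local IP) can be automated against two `pfctl -ss` snapshots. The script below is an added example and is not part of the thread or of OPNsense; the CARP VIP, the node's own interface addresses and both state-table snapshots are constructed values in FreeBSD's `pfctl -ss` output format, not data from the posters' systems.

```shell
#!/bin/sh
# Added example: compare state-table snapshots of both HA nodes and flag
# states that will not survive a failover. All addresses and snapshots below
# are constructed for illustration.

# Assumed CARP WAN VIP shared by both nodes, and the addresses that belong
# only to firewall 1 (its physical WAN address and its LAN address).
CARP_WAN_VIP="203.0.113.2"
FW1_OWN_IPS="203.0.113.3 192.168.1.1"

# Constructed 'pfctl -ss' snapshot from the active node (firewall 1).
# Outbound NAT states show the translated source first and the original
# client address in parentheses.
FW1_STATES='all tcp 203.0.113.2:51234 (192.168.1.10:51234) -> 198.51.100.25:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.2:5060 (192.168.1.20:5060) -> 198.51.100.40:5060       MULTIPLE:MULTIPLE
all tcp 203.0.113.3:40212 -> 198.51.100.25:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:51240 -> 192.168.1.1:3128       ESTABLISHED:ESTABLISHED'

# Constructed snapshot from the standby node (firewall 2): what pfsync
# replicated. The client-to-proxy state is missing here.
FW2_STATES='all tcp 203.0.113.2:51234 (192.168.1.10:51234) -> 198.51.100.25:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.2:5060 (192.168.1.20:5060) -> 198.51.100.40:5060       MULTIPLE:MULTIPLE
all tcp 203.0.113.3:40212 -> 198.51.100.25:443       ESTABLISHED:ESTABLISHED'

# Reduce each pfctl -ss line to a comparable key: proto, (translated) source,
# destination. The destination is always the field before the state column,
# so this works with and without the NAT "(orig)" field.
state_keys() {
    awk '{ printf "%s %s -> %s\n", $2, $3, $(NF-1) }'
}

# Print the states in snapshot $1 that are absent from snapshot $2.
# On a healthy pfsync link the active node's snapshot should yield nothing.
states_missing_on_peer() {
    peer_keys=$(mktemp)
    printf '%s\n' "$2" | state_keys > "$peer_keys"
    # grep exits 1 when nothing is missing; that is a good result, not an error.
    printf '%s\n' "$1" | state_keys | grep -Fxv -f "$peer_keys" || true
    rm -f "$peer_keys"
}

# Print the states in snapshot $1 whose source address is one of this node's
# own interface addresses instead of the CARP VIP. These are connections the
# firewall itself opened (e.g. a transparent proxy fetching on a client's
# behalf). Even if pfsync replicates them, the standby node does not own that
# address, so they cannot continue after a failover.
states_bound_to_local_ip() {
    printf '%s\n' "$1" | awk -v own="$FW1_OWN_IPS" -v vip="$CARP_WAN_VIP" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) ownip[a[i]] = 1 }
        {
            src = $3; sub(/:[0-9]+$/, "", src)
            if ((src in ownip) && src != vip) print $2, $3, "->", $(NF-1)
        }'
}

# Standalone report.
echo "States on firewall 1 not replicated to firewall 2:"
states_missing_on_peer "$FW1_STATES" "$FW2_STATES"
echo "States on firewall 1 bound to a node-local IP (lost on failover):"
states_bound_to_local_ip "$FW1_STATES"
```

In real use the two snapshots would come from `pfctl -ss` run on each node over the management network; the script only needs the text. A state that shows up in the first list points at a pfsync replication problem, while one in the second list is the situation described above: the connection was opened by the firewall itself from an address the peer does not own, so no amount of state synchronisation will carry it across.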

Thanks for clarification - I will leave the transparent proxy disabled.