HA failover interrupts streams

[steilfirn_8000]

Hello everyone,

I am using two OPNsense firewalls as HA.
So far everything works as expected but I am having difficulties when it comes to streaming media (e.g. audio streams, VoIP session).

If I do a failover the connections get interrupted.
Is this a known behaviour?

[Grossartig]

I am not using CARP on my end but am fully expecting that all active connections (inbound & outbound) would be impacted in one way or another during a failover. But it really is more up to the client how well it recovers from such temporary disruptions. For example, Zoom connections recover pretty well, even if your connection is going down for a few seconds (the client reconnects automatically, but you still experience a temporary disruption -- it's just that it gets resolved by itself).

[steilfirn_8000]

Hmm according to the wiki description I would expect a failover without any interrupt:

Together with CARP, we can use pfSync to replicate our firewalls state. When failing over you need to make sure both machines know about all connections to make the migration seamless. It’s highly advisable to use a dedicated interface for pfSync packets between the hosts, both for security reasons (state injection) as for performance.

https://docs.opnsense.org/manual/how-tos/carp.html#terminology

[mimugmail]

Hello everyone,

I am using two OPNsense firewalls as HA.
So far everything works as expected but I am having difficulties when it comes to streaming media (e.g. audio streams, VoIP session).

If I do a failover the connections get interrupted.
Is this a known behaviour?

Did you set manual outbound Nat rule to translate to carp address?

[steilfirn_8000]

Hello @mimugmail,

yes, outbound NAT is set to the shared CARP IP for WAN.

[mimugmail]

- Screenshot of outbound NAT
- Screenshot of Firewall : Virtual IPs : Status (both Firewalls)
- Check in Firewall : Diagnostics : State table if the running connection is on both Firewalls

I tested the failover with a customer 2-3 weeks ago, wasn't a problem.
We also did a telnet via port 25, typed EHLO .. switched to Firewall2 and the telnet session was still alive and able to send an email

[steilfirn_8000]

I think I found the issue:

I had the option enabled to scan all HTTP/S connections via ClamAV (transparanet mode).

If I set the 1st firefwall to maintenance mode the 2nd firewall ClamAV was not aware of the connections and interrupted.

[mimugmail]

Dont forget that transparent mode just redirect to itself so outgoing connections will be initiated via local IP and not CARP IP!

[steilfirn_8000]

So is transparent proxy with ClamAV still a HA feature or should that be disabled?

[mimugmail]

It will work with HA, but you will loose all connections on failover and they have to reestablish again.

[steilfirn_8000]

Thanks for clarification - I will leave the transparent proxy disabled.