HA Sync Issue in Production Environment

[pthapa084]

Greetings OpenSense Community,

I hope this message finds everyone in good health and spirits.

I'm reaching out regarding a perplexing issue that has arisen in our production environment, and I'm hopeful that the collective wisdom of this forum can offer some guidance.

Here's a concise overview of the situation:

I'm managing two identical physical servers.
High Availability (HA) is configured with dedicated interfaces, as well as WAN and LAN laggs.
Multiple VLANs are established within the LAN laggs.
All interfaces are configured uniformly across both servers.
Initially, HA was functioning as expected shortly after implementation.
However, issues arose when attempting to add new rules on the master node. Despite attempts to sync these rules to the secondary node, the HA status remains stuck, displaying the message: "The backup firewall is not accessible or not configured."
The HA port, established for peer-to-peer communication between the two firewalls, is operational, with successful pinging between them.
Curiously, while the WAN interface on the primary node shows as online, the WAN bond on the secondary node appears offline.
Manually initiating failover by temporarily disabling CARP results in the secondary node taking over as master, which functions correctly.
However, when the master node is brought back online, it automatically reassumes its role as master, with the secondary node reverting to backup status.
Newly added rules on the primary node do not function until identical rules are manually added to the secondary node.
Similarly, modifications to existing rules on the primary node do not take effect until mirrored on the secondary node.
Attempts to manually trigger sync via the HA status page result in the page becoming unresponsive.
I'm reaching out to this community for assistance in resolving this critical issue, as its continuation jeopardizes the success of our project.
I'm prepared to provide any additional details or logs necessary to facilitate troubleshooting and resolution.

Thank you in advance for any guidance or support you can offer.

[Patrick M. Hausen]

Is the UI "interfaces" setting changed from "All (recommended)" in any way? Config sync needs the UI active on the HA interface.

[pthapa084]

hello patrick sir thank you for the response but i am unable to catch your question where should i look for ui interface??

[Patrick M. Hausen]

System > Settings > Administration > Listen Interfaces

Leave that at "All (recommended)". There is a reason for the "recommended" part.

If that is already the case make sure there is a "allow * * * *" rule on the HA interface on both nodes.

[pthapa084]

got it sir there is only one interface allow which is mgmt should i enable ha sync interface only or all if i enable all interface then all interface network can access the opensense mgmt console right

[Patrick M. Hausen]

Leave it at "All (recommended)". Firewall rules will ensure that is only accessible where explicitly allowed. Misusing the listen configuration for security policy leads to all sorts of problems like no HA sync, UI not accessible when the management interface goes down and up again, ... like when you reboot your switch for a firmware update.

Etc.

[pthapa084]

Thank you so much really appreciate your answer Patrick Sir, my issue has been resolved, i did not allow all but only mgmt and ha sync interface in listen interface and it works as expected. Thank you again !!!!