HA Configuration not syncing to backup server

Started by cdsane, July 30, 2024, 08:41:44 PM

I have configured my OPNsense HA on two servers, master and backup. Both firewalls indicate master and backup as they are supposed to, but the issue is that when I try to perform a sync to the backup firewall I get an error message saying the backup firewall is not configured, but I have configured it. What could be the possible cause of this error? Also, the master firewall existed before I added the backup firewall, but the CARP configuration was configured the same day.

Do you have a dedicated sync interface? What are the firewall rules on that one? Did you change the "listen interfaces" for the UI? The primary needs to log in to the UI/API of the standby ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, the interface for the sync I have named pfsync, with IP 10.0.0.1 for master and 10.0.0.2 for backup.
The rule I have for pfsync on the master is the PASS rule passing all traffic out.
By "listen interface" do you mean the Virtual IPs?

"The primary needs to log in to the UI/API of the standby ..."
I don't get this last part; can you break down the question for me, please?

The UI must listen on the HA interface. And the HA interface should have an "allow * * in" rule.

For the UI: System > Settings > Administration > Listen interfaces. Leave at "All (recommended)".

How do you think the primary syncs the config to the secondary? It literally logs in as root via HTTP ...

1. "The UI must listen on the HA interface. And the HA interface should have an 'allow * * in' rule." : Yes, that is what I have.

2. "For the UI: System > Settings > Administration > Listen interfaces. Leave at 'All (recommended)'." : I have the same in my system.

3. "How do you think the primary syncs the config to the secondary? It literally logs in as root via HTTP." I don't understand this. : Yes, that is what I have done.

So ...

- The UI is listening on the HA interface on the standby? Check with `netstat -na|grep LISTEN`
- The standby has got an "allow all" rule on the HA interface?
- On the primary you entered 10.0.0.2, root, and the root password of the standby in System > High Availability > Settings?

Then it should work. If it doesn't:

- Can you ping the standby from the primary on the HA interface?
- Run tcpdump on the standby, HA interface, UI port, to watch if the primary tries to connect at all ...
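An added example, not code from the thread or from OPNsense, that turns the first check above (is the standby's UI actually listening on the HA interface?) into something you can run on the standby. It assumes the HA address 10.0.0.2 and UI port 443 from this thread; the netstat lines in the script are constructed samples, not output from the poster's firewalls.

```sh
#!/bin/sh
# Check whether the web UI on the standby listens on the HA (pfsync) address,
# i.e. what `netstat -na | grep LISTEN` is meant to show. If it does not, the
# primary's XMLRPC login will fail even if the HA settings are correct.
# Assumed values: HA address 10.0.0.2, UI port 443 (not taken from OPNsense code).

# ui_listens_on NETSTAT_OUTPUT HA_IP UI_PORT
# Returns 0 if a TCP LISTEN socket on UI_PORT is bound to the wildcard address
# (Listen interfaces = "All") or to HA_IP itself; returns 1 otherwise.
ui_listens_on() {
    _out=$1; _ip=$2; _port=$3
    printf '%s\n' "$_out" | awk -v ip="$_ip" -v port="$_port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # FreeBSD prints "addr.port", e.g. "*.443" or "10.0.0.2.443";
            # take the last dot-separated field as the port.
            n = split($4, a, ".")
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "*" || addr == ip)) { found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# check_live HA_IP UI_PORT: run this on the standby itself.
check_live() {
    if ui_listens_on "$(netstat -na)" "$1" "$2"; then
        echo "UI is listening on $1:$2 (or on all addresses)"
    else
        echo "UI is NOT reachable on $1:$2 - check Listen interfaces"
        return 1
    fi
}

# Constructed sample: UI bound only to the LAN address, so the primary cannot
# log in over the HA interface.
SAMPLE_WRONG='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.2.443        *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN'

# Constructed sample: UI bound to the wildcard address, which is what
# Listen interfaces = "All (recommended)" produces.
SAMPLE_OK='tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN'
```

On the standby, `check_live 10.0.0.2 443` reports the live state; the two samples show the failing and the correct case for `ui_listens_on`.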

Yes, I am able to ping,
and I can also see logs when I run the tcpdump command on my backup OPNsense firewall's shell.
I get:
94 packets captured
96 packets received by filter
0 packets dropped by kernel

Please post screenshots of

- the HA interface configuration of both firewalls
- the HA settings on the primary

Black interfaces: Primary
White interfaces: backup

Same as above:
dark interface: Primary
white: backup

Same as above:
dark interface: Primary
white: backup

NAT and virtual IPs are not relevant at the moment.

pfsync interface settings of the standby are missing.

HA settings (not status!) of the primary are missing. System > High Availability > Settings


Leave "synchroinze peer IP" at 224.0.0.240 - no need to change that. Rest looks good assuming the root password is correct for the standby.

Can you show the firewall rules on the pfsync interface of the standby, please?

I have attached the rule for pfsync for the backup.