Help !!! Packet lost and drop when HA enabled

Started by stchesmeli, July 03, 2025, 02:52:29 PM

Hi all,
we use OPNsense in our cloud IaaS provider (a Xen-based solution, Vates).

So we set up two instances with their own IPs in each VLAN, adding VIPs in carp mode with different group IDs.
We synchronize states and xmlrpc config via a SYNC VLAN.

Everything seemed to work fine during our tests, but as soon as we opened up the system to customers with a heavier load, we noticed a lot of timeouts and lost connections.
This only happens when both firewalls are on. As soon as we switch off the 2nd firewall everything works perfectly. I think there's a problem with the states.
Configuration level:
- each interface where there is a VIP CARP has a firewall rule to authorize CARP from any source/destination
- SYNC interface authorizes any IPv4 source and destination on the SYNC network
- SYNC's interface also authorizes CARP from any source/destination
- We synchronize "Aliases, DHCPD, Firewall Rules, NAT, static routes, Unbound DNS, VIP, Wireguard".
- some NAT/FW rules have the option of not synchronizing their conf via xmlrpc because they are "local" to the firewall