Bug #10741

Fails with CARP VIP Status - SQUID

Added by Thiago Orico 25 days ago. Updated 20 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Squid
Target version: -
Start date: 07/08/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.5-p1
Affected Architecture: amd64

Description

Tests with CARP protocol, using CARP VIP option Squid status activated, the CARP IP type does not assume in the secondary pfsense.

CARP VIP Status: "Used to determine the HA MASTER/BACKUP status. Squid will be stopped when the chosen VIP is in BACKUP status, and started in MASTER status."

Real tests simulating unavailability of the primary pfsense:

Example: 192.168.0.30 --> CARP IP
pfsense 1:
[2.4.5-RELEASE][]/root: sockstat -4l | grep 3128
squid squid 14930 36 tcp4 192.168.0.31:3128 *:*
squid squid 14930 37 tcp4 127.0.0.1:3128 *:*
squid squid 14930 38 tcp4 192.168.0.30:3128 *:*

cat /usr/local/etc/squid/squid.conf | grep 3128

/usr/local/etc/squid/squid.conf
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
http_port 192.168.0.30:3128

pfsense 2:
[2.4.5-RELEASE][]/root: sockstat -4l | grep 3128
squid squid 44189 49 tcp4 192.168.0.32:3128 *:*
squid squid 44189 50 tcp4 127.0.0.1:3128 *:*

/usr/local/etc/squid/squid.conf
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128

The CARP IP of the LAN changes temporarily in the secondary pfsense in a few seconds, then the squid service for navigation stops working.

Because it stops listening on the proxy port for IP CARP in pfsense 2.

[2.4.5-RELEASE][]/root: sockstat -4l | grep 3128
squid squid 59281 53 tcp4 192.168.0.32:3128 *:*
squid squid 59281 54 tcp4 127.0.0.1:3128 *:*
squid squid 59281 55 tcp4 192.168.0.30:3128 *:*
[2.4.5-RELEASE][]/root: sockstat -4l | grep 3128
squid squid 59281 66 tcp4 192.168.0.32:3128 *:*
squid squid 59281 67 tcp4 127.0.0.1:3128 *:*
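
Added example (not part of the original report or of the pfSense Squid package): an sh check that compares the http_port addresses in squid.conf with the sockets shown by sockstat -4l, and reports whether the CARP VIP is missing from the configuration or configured but not bound. The function names, status strings and sample data are constructed for illustration; addresses follow the report (VIP 192.168.0.30, secondary 192.168.0.32).

```shell
#!/bin/sh
# Constructed sample data: secondary node after failover, VIP absent.
SAMPLE_CONF='http_port 192.168.0.32:3128
http_port 127.0.0.1:3128'
SAMPLE_SOCKSTAT='squid squid 59281 66 tcp4 192.168.0.32:3128 *:*
squid squid 59281 67 tcp4 127.0.0.1:3128 *:*'

# Print the addr:port of every http_port directive in squid.conf text.
# Options after the address (e.g. "intercept") are ignored.
configured_ports() {
    printf '%s\n' "$1" | awk '$1 == "http_port" { print $2 }'
}

# Print the local addr:port of every IPv4 TCP socket held by squid.
# sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
listening_ports() {
    printf '%s\n' "$1" | awk '$2 == "squid" && $5 == "tcp4" { print $6 }'
}

# check_vip VIP:PORT CONF_TEXT SOCKSTAT_TEXT
# Returns 0 if the VIP is configured and bound,
#         1 if it is missing from squid.conf,
#         2 if it is configured but squid holds no socket on it.
# Limitation: a bare "http_port 3128" (wildcard bind) is not matched.
check_vip() {
    vip=$1
    if ! configured_ports "$2" | grep -Fxq "$vip"; then
        echo "MISSING-IN-CONFIG $vip"
        return 1
    fi
    if ! listening_ports "$3" | grep -Fxq "$vip"; then
        echo "NOT-LISTENING $vip"
        return 2
    fi
    echo "OK $vip"
    return 0
}

# Demonstration on the constructed data above.
check_vip "192.168.0.30:3128" "$SAMPLE_CONF" "$SAMPLE_SOCKSTAT" \
    || echo "check failed with status $?"
```

On a live node the same function can be fed the real inputs, for example `check_vip 192.168.0.30:3128 "$(cat /usr/local/etc/squid/squid.conf)" "$(sockstat -4l)"`. Status 2 is expected on a node whose VIP is in BACKUP status, since the package stops Squid there.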

History

#1 Updated by Viktor Gurov 25 days ago

squid pkg 0.4.44_28 on 2.4.5-p1 (clean install) - no such issue, HA works as expected.
It seems something is incorrect in your configuration.
Have you configured Package / Proxy Server: XMLRPC Sync / Sync and local cache on the secondary?

Please provide more details about your issue

#2 Updated by Thiago Orico 25 days ago

Viktor Gurov wrote:

squid pkg 0.4.44_28 on 2.4.5-p1 (clean install) - no such issue, HA works as expected.
It seems something is incorrect in your configuration.
Have you configured Package / Proxy Server: XMLRPC Sync / Sync and local cache on the secondary?

Please provide more details about your issue

Yes, the squid rules sync is working.

XMLRPC Sync is enabled, replication working.

Local cache on the secondary does the synchronization too, right?
XMLRPC Sync is enabled, the primary and secondary pfsense settings are identical.

Details:

When primary pfsense is in master status, squid works normal.

When primary pfsense is backed up, squid does not work on secondary pfsense.

Behavior:
LAN CARP IP (IP configured on the browsers proxy) stops working.

LAN CARP virtual IP migrates to secondary pfsense, but the squid service stops running on the LAN carp IP port 3128.

I will review configurations, but according to current tests the failure persists.

#3 Updated by Thiago Orico 21 days ago

Symptoms persist.

Details:

Inside the squid packet, the advanced rule of port 3128 of the proxy does not automatically rise to IP type CARP.

Only for real IP of the network interface, but not for IP CARP.

Squid.conf IPs
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128

Does not load 192.168.0.30:3128 - IP CARP

#4 Updated by Thiago Orico 21 days ago

Adjusted the setting and it looks like it worked.

We will monitor new tests.

#5 Updated by Thiago Orico 20 days ago

Thiago Orico wrote:

Adjusted the setting and it looks like it worked.

We will monitor new tests.

Case solved.

New tests and validations ok!

Sorry for the inconvenience!

#6 Updated by Viktor Gurov 20 days ago

  • Status changed from New to Closed
