Bug #10741
closed
Fails with CARP VIP Status - SQUID
Description
In tests with the CARP protocol, with the Squid CARP VIP Status option activated, the CARP-type IP is not assumed by the secondary pfsense.
CARP VIP Status: "Used to determine the HA MASTER/BACKUP status. Squid will be stopped when the chosen VIP is in BACKUP status, and started in MASTER status."
Real tests simulating unavailability of the primary pfsense:
Example: 192.168.0.30 --> CARP IP
pfsense 1:
[2.4.5-RELEASE][root@pf1.local]/root: sockstat -4l | grep 3128
squid squid 14930 36 tcp4 192.168.0.31:3128 *:*
squid squid 14930 37 tcp4 127.0.0.1:3128 *:*
squid squid 14930 38 tcp4 192.168.0.30:3128 *:*
cat /usr/local/etc/squid/squid.conf | grep 3128
/usr/local/etc/squid/squid.conf
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
http_port 192.168.0.30:3128
pfsense 2:
[2.4.5-RELEASE][root@pf2.alfaws1.com.br]/root: sockstat -4l | grep 3128
squid squid 44189 49 tcp4 192.168.0.32:3128 *:*
squid squid 44189 50 tcp4 127.0.0.1:3128 *:*
/usr/local/etc/squid/squid.conf
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
The CARP IP of the LAN moves to the secondary pfsense temporarily, for a few seconds, and then the squid service used for browsing stops working, because it stops listening on the proxy port for the CARP IP on pfsense 2.
[2.4.5-RELEASE][root@pf2.local]/root: sockstat -4l | grep 3128
squid squid 59281 53 tcp4 192.168.0.32:3128 *:*
squid squid 59281 54 tcp4 127.0.0.1:3128 *:*
squid squid 59281 55 tcp4 192.168.0.30:3128 *:*
[2.4.5-RELEASE][root@pf2.local]/root: sockstat -4l | grep 3128
squid squid 59281 66 tcp4 192.168.0.32:3128 *:*
squid squid 59281 67 tcp4 127.0.0.1:3128 *:*
Updated by Viktor Gurov almost 4 years ago
squid pkg 0.4.44_28 on 2.4.5-p1 (clean install) - no such issue, HA works as expected.
It seems something is incorrect in your configuration.
Have you configured Package / Proxy Server: XMLRPC Sync / Sync and local cache on the secondary?
Please provide more details about your issue.
Updated by Thiago Orico almost 4 years ago
Viktor Gurov wrote:
squid pkg 0.4.44_28 on 2.4.5-p1 (clean install) - no such issue, HA works as expected.
It seems something is incorrect in your configuration.
Have you configured Package / Proxy Server: XMLRPC Sync / Sync and local cache on the secondary?
Please provide more details about your issue.
Yes, the squid rules sync is working.
XMLRPC Sync is enabled, replication working.
Local cache on the secondary does the synchronization too, right?
XMLRPC Sync is enabled, the primary and secondary pfsense settings are identical.
Details:
When the primary pfsense is in master status, squid works normally.
When the primary pfsense is backed up, squid does not work on the secondary pfsense.
Behavior:
LAN CARP IP (IP configured on the browsers proxy) stops working.
LAN CARP virtual IP migrates to the secondary pfsense, but the squid service stops running on the LAN CARP IP port 3128.
I will review configurations, but according to current tests the failure persists.
Updated by Thiago Orico almost 4 years ago
Symptoms persist.
Details:
Inside the squid package, the advanced rule of port 3128 of the proxy does not automatically rise to IP type CARP.
Only for real IP of the network interface, but not for IP CARP.
Squid.conf IPs
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
Does not load 192.168.0.30:3128 - IP CARP
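The manual check used in this ticket (squid.conf http_port lines compared against sockstat -4l output), as an added shell example that is not part of the original ticket or of the pfSense Squid package. The function names are hypothetical, and the sample input reuses the addresses from the ticket's pf1 and pf2 listings.

```shell
#!/bin/sh
# Added example, not code from the ticket or the pfSense Squid package.

# conf_ports FILE: print ADDR:PORT from each http_port line of a squid.conf.
conf_ports() {
    awk '$1 == "http_port" && $2 ~ /:/ { print $2 }' "$1"
}

# listen_ports FILE: print the local ADDR:PORT of squid's TCP listeners from
# saved `sockstat -4l` output (USER COMMAND PID FD PROTO LOCAL FOREIGN).
listen_ports() {
    awk '$2 == "squid" && $5 == "tcp4" { print $6 }' "$1"
}

# check_vip ADDR:PORT CONF SOCKSTAT: print ok, not-configured, or
# configured-not-listening for the given address.
check_vip() {
    if ! conf_ports "$2" | grep -Fxq "$1"; then
        echo "not-configured"
    elif ! listen_ports "$3" | grep -Fxq "$1"; then
        echo "configured-not-listening"
    else
        echo "ok"
    fi
}

# Sample input: values from the ticket's pf1 and pf2 listings.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pf1.conf" <<'EOF'
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
http_port 192.168.0.30:3128
EOF
cat > "$tmp/pf1.sock" <<'EOF'
squid squid 14930 36 tcp4 192.168.0.31:3128 *:*
squid squid 14930 37 tcp4 127.0.0.1:3128 *:*
squid squid 14930 38 tcp4 192.168.0.30:3128 *:*
EOF
cat > "$tmp/pf2.conf" <<'EOF'
http_port 192.168.0.31:3128
http_port 127.0.0.1:3128
EOF
cat > "$tmp/pf2.sock" <<'EOF'
squid squid 44189 49 tcp4 192.168.0.32:3128 *:*
squid squid 44189 50 tcp4 127.0.0.1:3128 *:*
EOF

echo "pf1: $(check_vip 192.168.0.30:3128 "$tmp/pf1.conf" "$tmp/pf1.sock")"
echo "pf2: $(check_vip 192.168.0.30:3128 "$tmp/pf2.conf" "$tmp/pf2.sock")"
```

On a live node the two input files would be the real /usr/local/etc/squid/squid.conf and the saved output of sockstat -4l.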
Updated by Thiago Orico almost 4 years ago
Adjusted the setting and it looks like it worked.
We will monitor new tests.
Updated by Thiago Orico almost 4 years ago
Thiago Orico wrote:
Adjusted the setting and it looks like it worked.
We will monitor new tests.
Case solved.
New tests and validations ok!
Sorry for the inconvenience!