Bug #11807
Status: closed
HA setup restarts all OpenVPN instances on the secondary after making any change on the primary
Description
This Plus project does not contemplate the issue reported in:
https://redmine.pfsense.org/issues/11082
We simply can't use HA in AWS instances as all of our traffic is in OpenVPN; restarting the services for any reason, even if there is no change to OpenVPN, is a killer.
Please fix this, it's been fixed in the main pfSense project.
Thanks.
Updated by Marcos M about 3 years ago
- Status changed from New to Rejected
This patch was applied to both pfSense Plus and CE. If you believe there is a regression or the issue is not fully fixed, please provide reproducible steps along with any relevant logs.
Updated by Edgar Escoboza about 3 years ago
- File CodeRevision.png added
- File PfSenseVersion.png added
Marcos Mendoza wrote:
This patch was applied to both pfSense Plus and CE. If you believe there is a regression or the issue is not fully fixed, please provide reproducible steps along with any relevant logs.
Hello Marcos,
Thanks for looking into this, I believe there is a regression in the code. In order to reproduce this, please follow these steps:
- Create a couple of instances in EC2 in AWS with the pfSense AMI "Netgate pfSense Plus Firewall/VPN/Router" (Master - Slave)
- In the Slave instance perform the following configurations:
  - Create a User Group in the Slave instance with the appropriate permissions for XMLRPC synchronization (System - HA node sync).
  - Create a User (xmlrpc_user) and assign it to the newly created User Group above.
  - Create an OpenVPN Server (VPN > OpenVPN > Servers): add one and configure as needed (beyond this scope).
  - Connect a client machine to this OpenVPN server.
- Back in the Master instance, go to System > High Availability Sync and configure as follows:
  - Synchronize states = Unchecked
  - Synchronize Interface = WAN Interface (or you could create a specific interface for this by attaching a secondary interface)
  - pfsync Synchronize Peer IP = Blank
  - Synchronize Config to IP = Slave's WAN Interface's IP Address
  - Remote System Username = xmlrpc_user
  - Remote System Password = xmlrpc_user's password
  - Synchronize admin = checked
  - Select options to sync = Select any of these, in my case I just selected Firewall rules
- Make any change to the firewall rule and hit Apply.
- Last but not least, make any firewall rule change in the Master instance and hit Apply.
- The Slave pfSense+ instance will reload the OpenVPN daemon.
At this point, we have disabled the XMLRPC synchronization to avoid affecting production; therefore, no logs are available that can help. But I believe I have something better for you, which are 2 screenshots:
- PfSenseVersion.png demonstrates that we are on the latest version of pfSense+.
- CodeRevision.png illustrates on the left the code in the pfSense CE repository, while on the right side it shows the xmlrpc.php file in our pfSense+ instance via shell access.
Things to notice: on the left the function starts with the comment "do not restart unchanged services on XMLRPC sync", while on the right side the function starts with "The DNS Resolver and the DNS Forwarder may both be .."
Please let me know if this helps or if additional information is required.
Thanks.
Updated by Viktor Gurov about 3 years ago
Edgar Escoboza wrote:
PfSenseVersion.png demonstrates that we are on the latest version of pfSense+.
CodeRevision.png illustrates on the left the code in the pfSense CE repository, while on the right side it shows the xmlrpc.php file in our pfSense+ instance via shell access.
This is currently fixed in pfSense 2.6.0-DEVEL
For 2.5.0/2.5.1/Plus you need to apply Patch ID 23fcdcccd369603f4af6a89a0ec0a81505173f40
See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
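Edgar verified the fix by comparing the opening comment of the xmlrpc.php function by eye, and Viktor points to the patch that carries it. The script below is an added example, not code from this thread or from pfSense, that turns that comparison into a check an operator can run on every HA node after an upgrade or after applying the patch. It assumes (not stated in the thread) that the file lives at /usr/local/www/xmlrpc.php and that the release string is the first line of /etc/version.

```shell
#!/bin/sh
# Added example (not from the bug thread or from pfSense): report whether a
# node's xmlrpc.php contains the "do not restart unchanged services on
# XMLRPC sync" marker that the fixed code starts with, plus the node's
# version string, so the state of both HA nodes can be compared after
# applying Patch ID 23fcdcccd369603f4af6a89a0ec0a81505173f40.
# Assumed paths (not given in the thread): /usr/local/www/xmlrpc.php
# and /etc/version.

FIX_MARKER='do not restart unchanged services on XMLRPC sync'

# xmlrpc_fix_status FILE
# Prints "fixed" (marker present, exit 0), "missing" (file readable but
# no marker, exit 1) or "unreadable" (exit 2).
xmlrpc_fix_status() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    if grep -qF "$FIX_MARKER" "$file"; then
        echo "fixed"
        return 0
    fi
    echo "missing"
    return 1
}

# pfsense_version [VERSION_FILE]
# Prints the first line of the version file (assumed /etc/version), or
# "unknown" when it cannot be read, e.g. when the script runs off-box.
pfsense_version() {
    vfile="${1:-/etc/version}"
    if [ -r "$vfile" ]; then
        head -n 1 "$vfile"
    else
        echo "unknown"
    fi
}

# Usage on a node: sh check_xmlrpc_fix.sh /usr/local/www/xmlrpc.php
# The report only runs when a path is given, so the functions can also
# be sourced from another script (for example one that loops over nodes).
if [ $# -gt 0 ]; then
    printf 'pfSense version: %s\n' "$(pfsense_version)"
    printf 'xmlrpc.php fix:  %s\n' "$(xmlrpc_fix_status "$1")"
fi
```

A "missing" result on the secondary while the primary reports "fixed" is the mismatch this thread describes, and the exit codes let a monitoring job alert on it.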