Bug #15664
IPsec VTI firewall rules not syncing in HA setup (closed)
Description
Seems to be a failure in the way the syncing is done with pfSense in High Availability.
Two systems in HA.
On Master, I can create an IPsec tunnel with phase 2 VTI settings. Static routes are created on the Master. Firewall rules are created under the newly assigned VTI interface.
All changes are synced to Backup except interface creation, which is expected. The IPsecX interface is assigned with the same name as it is on the secondary.
Firewall rules are not synced across.
Testing failover, the failover works as expected as the Backup does bring up the IPsec tunnel, but because there are no rules under the IPsecX interface no traffic is able to cross.
You can't assign the VTI interface for CARP.
This seems like a limitation in how IPsec VTI tunnels are done within pfSense.
Updated by Jim Pingle over 1 year ago
- Status changed from New to Not a Bug
This is a config issue, not a bug.
If the rules appear not to sync, then the interfaces must not be assigned in an identical order on both systems (their internal names don't match).
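A quick way to check the condition Jim describes before relying on failover is to compare the interface assignment tables of the two nodes. Synced firewall rules refer to interfaces by their internal key (`opt1`, `opt2`, ...), so if the backup assigned its interfaces in a different order, a rule written for the VTI on the primary lands on whatever the backup calls `opt1`. The script below is an added example, not pfSense's own code or anything from this ticket; it assumes the `config.xml` layout where `<interfaces>` holds one child per logical interface with `<if>` and `<descr>` elements and each `<filter>/<rule>` names its interface by that logical key. The two config fragments are constructed for the example, with the backup's `opt1`/`opt2` deliberately swapped.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragments for the two HA nodes (not real exports). They
# assume pfSense's layout: <interfaces> holds one child per logical interface
# (wan, lan, opt1, ...) with <if> (internal device name) and <descr> (friendly
# name), and each firewall rule in <filter> names its interface by that key.
PRIMARY_CFG = """<pfsense>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr></wan>
    <lan><if>vtnet1</if><descr>LAN</descr></lan>
    <opt1><if>ipsec1000</if><descr>VTI_SITEB</descr></opt1>
    <opt2><if>vtnet2</if><descr>DMZ</descr></opt2>
  </interfaces>
  <filter>
    <rule><interface>opt1</interface><descr>Allow site B over VTI</descr></rule>
    <rule><interface>opt2</interface><descr>DMZ to internet</descr></rule>
  </filter>
</pfsense>"""

# On the backup the DMZ was assigned before the VTI, so the opt keys are swapped.
SECONDARY_CFG = """<pfsense>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr></wan>
    <lan><if>vtnet1</if><descr>LAN</descr></lan>
    <opt1><if>vtnet2</if><descr>DMZ</descr></opt1>
    <opt2><if>ipsec1000</if><descr>VTI_SITEB</descr></opt2>
  </interfaces>
</pfsense>"""


def interface_map(xml_text):
    """Map each logical interface key (wan, lan, opt1, ...) to (device, description)."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for node in root.find("interfaces"):
        mapping[node.tag] = (node.findtext("if", ""), node.findtext("descr", ""))
    return mapping


def find_mismatches(primary_xml, secondary_xml):
    """Return [(key, primary_entry, secondary_entry)] for every logical key whose
    device or description differs between the nodes (None when a key is absent)."""
    primary = interface_map(primary_xml)
    secondary = interface_map(secondary_xml)
    mismatches = []
    for key in sorted(set(primary) | set(secondary)):
        if primary.get(key) != secondary.get(key):
            mismatches.append((key, primary.get(key), secondary.get(key)))
    return mismatches


def misplaced_rules(primary_xml, secondary_xml):
    """For each primary rule, report where it lands after config sync: the rule
    keeps its logical key, so on the backup it attaches to whatever that key means
    there. Returns [(rule_descr, key, primary_descr, secondary_descr)] for rules
    whose interface description differs between the nodes."""
    primary = interface_map(primary_xml)
    secondary = interface_map(secondary_xml)
    root = ET.fromstring(primary_xml)
    out = []
    for rule in root.iterfind("filter/rule"):
        key = rule.findtext("interface", "")
        p_descr = primary.get(key, ("", "<unassigned>"))[1]
        s_descr = secondary.get(key, ("", "<unassigned>"))[1]
        if p_descr != s_descr:
            out.append((rule.findtext("descr", ""), key, p_descr, s_descr))
    return out


if __name__ == "__main__":
    for key, p, s in find_mismatches(PRIMARY_CFG, SECONDARY_CFG):
        print(f"{key}: primary={p} secondary={s}")
    for descr, key, p, s in misplaced_rules(PRIMARY_CFG, SECONDARY_CFG):
        print(f"rule '{descr}' on {key}: '{p}' on primary but '{s}' on backup")
```

Run it against exported configs from both nodes; an empty result from both functions means the assignment order matches and synced rules will attach to the same interfaces on the backup. A non-empty result shows exactly which logical keys diverged and which rules would end up on the wrong interface after failover, which is the symptom reported in this ticket.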