Bug #8100
open
pfsync deletes states on primary for connections established through secondary
Added by Chris Linstruth almost 8 years ago.
Updated about 2 months ago.
Description
Steps to duplicate:
1. Create a typical HA pair.
2. Enter Persistent CARP Maintenance Mode on Primary to initiate a failover.
3. Establish a new TCP session. This was tested here with a long scp transfer to an outside server from an inside host.
4. Observe states created on both nodes with traffic going through Secondary.
5. Leave Persistent CARP Maintenance Mode on Primary, initiating fail back.
6. Observe that states are deleted from Primary but still exist on Secondary. Traffic in the TCP session stalls.
7. Enter Persistent CARP Maintenance Mode on Primary to initiate a failover. Wait for the TCP session to start passing traffic again.
8. Observe states recreated on Primary.
9. Fail back and fail over again at will. States will now persist until closed.
Condition does not exist if states are initially established while Primary is the CARP MASTER.
Tested with latest 2.4.2 snapshots.
Files
Attached complete pcaps of sync interfaces.
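One way to confirm the "states deleted from Primary but still exist on Secondary" symptom from the command line, as an added example that is not part of the original ticket: it diffs two saved `pfctl -ss` dumps, one per node, and lists the states Secondary holds that Primary lacks. The dump text, addresses and interface names are constructed, and the line layout is assumed to match the output of your pf version.

```python
import re

# One line of `pfctl -ss` output (layout assumed), for example:
#   igb0 tcp 198.51.100.2:40112 (192.168.1.10:51234) -> 203.0.113.5:22   ESTABLISHED:ESTABLISHED
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<left_nat>[^)\s]+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<right>\S+)(?:\s+\((?P<right_nat>[^)\s]+)\))?"
    r"\s+(?P<state>\S+)$"
)

def parse_states(text):
    """Map each connection key to its state string; unparseable lines are skipped."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            # Interface name is left out of the key; absent NAT fields become "".
            key = (m["proto"], m["left"], m["left_nat"] or "", m["dir"],
                   m["right"], m["right_nat"] or "")
            states[key] = m["state"]
    return states

def missing_on_primary(primary_text, secondary_text, proto="tcp"):
    """Return sorted keys of states present on Secondary but absent on Primary."""
    primary = parse_states(primary_text)
    secondary = parse_states(secondary_text)
    return sorted(k for k in secondary if k[0] == proto and k not in primary)

# Constructed dumps: the scp session (port 51234) was opened while Secondary was
# MASTER; the HTTPS session (port 49800) was opened while Primary was MASTER.
SECONDARY_DUMP = """\
igb1 tcp 203.0.113.5:22 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:40112 (192.168.1.10:51234) -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
igb1 tcp 203.0.113.9:443 <- 192.168.1.20:49800       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:23011 (192.168.1.20:49800) -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
"""
PRIMARY_DUMP = """\
igb1 tcp 203.0.113.9:443 <- 192.168.1.20:49800       ESTABLISHED:ESTABLISHED
igb0 tcp 198.51.100.2:23011 (192.168.1.20:49800) -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for key in missing_on_primary(PRIMARY_DUMP, SECONDARY_DUMP):
        print("missing on primary:", key)
```

Capture both dumps as close together in time as possible, since short-lived states that open or close between the two captures will show up as false differences.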
- Target version changed from 2.4.2 to 2.4.3
- Assignee set to Jim Pingle
- Assignee changed from Jim Pingle to Luiz Souza
- Target version changed from 2.4.3 to 2.4.4
- Target version changed from 2.4.4 to 48
- Target version changed from 48 to 2.5.0
Verified still occurs on 12.1-STABLE/2.5.0.
- Target version changed from 2.5.0 to CE-Next
- Subject changed from pfsync Initially Deletes States on Primary for Connections Established through Secondary to pfsync Deletes States on Primary for Connections Established through Secondary
This defect still exists in pfSense Plus 25.07. States created when the secondary is the MASTER node are removed from the primary's state table when failing back to the primary. This breaks the client's connections, requiring reestablishment by the client.
Current testing shows that, when failing back to the secondary and generating traffic through the states, the states are recreated on the primary, but when failing back to the primary the states vanish and traffic does not flow.
This only appears to be true for states created while the secondary is the MASTER node.
A simple SSH session into LAN and out WAN was used to test. It is persistent, should stay connected through failover and fail back, and is easy to test and identify in the state table.
- Subject changed from pfsync Deletes States on Primary for Connections Established through Secondary to pfsync deletes states on primary for connections established through secondary