-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HA Cluster: Failover does not force a reconnect of mobile clients to new master #3708
Comments
So I got a little bit further:
|
So the linux client reconnected not to the CARP IP on the new master, but to the now backup firewall on another internal facing interface (the interface facing the clients LAN). On that interface IPsec to the OPNsense is not even allowed per rules... I do firmly believe now that a restart of strongswan is necessary to make clients reconnect to the new master OPNsense. I do not want to disable MobIke since mobile clients tend to change the IP on their side... |
Reconnecting the backup won’t make any difference, since it can’t communicate using it’s address while in backup mode... |
Maybe I made myself not properly clear. Only after stopping the strongswan process I was able to let the client know that the connection is down. |
I created a devd rc.syshook.d script (as a copy from 50-frr).
And I found a bug in den devd carp.conf file: |
ah, your traffic is leaving from the wrong address, did you add an outbound nat rule to enforce usage of the correct outbound address? It might help to capture some packets and see if it really is accepting traffic on |
The problem is MobIke... This is the current list of IPs available to strongswan, which it communicates to the MobIke clients:
So the .11 and .41 IPs are the interface IPs and the .1 is the CARP IP. As soon as the CARP IP switches over to the HA partner the strongswan session uses the interface IP. And since the strongswan switches the connection from "behind" the firewall to the client I think there is no way to stop that except for taking down strongswan. |
I would try to match an outbound nat rule, although usually I expect that selecting the VIP on phase 1 should already do the trick in these cases. |
The CARP VIP is already the one used on phase 1. I have anyway still another problem with the HA failover/fallback. Maybe better to just have another support session. |
sure, there must be something we're overlooking, although I'm also not sure what it is yet. This week I'm not at the office by the way. |
Rainer, can you try what happens when in old master the daemon restarts (to force mobike clients switch), but have S2S VPNs with start immediate mode? |
Hi Michael, |
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
[/] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[/] I have searched the existing issues and I'm convinced that mine is new.
Describe the bug
In a master-backup HA setup:
If a failover is triggered using "Enter Persistent CARP Maintenance Mode" or "Temporarily Disable CARP" the CARP IP moves to the backup HA system, but the IPsec mobile clients still remain connected to the previous master. Though a reboot of the master HA system forces a reconnect.
See as well https://forum.opnsense.org/index.php?topic=14226
To Reproduce
Steps to reproduce the behavior:
Background:
https://wiki.strongswan.org/projects/strongswan/wiki/MobIke
https://tools.ietf.org/html/rfc4555
Expected behavior
Mobile IPsec VPN users should be disconnected from the old master and then reconnected to the new master HA system.
Additional context
Maybe create a script in /usr/local/etc/rc.syshook.d/carp named 10-ipsec that restarts strongswan as soon as OPNsense receives a "I became backup" event.
Environment
Software version used and hardware type if relevant.
OPNsense 19.7.4_1 (amd64, OpenSSL).
2x Lenovo ThinkServer SR630
ThinkSystem 10Gb 4-port SFP+ LOM (Intel X722 Integrated 10 GbE Controller)
ZFS
The text was updated successfully, but these errors were encountered: