Strange, other than the sticky address (which should be more a
nuisance than anything) not getting set on the secondary, I'm not
seeing anything obvious that would prevent the connection from
working.

The only other thing I can think to look at is whether the rulesets
(/tmp/rules.debug) are the same between the two machines (with
exception to a few subtle differences they should be).

You can try tcpdump'ing on the secondary and making sure the tcp
traffic is making it to the external interface.  If it is, check the
inside and see what's actually getting passed through.  Lastly, double
check the firewall logs, you might be seeing blocks for some reason.

FWIW, I have similar setups working just fine (minus pfsense as the
frontend), so this is likely a pfsense bug or a config issue of some
sort.

--Bill

On 10/10/07, Lee Hetherington <[EMAIL PROTECTED]> wrote:
> Hi Bill,
>
> All is carp, when the primary is off, I can ping the address still.
>
> Primary:
>
> # pfctl -sn -aslb
> rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
> 10.5.49.2 } port 25 round-robin sticky-address
> rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
> 10.5.49.2 } port 80 round-robin sticky-address
>
> Secondary:
>
> # pfctl -sn -aslb
> rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
> 10.5.49.2 } port 25 round-robin
> rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
> 10.5.49.2 } port 80 round-robin
>
> Thanks,
>
> Lee
>
> Bill Marquette wrote:
> > Hmm, what does the output of "pfctl -sn -aslb" look like on both
> > boxes?  The other obvious question is, are the virtual addresses that
> > front end your load balance pool CARP addresses?  If they aren't, then
> > the secondary won't take them over on failover regardless of the load
> > balance config.
> >
> > --Bill
> >
> > On 10/10/07, Lee Hetherington <[EMAIL PROTECTED]> wrote:
> >
> >> Hi Bill,
> >>
> >> The config was sync'd ok, I can see it on both boxes.  Below is a ps -ax
> >> from the secondary machine:
> >>
> >> # ps -ax |grep slb
> >> 60083  ??  Ss     0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
> >> 65097  p0  RV     0:00.00 grep slb (tcsh)
> >>
> >> Looks to me like it's running?  I tried editing the config and saving it
> >> like you suggest, and the ps -ax was then:
> >>
> >> # ps -ax | grep slb
> >> 65407  ??  Ss     0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
> >>
> >> Still nothing however when I reboot the primary...
> >>
> >> Lee
> >>
> >> Bill Marquette wrote:
> >>
> >>> Can you confirm that the load balancer config sync'd over to the
> >>> secondary?  Also, assuming it did, can you do a 'ps -ax |grep slb'
> >>> from the shell?  I suspect it never started slbd after sync (as an
> >>> interim workaround, you could try going to the load balancer page on
> >>> the secondary and editing/saving the config).
> >>>
> >>> --Bill
> >>>
> >>> On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >>>
> >>>
> >>>> Hi Bill,
> >>>>
> >>>> Sorry, inbound...  we have 2x Web Servers behind the PFsense boxes so we 
> >>>> are load balancing 443 and 80 TCP
> >>>>
> >>>> Lee
> >>>>
> >>>> On Tue, 9 Oct 2007 08:47:27 -0500, "Bill Marquette" <[EMAIL PROTECTED]> 
> >>>> wrote:
> >>>>
> >>>>
> >>>>> Inbound or outbound load balancing?
> >>>>>
> >>>>> --Bill
> >>>>>
> >>>>> On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >>>>>
> >>>>>
> >>>>>> Hi There,
> >>>>>>
> >>>>>> I'm using 1.2 RC2 on Intel boxes.  I have the load balancer set up and
> >>>>>> working, the two machines are syncing settings and the carp is working
> >>>>>> properly.  However, if I reboot the primary firewall the secondary takes
> >>>>>> over pings, but the load balancing doesn't work again until the primary
> >>>>>> is back online.
> >>>>>>
> >>>>>> Everything seems to be ok, when the primary disappears, the ping drops
> >>>>>> 1 packet, then the secondary carries on and everything runs ok.  The
> >>>>>> servers on the lan interface of the firewall can route out to the
> >>>>>> internet fine whilst running with only the secondary firewall. The only
> >>>>>> thing not to work is the load balancer.
> >>>>>>
> >>>>>> Anyone have any ideas?
> >>>>>>
> >>>>>> I have it wired as:
> >>>>>>
> >>>>>> INTERNET -->  PIX 515 PAIR --> 2X CISCO 3550-EMI --> PFSENSE PAIR -->
> >>>>>> 2X CISCO 3550-EMI --> LAN
> >>>>>>
> >>>>>> Each of the pix/pfsense are connected to separate switches, which are
> >>>>>> in turn linked together.
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>>
> >>>>>> Lee
> >>>>>>
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
> >>>>> --
> >>>>> Message scanned for all known viruses by Mailsauce. Email protection
> >>>>> solutions from E-Sauce. For more information please visit
> >>>>> http://www.mailsauce.com
>
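
An added example, not part of the thread and not pfSense code: one way to do the ruleset comparison suggested at the top of this message, applied to the `pfctl -sn -aslb` listings quoted above. It assumes each firewall's output has been saved to a file; the function names and file names are made up for illustration.

```shell
#!/bin/sh
# Added example: compare NAT/rdr rules saved from both members of a CARP pair.
# Each input file holds the output of "pfctl -sn -aslb" from one firewall.

# Print one rule per line: join wrapped continuation lines, squeeze blanks.
normalize_rules() {
    awk '
        function flush() {
            if (rule == "") return
            gsub(/[ \t]+/, " ", rule); sub(/ $/, "", rule); print rule
        }
        /^(no )?(rdr|nat|binat) / { flush(); rule = $0; next }
        NF { rule = rule " " $0 }
        END { flush() }
    ' "$1"
}

# Report rules that are missing on one side or whose target/options differ.
# Returns 0 when the two rule sets match, 1 when they do not.
compare_rules() {
    p=$(mktemp "${TMPDIR:-/tmp}/rdr.XXXXXX") && s=$(mktemp "${TMPDIR:-/tmp}/rdr.XXXXXX") || return 2
    normalize_rules "$1" > "$p"; normalize_rules "$2" > "$s"
    rc=0
    awk -F ' -> ' '
        FILENAME == ARGV[1] { pri[$1] = $2; next }
        { seen[$1] = 1 }
        !($1 in pri)  { print "secondary only: " $0; n++; next }
        pri[$1] != $2 { print "differs: " $1; n++
                        print "  primary:   " pri[$1]
                        print "  secondary: " $2 }
        END { for (k in pri) if (!(k in seen)) { print "primary only: " k " -> " pri[k]; n++ }
              exit (n > 0) }
    ' "$p" "$s" || rc=$?
    rm -f "$p" "$s"
    return "$rc"
}

# Constructed sample input, based on the two listings quoted in this thread.
d=$(mktemp -d "${TMPDIR:-/tmp}/rdrdemo.XXXXXX")
cat > "$d/primary" <<'EOF'
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin sticky-address
EOF
cat > "$d/secondary" <<'EOF'
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin
EOF
compare_rules "$d/primary" "$d/secondary" || true
```

On the sample input this reports the smtp rule as differing only in the missing `sticky-address` option on the secondary, which matches what was observed above.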
