Server Failover Issue

Business solution to host your own OpenVPN server with web management interface and bundled clients.
darkpeppy
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 16, 2023 4:34 pm

Server Failover Issue

Post by darkpeppy » Mon Jan 16, 2023 5:51 pm

Hi everyone, I'm at a loss here.

I deployed the 2-server primary/secondary setup, and I can connect just fine when the primary is up. But when I shut the primary down, I never get a connection.

When the secondary is the only one online, I get no connectivity.

This is again with LAN/UCARP-based failover. When I validate that configuration, I get good x 4:

Connectivity GOOD: Connectivity test between primary and secondary nodes succeeded.
LAN Model GOOD: Shared virtual IP address is directly accessible via locally connected interface on both primary and secondary nodes.
Primary Node
License GOOD: Licensed for 2 concurrent connections.
Secondary Node
License GOOD: Licensed for 2 concurrent connections.

When I attempt the minimalistic troubleshooting, I seemingly have VRRP traffic being blocked... new territory for me.

I use a UniFi Dream Machine Pro and a UniFi switch.

Servers are deployed on ESXi 7.

OpenVPN AS servers have no UFW settings that I can find.

ALL traffic is allowed between the two servers via the UDM Pro interface.

I tried a few other random fixes found around the internet with no luck. Has anyone had this before?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Server Failover Issue

Post by openvpn_inc » Mon Jan 16, 2023 5:54 pm

Hello darkpeppy,

With failover you need to make sure your port forwarding goes to the shared virtual IP. Not the IP of the primary node specifically. Also the necessary traffic for VRRP must be unblocked or else both nodes will try to use the virtual IP.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

darkpeppy
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 16, 2023 4:34 pm

Re: Server Failover Issue

Post by darkpeppy » Wed Jan 18, 2023 12:25 pm

Thanks Johan, can you give me any tips on this portion:

The port forwarding rule is set for the virtual IP, and that works when primary is up.

Also the necessary traffic for VRRP must be unblocked or else both nodes will try to use the virtual IP. To my knowledge all traffic between the two devices is allowed.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Server Failover Issue

Post by openvpn_inc » Tue Jan 24, 2023 12:54 pm

Hello darkpeppy,

There's a guide here on how to set up failover and how to do some basic troubleshooting:
https://openvpn.net/vpn-server-resource ... over-mode/

With virtual platforms like ESXi it is often the case that the security policies on the virtual switches disallow certain traffic necessary for the shared IP to work correctly. It was either promiscuous mode or MAC spoofing that needed to be enabled, I forgot exactly which. You can run the test in the troubleshooting to see if the VRRP packets are making it from one node to the other node. If they don't, then both nodes will assume they are the master node and both try to take the virtual IP. You can also check /var/log/openvpnas.log to see if the node is currently trying to be the master node or the standby mode. One should be master and the other standby. When the master dies, the standby should become master automatically. If they're both master, it's the VRRP traffic that doesn't make it from one node to the other, something you can verify with the troubleshooting information given in the article I linked.

You could also consider using clustering, which also offers high-availability, and doesn't require VRRP or shared IP addresses. But it depends on your network situation if this is suitable or not.

Kind regards,
Johan
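An added example, not part of the thread or of OpenVPN's own tooling: a small script that takes advertisement captures from both failover nodes and tells the split-brain case described above (each node only sees its own adverts) apart from a healthy master/standby pair. It assumes the captures are plain `tcpdump -n 'ip proto 112'` text output; the function names and the sample addresses and packet lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from captures on BOTH nodes whether
# VRRP/CARP advertisements cross the virtual switch. Input is assumed to be
# `tcpdump -n 'ip proto 112'` text output (no -e), one packet per line.

# Unique source IPs of advertisements sent to the VRRP/CARP multicast group.
advert_sources() {
    printf '%s\n' "$1" | awk '$2 == "IP" && $4 == ">" && $5 == "224.0.0.18:" {
        if (!seen[$3]++) print $3 }'
}

# One node's view. $1 = that node's own IP, $2 = capture text taken on it.
node_view() {
    srcs=$(advert_sources "$2")
    if [ -z "$srcs" ]; then echo no-adverts; return 0; fi
    for s in $srcs; do
        if [ "$s" != "$1" ]; then echo peer-heard; return 0; fi
    done
    echo self-only
}

# Combine both views. $1/$2 = node A IP and capture, $3/$4 = node B IP and capture.
pair_verdict() {
    a=$(node_view "$1" "$2"); b=$(node_view "$3" "$4")
    case "$a/$b" in
        self-only/self-only) echo split-brain ;;   # both advertise, neither hears the other
        self-only/peer-heard|peer-heard/self-only) echo healthy ;;  # one master, standby hears it
        no-adverts/no-adverts) echo no-adverts ;;  # failover daemon not advertising at all
        *) echo inconclusive ;;                    # e.g. election in progress; capture again
    esac
}

# Constructed sample captures (addresses from the 192.0.2.0/24 documentation range).
A_IP=192.0.2.11; B_IP=192.0.2.12
ADV='224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36'
CAP_A_ONLY="12:00:01.000001 IP $A_IP > $ADV
12:00:02.000004 IP $A_IP > $ADV"
CAP_B_ONLY="12:00:01.300002 IP $B_IP > $ADV
12:00:02.300007 IP $B_IP > $ADV"

# vSwitch drops the adverts: each node sees only its own, so both claim the virtual IP.
echo "blocked: $(pair_verdict "$A_IP" "$CAP_A_ONLY" "$B_IP" "$CAP_B_ONLY")"
# Adverts pass: A is master, and B's capture shows A's adverts rather than its own.
echo "passing: $(pair_verdict "$A_IP" "$CAP_A_ONLY" "$B_IP" "$CAP_A_ONLY")"
```

Take the two captures at the same time, one on each node, since a capture from the master alone looks identical in the healthy and the blocked case.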
