Server Failover Issue

Posted: Mon Jan 16, 2023 5:51 pm
by darkpeppy
Hi everyone, I'm at a loss here.

I deployed the 2-server primary/secondary setup, and I can connect just fine when the primary is up. But when I shut the primary down, I never get a connection.

When the secondary is the only one online, I get no connectivity.

This is again with LAN/ucarp-based failover; when I validate that configuration, I get GOOD x 4:

Connectivity GOOD: Connectivity test between primary and secondary nodes succeeded.
LAN Model GOOD: Shared virtual IP address is directly accessible via locally connected interface on both primary and secondary nodes.
Primary Node
License GOOD: Licensed for 2 concurrent connections.
Secondary Node
License GOOD: Licensed for 2 concurrent connections.

When I attempt the minimalistic troubleshooting, I seemingly have VRRP traffic being blocked... new territory for me.

I use a UniFi Dream Machine Pro and a UniFi switch.

Servers are deployed on ESXi 7.

OpenVPN AS servers have no UFW settings that I can find.

ALL traffic is allowed between the two servers via the UDM Pro interface.

I tried a few other random fixes found around the internet with no luck. Has anyone had this before?

Re: Server Failover Issue

Posted: Mon Jan 16, 2023 5:54 pm
by openvpn_inc
Hello darkpeppy,

With failover you need to make sure your port forwarding goes to the shared virtual IP, not the IP of the primary node specifically. Also, the necessary traffic for VRRP must be unblocked, or else both nodes will try to use the virtual IP.

Kind regards,
Johan

Re: Server Failover Issue

Posted: Wed Jan 18, 2023 12:25 pm
by darkpeppy
Thanks Johan, can you give me any tips on this portion:

The port forwarding rule is set for the virtual IP, and that works when primary is up.

"Also the necessary traffic for VRRP must be unblocked or else both nodes will try to use the virtual IP." To my knowledge, all traffic between the two devices is allowed.

Re: Server Failover Issue

Posted: Tue Jan 24, 2023 12:54 pm
by openvpn_inc
Hello darkpeppy,

There's a guide here on how to set up failover and how to do some basic troubleshooting:
https://openvpn.net/vpn-server-resource ... over-mode/

With virtual platforms like ESXi it is often the case that the security policies on the virtual switches disallow certain traffic necessary for the shared IP to work correctly. It was either promiscuous mode or MAC spoofing that needed to be enabled, I forgot exactly which. You can run the test in the troubleshooting to see if the VRRP packets are making it from one node to the other node. If they don't, then both nodes will assume they are the master node and both try to take the virtual IP. You can also check /var/log/openvpnas.log to see if the node is currently trying to be the master node or the standby mode. One should be master and the other standby. When the master dies, the standby should become master automatically. If they're both master, it's the VRRP traffic that doesn't make it from one node to the other, something you can verify with the troubleshooting information given in the article I linked.

You could also consider using clustering, which also offers high availability and doesn't require VRRP or shared IP addresses. But it depends on your network situation whether this is suitable or not.

Kind regards,
Johan
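The check Johan describes (are the primary's VRRP advertisements actually reaching the secondary, or are both nodes advertising as master?) can be automated against a packet capture. The following is an added example, not code from OpenVPN or from anyone in this thread: it parses constructed tcpdump lines in the VRRPv2 decode style that `tcpdump -ni <iface> proto 112` would produce on the secondary node (that line format, the interface and the 192.168.10.x node addresses are assumptions of the example) and classifies the failover state.

```python
import re
from collections import Counter

# Constructed sample of a capture taken on the SECONDARY node while the
# primary is healthy: only the primary (192.168.10.11, assumed address)
# multicasts advertisements to 224.0.0.18; the secondary stays quiet.
HEALTHY_CAPTURE = """\
12:00:00.000001 IP 192.168.10.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 254, authtype none, intvl 1s, length 20
12:00:01.000010 IP 192.168.10.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 254, authtype none, intvl 1s, length 20
12:00:02.000007 IP 192.168.10.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 254, authtype none, intvl 1s, length 20
"""

# Constructed sample of the split-brain case from the thread: the secondary
# (192.168.10.12, assumed) also advertises because nothing from the primary
# is arriving through the virtual switch, so both nodes claim the virtual IP.
SPLIT_BRAIN_CAPTURE = HEALTHY_CAPTURE + """\
12:00:03.000002 IP 192.168.10.12 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 20
12:00:04.000004 IP 192.168.10.12 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 20
"""

# Match the source address of each advertisement to the VRRP multicast group.
ADVERT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: VRRPv2, Advertisement"
)


def count_advertisements(capture: str) -> Counter:
    """Return {source_ip: number of VRRP advertisements} seen in tcpdump text."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        match = ADVERT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def diagnose(capture: str, primary_ip: str, secondary_ip: str) -> str:
    """Classify failover state from a capture taken on the secondary node."""
    counts = count_advertisements(capture)
    from_primary = counts.get(primary_ip, 0)
    from_secondary = counts.get(secondary_ip, 0)
    if from_primary and from_secondary:
        # Both advertising: VRRP is not crossing the vSwitch, as in the thread.
        return "split-brain"
    if from_primary:
        return "standby-ok"        # primary is master, secondary correctly silent
    if from_secondary:
        return "secondary-master"  # primary silent, secondary took over (failover)
    return "no-vrrp"               # nothing captured: wrong interface or filtered


if __name__ == "__main__":
    print(diagnose(HEALTHY_CAPTURE, "192.168.10.11", "192.168.10.12"))
    print(diagnose(SPLIT_BRAIN_CAPTURE, "192.168.10.11", "192.168.10.12"))
```

A "split-brain" result on the secondary points at the virtual switch security policy (promiscuous mode / MAC address changes) rather than at OpenVPN AS itself; "standby-ok" with a failed failover points elsewhere, such as the port forward or the virtual IP's ARP reachability.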