Reboot PFSense HA Pair

2 minute read

There will be exceptions to the below, but for a standard HA reboot process this should be applicable.

Before restarting, confirm the following:

  • On both firewalls, check CARP status. This is under Status gt Carp (Failover)
    • The primary firewall should show all interfaces status as MASTER
    • The secondary firewall should show all interfaces status as BACKUP
  • On both firewalls, check Gateway status. This is under Status gt Gateways
    • All gateways should show as Online on both firewalls with no loss for a successful HA failover. If an interface is up on the primary, but down on the secondary, the failover will not be successful.
  • Once you have confirmed the above, proceed with the restart / upgrade on the secondary firewall first. Because it is inactive, this has the lowest risk. If the secondary firewall fails to recover from a restart, you should not proceed with a restart of the primary.
    • The restart process is initiated from Diagnostics gt Reboot
  • Once the secondary has recovered from its reboot, you should check CARP status again. If the secondary shows backup and the primary shows master, you now need to fail the firewalls over to the secondary.
    • On the primary (MASTER) select Enter Persistent Carp Maintenance Mode This option is located under Status gt Carp (Failover)
      • This immediately takes the primary out of service and the secondary should kick in.
  • Once the primary shows BACKUP and the secondary shows MASTER, you can proceed with a reboot on the primary.
  • Once the restart of the primary has been completed, check CARP status again and if it looks correct, on the primary you would click Leave Persistent Carp Maintenance mode
Last modified May 9, 2022
Get Started Now