Configuring and making VRRP work for keepalived

Hi,

I have set up an IPA Server and IPA Replica, each in Linux, and now I am configuring keepalived for these servers for the failover to work. However, I am not sure how to get the information for some of the parameters in the VRRP config file, like the authentication section "auth_type" and "auth_pass".

Also, I tried to get the virtual_router_id from the IPA server by running the command below:

tcpdump -vvv -n -i ens192 host 224.0.0.18

This is because I read in another article that keepalived uses the 224.0.0.18 IP address for VRRP (Virtual Router Redundancy Protocol) by default. However, I don't get any result from this (maybe there is an internal firewall blocking it):

[root@newipaservertest log]# tcpdump -vvv -n -i ens192 host 224.0.0.18
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Is there any other way to get the virtual router id?

Furthermore, when I restart the keepalived service after adding the VRRP config file, I get the error:

[root@newipaservertest log]# systemctl restart keepalived
Job for keepalived.service failed because the control process exited with error code. See "systemctl status keepalived.service" and "journalctl -xe" for details.

Checking journalctl -xe, I get:

[root@newipaservertest log]# journalctl -xe
Jun 26 16:25:36 newipaservertest ns-slapd[24510]: GSSAPI client step 1
Jun 26 16:25:36 newipaservertest ns-slapd[24510]: GSSAPI client step 2
Jun 26 16:25:36 newipaservertest ns-slapd[24510]: GSSAPI server step 1
Jun 26 16:25:36 newipaservertest ns-slapd[24510]: GSSAPI server step 2
Jun 26 16:25:36 newipaservertest ns-slapd[24510]: GSSAPI server step 3
Jun 26 16:29:43 newipaservertest sssd_be[24632]: GSSAPI client step 1
Jun 26 16:29:43 newipaservertest sssd_be[24632]: GSSAPI client step 1
Jun 26 16:29:43 newipaservertest ns-slapd[24510]: GSSAPI server step 1
Jun 26 16:29:43 newipaservertest sssd_be[24632]: GSSAPI client step 1
Jun 26 16:29:43 newipaservertest ns-slapd[24510]: GSSAPI server step 2
Jun 26 16:29:43 newipaservertest sssd_be[24632]: GSSAPI client step 2
Jun 26 16:29:43 newipaservertest ns-slapd[24510]: GSSAPI server step 3
Jun 26 16:30:37 newipaservertest ns-slapd[24510]: GSSAPI client step 1
Jun 26 16:30:37 newipaservertest ns-slapd[24510]: GSSAPI client step 1
Jun 26 16:30:37 newipaservertest ns-slapd[24510]: GSSAPI client step 1
Jun 26 16:30:37 newipaservertest ns-slapd[24510]: GSSAPI client step 1
Jun 26 16:30:37 newipaservertest ns-slapd[24510]: GSSAPI client step 2
Jun 26 16:33:44 newipaservertest polkitd[10770]: Registered Authentication Agent for unix-process:1619:50964173 (system bus name :1.1438 [/usr/bin/pkttyagent
Jun 26 16:33:44 newipaservertest Keepalived[1625]: Starting Keepalived v2.3.1 (05/24,2024)
Jun 26 16:33:44 newipaservertest systemd[1]: Starting LVS and VRRP High Availability Monitor...
-- Subject: Unit keepalived.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit keepalived.service has begun starting up.
Jun 26 16:33:44 newipaservertest Keepalived[1625]: Running on Linux 5.4.17-2011.6.2.el7uek.x86_64 #2 SMP Thu Sep 3 14:09:14 PDT 2020 (built for Linux 3.10.0)
Jun 26 16:33:44 newipaservertest systemd[1]: keepalived.service: control process exited, code=exited status=6
Jun 26 16:33:44 newipaservertest Keepalived[1625]: Command line: '/usr/local/sbin/keepalived' '-D'
Jun 26 16:33:44 newipaservertest systemd[1]: Failed to start LVS and VRRP High Availability Monitor.
-- Subject: Unit keepalived.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit keepalived.service has failed.
--
-- The result is failed.
Jun 26 16:33:44 newipaservertest Keepalived[1625]: CPU usage (self/children) user: 0.000000/0.000000 system: 0.003891/0.000000
Jun 26 16:33:44 newipaservertest systemd[1]: Unit keepalived.service entered failed state.
Jun 26 16:33:44 newipaservertest Keepalived[1625]: Stopped Keepalived v2.3.1 (05/24,2024)
Jun 26 16:33:44 newipaservertest systemd[1]: keepalived.service failed.
Jun 26 16:33:44 newipaservertest polkitd[10770]: Unregistered Authentication Agent for unix-process:1619:50964173 (system bus name :1.1438, object path /org/f
lines 1244-1284/1284 (END)

Please help shed some light on how to properly configure the parameters for the keepalived config file and successfully start the service.

The virtual router ID is an arbitrary number you select from 1 to 255.
It should not be the same as other router IDs in the same subnet.

That's about it.

As for how it works ..... read about it.

To put it simply:

Two or more keepalived nodes will join a multicast group, exchanging information about who holds the VIP, whether the node is alive, connection state, etc.
One will hold the defined VIP address and traffic will flow through that node.

If you turn off or restart the keepalived service on that node, it will fail over the VIP to another node, advertising the new L2 info to your local subnet/router, e.g. my VIP now has the MAC address of the network interface of 'another node'.
You will also see that IP active on the node and traffic flowing.

This will not affect connections, e.g. clients will not notice this failover, or will notice it only slightly as a TCP RST is sent, and the next packet sent should just work.

Regards.
Peasant.
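
The following is an added example, not part of either post: a shell sketch that picks a virtual_router_id not already seen in VRRP advertisements on the subnet and renders the matching vrrp_instance block for each node. The function names, the instance name VI_IPA, the priorities, the VIP 192.0.2.100/24 and the password are placeholders chosen here; only the interface ens192 comes from the thread. An empty capture like the one in the question gives an empty list of used IDs, so the first free ID is 1.

```bash
# Added example: choose an unused VRID from observed adverts, render a config.
# Constructed sample shaped like `tcpdump -n -i ens192 host 224.0.0.18` output.
SAMPLE_CAPTURE='16:40:01.000001 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 20
16:40:01.500001 IP 192.0.2.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 150, authtype simple, intvl 1s, length 20
16:40:02.000001 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 20'

# Print the distinct VRIDs seen in tcpdump text on stdin, one per line.
used_vrids() {
    grep -oE 'vrid [0-9]+' | awk '{print $2}' | sort -nu
}

# Print the lowest VRID in 1..255 that is not in the list on stdin.
pick_free_vrid() {
    local used id
    used=" $(tr '\n' ' ') "
    for id in $(seq 1 255); do
        case "$used" in *" $id "*) ;; *) echo "$id"; return 0 ;; esac
    done
    return 1   # every ID is already taken on this segment
}

# render_conf STATE PRIORITY VRID AUTH_PASS: emit one node's vrrp_instance.
render_conf() {
    local state=$1 prio=$2 vrid=$3 pass=$4
    [ "$vrid" -ge 1 ] && [ "$vrid" -le 255 ] || { echo "vrid out of range" >&2; return 1; }
    # keepalived uses only the first 8 characters of auth_pass; reject longer.
    [ "${#pass}" -le 8 ] || { echo "auth_pass longer than 8 chars" >&2; return 1; }
    cat <<EOF
vrrp_instance VI_IPA {
    state $state
    interface ens192
    virtual_router_id $vrid
    priority $prio
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass $pass
    }
    virtual_ipaddress {
        192.0.2.100/24
    }
}
EOF
}

vrid=$(printf '%s\n' "$SAMPLE_CAPTURE" | used_vrids | pick_free_vrid)
render_conf MASTER 150 "$vrid" 'Ex4mple!'   # IPA server (placeholder values)
render_conf BACKUP 100 "$vrid" 'Ex4mple!'   # IPA replica (placeholder values)
```

Both nodes must carry the same virtual_router_id and auth_pass. With auth_type PASS the password is sent in cleartext in every advertisement, so it guards against accidental cross-talk between clusters rather than acting as a secret.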