This is regarding my previous post:
http://www.linuxquestions.org/questions/linux-networking-3/keepalived-doesn%27t-create-vip-on-external-nic-4175577260/
In the meantime I've changed the keepalived configuration and added conntrackd (below), but unfortunately, for some reason, conntrack state is not being synchronized between the two routers. The dedicated link is configured on eth2, and both routers can talk to each other over this interface. But this is what I can see in the master's log:
Code:
[Fri May 13 15:28:15 2016] (pid=981) [notice] running in polling mode
[Fri May 13 15:28:15 2016] (pid=981) [notice] initialization completed
[Fri May 13 15:28:15 2016] (pid=981) [notice] -- starting in console mode --
[Fri May 13 15:28:15 2016] (pid=981) [ERROR] no dedicated links available!
[Fri May 13 15:28:16 2016] (pid=981) [ERROR] no dedicated links available!
[Fri May 13 15:28:16 2016] (pid=981) [ERROR] no dedicated links available!
[Fri May 13 15:28:16 2016] (pid=981) [ERROR] no dedicated links available!
whilst conntrack says:
on the active router:
Code:
root@gw01-vrrp02:~# conntrackd -i
tcp 6 ESTABLISHED src=10.171.171.10 dst=173.194.151.135 sport=35959 dport=443 src=173.194.151.135 dst=1.2.3.52 sport=443 dport=35959 [ASSURED] mark=0 [active since 50s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=38060 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=38060 [ASSURED] mark=0 [active since 50s]
tcp 6 ESTABLISHED src=10.171.171.10 dst=163.1.221.67 sport=49403 dport=80 src=163.1.221.67 dst=1.2.3.52 sport=80 dport=49403 [ASSURED] mark=0 [active since 1205s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=58124 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=58124 [ASSURED] mark=0 [active since 50s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=59078 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=59078 [ASSURED] mark=0 [active since 125s]
tcp 6 CLOSE src=10.171.171.10 dst=173.194.5.167 sport=34776 dport=443 src=173.194.5.167 dst=1.2.3.52 sport=443 dport=34776 [ASSURED] mark=0 [active since 35s]
icmp 1 src=10.171.171.10 dst=8.8.8.8 type=8 code=0 id=30351 src=8.8.8.8 dst=1.2.3.52 type=0 code=0 id=30351 mark=0 [active since 1580s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=37410 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=37410 [ASSURED] mark=0 [active since 125s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=51506 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=51506 [ASSURED] mark=0 [active since 35s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=44053 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=44053 [ASSURED] mark=0 [active since 140s]
udp 17 src=10.171.171.10 dst=8.8.8.8 sport=55673 dport=53 src=8.8.8.8 dst=1.2.3.52 sport=53 dport=55673 [ASSURED] mark=0 [active since 20s]
and on the backup there is nothing replicated.
The same situation shows up if I count the conntrack entries:
Code:
root@gw01-vrrp02:~# cat /proc/net/ip_conntrack | wc -l
14
vs.
Code:
root@gw01-vrrp01:~# cat /proc/net/ip_conntrack | wc -l
6
and, to be honest, I have no idea where the problem is.
Keepalived on master router:
Code:
# Master router. Global keepalived settings shared by the VRRP instances below.
global_defs {
# Recipients and sender of the state-change mail that smtp_alert (set per instance) sends.
notification_email { it@domain.com }
notification_email_from GW01-MASTER@domain.com
smtp_server localhost
smtp_connect_timeout 30
# Name of this node in log and mail output; the backup router uses a different id.
router_id LVS_MASTER
}
# EXTERNAL and LOCAL fail over as a unit: if one instance leaves MASTER the other
# follows, so the same router always owns both the WAN VIP and the LAN VIP.
vrrp_sync_group VG1 {
group {
EXTERNAL
LOCAL
}
# Role-transition hooks, run by keepalived with the new role as the argument. Presumably
# this is the primary-backup.sh sample from conntrack-tools, which tells conntrackd over
# its UNIX control socket to commit or resync its caches; confirm the file exists and is
# executable on both routers, since a failing hook never informs conntrackd of the change.
notify_master "/etc/conntrackd/primary-backup.sh primary"
notify_backup "/etc/conntrackd/primary-backup.sh backup"
notify_fault "/etc/conntrackd/primary-backup.sh fault"
}
# WAN-side instance on eth0, owning the public VIP.
vrrp_instance EXTERNAL {
# Both routers start as BACKUP and use nopreempt (below), so the first one up wins the
# election and keeps the VIP until it actually fails; a recovering node does not pull
# the VIP (and the tracked connections) back.
state BACKUP
interface eth0
# Must be identical on both routers and unique among VRRP speakers on this segment.
virtual_router_id 61
# Higher than the backup router's 50; with nopreempt this only decides the initial election.
priority 100
advert_int 1
smtp_alert
# NOTE(review): PASS authentication sends the (at most 8-character) password in the
# clear in every advertisement, and VRRPv2 authentication was removed by RFC 3768. It
# only stops a misconfigured peer with the same VRID from joining; it is not access
# control. If eth0 is shared with other hosts, restrict VRRP (IP protocol 112 to
# 224.0.0.18) to the peer's address with the firewall instead.
authentication {
auth_type PASS
auth_pass 1234
}
# Public VIP. The conntrackd -i output above shows it as the reply-tuple dst of the
# client flows, so it appears to also be the SNAT address.
virtual_ipaddress {
1.2.3.52/27 dev eth0
}
# Do not reclaim MASTER on recovery (only honoured together with state BACKUP).
nopreempt
# Second burst of gratuitous ARP one second after becoming MASTER, so the upstream
# router refreshes its MAC entry for the VIP.
garp_master_delay 1
}
# LAN-side instance on the eth1.2 sub-interface (presumably VLAN 2), owning the
# clients' default-gateway address.
vrrp_instance LOCAL {
# Same election scheme as EXTERNAL: start as BACKUP, first node up wins, no preemption.
state BACKUP
interface eth1.2
# Distinct from EXTERNAL's VRID 61; both instances run on the same router pair.
virtual_router_id 62
priority 100
advert_int 1
smtp_alert
# NOTE(review): PASS puts the shared secret in the clear on the VLAN; it only filters
# out mismatched peers and is not a security boundary.
authentication {
auth_type PASS
auth_pass 1234
}
# Gateway VIP for the 10.171.0.0/16 LAN (the conntrack entries above all come from
# 10.171.171.10 on this side).
virtual_ipaddress {
10.171.171.254/16 dev eth1.2
}
nopreempt
# Second gratuitous-ARP burst one second after taking over, for the LAN switches/hosts.
garp_master_delay 1
}
Keepalived on backup router:
Code:
# Backup router. Global keepalived settings shared by the VRRP instances below.
global_defs {
# Recipients and sender of the state-change mail that smtp_alert (set per instance) sends.
notification_email { it@domain.com }
notification_email_from GW01-BACKUP@domain.com
smtp_server localhost
smtp_connect_timeout 30
# Name of this node in log and mail output; the master router uses a different id.
router_id LVS_BACKUP
}
# EXTERNAL and LOCAL fail over as a unit, mirroring the master router's group, so the
# WAN and LAN VIPs never end up on different routers.
vrrp_sync_group VG1 {
group {
EXTERNAL
LOCAL
}
# Role-transition hooks, run by keepalived with the new role as the argument. Presumably
# the primary-backup.sh sample from conntrack-tools; on "primary" it is what would make
# conntrackd commit the replicated (external cache) entries into the kernel, so it must
# exist and be executable here too.
notify_master "/etc/conntrackd/primary-backup.sh primary"
notify_backup "/etc/conntrackd/primary-backup.sh backup"
notify_fault "/etc/conntrackd/primary-backup.sh fault"
}
# WAN-side instance on eth0; same VRID, VIP and secret as on the master router,
# only the priority differs.
vrrp_instance EXTERNAL {
# Start as BACKUP; with nopreempt the first router up keeps the VIP until it fails.
state BACKUP
interface eth0
virtual_router_id 61
# Lower than the master router's 100, so the master wins when both start together;
# because of nopreempt this does not matter once one of them is MASTER.
priority 50
advert_int 1
smtp_alert
# NOTE(review): PASS sends the password in the clear in every advertisement (VRRPv2
# authentication was removed by RFC 3768); it only keeps a misconfigured peer with the
# same VRID away, it is not access control for the segment.
authentication {
auth_type PASS
auth_pass 1234
}
# Public VIP, shared with the master router.
virtual_ipaddress {
1.2.3.52/27 dev eth0
}
# Do not reclaim MASTER on recovery (only honoured together with state BACKUP).
nopreempt
# Second gratuitous-ARP burst one second after becoming MASTER.
garp_master_delay 1
}
# LAN-side instance on the eth1.2 sub-interface (presumably VLAN 2), owning the
# clients' default-gateway address; mirrors the master router's LOCAL instance.
vrrp_instance LOCAL {
state BACKUP
interface eth1.2
# Distinct from EXTERNAL's VRID 61; must match the master router's LOCAL instance.
virtual_router_id 62
# Lower than the master router's 100; only relevant for the initial election.
priority 50
advert_int 1
smtp_alert
# NOTE(review): cleartext shared secret on the VLAN; not a security boundary.
authentication {
auth_type PASS
auth_pass 1234
}
# Gateway VIP for the 10.171.0.0/16 LAN.
virtual_ipaddress {
10.171.171.254/16 dev eth1.2
}
nopreempt
# Second gratuitous-ARP burst one second after taking over.
garp_master_delay 1
}
Conntrackd on master router:
Code:
# Master router. Replication of this node's conntrack state to the peer over eth2.
Sync {
# FTFW: reliable replication - messages carry sequence numbers, the peer acknowledges
# them and unacknowledged ones are resent from the queue below (unlike NOTRACK/ALARM).
Mode FTFW {
ResendQueueSize 262144
# Fixed lifetime (seconds) given to replicated entries when they are committed into the
# kernel on becoming primary, so state that never sees traffic again is purged.
CommitTimeout 1800
# After a primary->backup hand-over, flush the stale kernel table after 5 seconds.
PurgeTimeout 5
#ACKWindowSize 300
# Off = entries received from the peer stay in the userspace external cache until the
# notify hook commits them, rather than being injected into the kernel immediately.
DisableExternalCache Off
}
# Plain UDP with no authentication or encryption: anything that can reach eth2 can read
# or inject flow state, so this link has to stay point-to-point between the two routers.
UDP {
# Local address of the sync channel; it must actually be configured on eth2 here.
IPv4_address 10.10.10.1
IPv4_Destination_Address 10.10.10.2
Port 3780
# NOTE(review): conntrackd watches this interface's link state over rtnetlink and, as
# far as I recall, logs "no dedicated links available!" when the interface of every
# configured channel is not UP/RUNNING. That matches the error in the log above, so
# check `ip link show eth2` and `ip addr show eth2` on the node that reports it before
# looking at the filter or mode settings.
Interface eth2
SndSocketBuffer 1249280
RcvSocketBuffer 1249280
# UDP checksums on the sync packets.
Checksum on
}
}
# Master router. Daemon-wide settings and the filter deciding which flows are replicated.
General {
# Highest scheduling priority for the daemon.
Nice -20
# Hash table size / entry limit of the internal cache (this node's own kernel state).
HashSize 32768
HashLimit 131072
# "on" logs to the default conntrackd log file; the "no dedicated links available!"
# lines above come from here. Also copied to syslog.
LogFile on
Syslog on
# Prevents a second conntrackd instance from starting.
LockFile /var/lock/conntrack.lock
# Control socket used by the conntrackd command-line switches (-i above, -c/-n/-f in
# the notify hook).
UNIX {
Path /var/run/conntrackd.ctl
Backlog 20
}
# Netlink socket buffer sizing; on an overrun the kernel table is re-dumped instead of
# silently losing state.
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
NetlinkOverrunResync On
# Best-effort event delivery (reliable mode is not requested).
NetlinkEventsReliable Off
# Polling mode ("running in polling mode" in the log): the kernel table is dumped every
# 15 s instead of following conntrack events, so flows shorter than that are never seen
# by the peer.
PollSecs 15
# EventIterationLimit 100
# Userspace filter: only flows passing both lists below are sent to the peer.
Filter From Userspace {
# Replicate these L4 protocols only (IPv6-ICMP is not enabled).
Protocol Accept {
TCP
SCTP
DCCP
UDP
ICMP
# IPv6-ICMP
}
# Do not replicate flows involving loopback, the sync link itself (so the replication
# stream is not tracked), and what are presumably the routers' own addresses and VIPs -
# i.e. only forwarded client traffic crosses to the peer.
# NOTE(review): as far as I recall this filter matches the original-direction tuple only,
# so the SNAT'd client flows (reply dst=1.2.3.52 in conntrackd -i) should still pass
# despite 1.2.3.52 being listed; confirm once the link is up, because if both tuples were
# matched every NAT'd flow would be dropped here.
Address Ignore {
IPv4_address 127.0.0.1 # loopback
IPv4_address 10.10.10.1
IPv4_address 10.10.10.2
IPv4_address 1.2.3.52
IPv4_address 1.2.3.53
IPv4_address 1.2.3.54
IPv4_address 10.171.171.1
IPv4_address 10.171.171.2
IPv4_address 10.171.171.254
IPv4_address 10.172.172.1
IPv4_address 10.172.172.2
IPv4_address 10.172.172.254
# IPv6_address ::1
}
}
}
Conntrackd on backup router:
Code:
# Backup router. Same replication settings as the master; only the channel addresses
# are swapped (local 10.10.10.2, peer 10.10.10.1).
Sync {
# FTFW: acknowledged replication with a resend queue for lost messages.
Mode FTFW {
ResendQueueSize 262144
# Fixed lifetime (seconds) given to replicated entries when this node commits them into
# the kernel on becoming primary.
CommitTimeout 1800
# Flush the stale kernel table 5 s after a primary->backup hand-over.
PurgeTimeout 5
#ACKWindowSize 300
# Off = entries received from the peer are held in the userspace external cache until
# the notify hook commits them; "conntrackd -e" would show them, "conntrackd -i" would not.
DisableExternalCache Off
}
# Plain UDP, no authentication or encryption: eth2 must remain a private point-to-point
# link between the two routers.
UDP {
# Local address of the sync channel; it must actually be configured on eth2 here.
IPv4_address 10.10.10.2
IPv4_Destination_Address 10.10.10.1
Port 3780
# NOTE(review): conntrackd follows this interface's link state over rtnetlink and, as
# far as I recall, reports "no dedicated links available!" when it is not UP/RUNNING;
# verify eth2 and 10.10.10.2 with `ip addr show eth2` on this node as well.
Interface eth2
SndSocketBuffer 1249280
RcvSocketBuffer 1249280
# UDP checksums on the sync packets.
Checksum on
}
}
# Backup router. Daemon-wide settings and the replication filter; identical to the
# master's, which is what one wants for a symmetric active/backup pair.
General {
# Highest scheduling priority for the daemon.
Nice -20
# Hash table size / entry limit of the internal cache (this node's own kernel state).
HashSize 32768
HashLimit 131072
# Default conntrackd log file plus syslog.
LogFile on
Syslog on
# Prevents a second conntrackd instance from starting.
LockFile /var/lock/conntrack.lock
# Control socket for the conntrackd command-line switches and the notify hook.
UNIX {
Path /var/run/conntrackd.ctl
Backlog 20
}
# Netlink buffer sizing; re-dump the kernel table on an overrun.
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
NetlinkOverrunResync On
# Best-effort event delivery (reliable mode is not requested).
NetlinkEventsReliable Off
# Polling mode: dump the kernel table every 15 s instead of following events, so flows
# shorter than that never reach the peer.
PollSecs 15
# EventIterationLimit 100
# Userspace filter: only flows passing both lists below are replicated.
Filter From Userspace {
# Replicate these L4 protocols only (IPv6-ICMP is not enabled).
Protocol Accept {
TCP
SCTP
DCCP
UDP
ICMP
# IPv6-ICMP
}
# Do not replicate flows involving loopback, the sync link itself, and what are
# presumably the routers' own addresses and VIPs, so only forwarded client traffic is
# sent to the peer.
# NOTE(review): as far as I recall this matches the original-direction tuple only, so
# listing the SNAT address 1.2.3.52 does not drop the NAT'd client flows whose reply
# tuple points at it; confirm once replication is working.
Address Ignore {
IPv4_address 127.0.0.1 # loopback
IPv4_address 10.10.10.1
IPv4_address 10.10.10.2
IPv4_address 1.2.3.52
IPv4_address 1.2.3.53
IPv4_address 1.2.3.54
IPv4_address 10.171.171.1
IPv4_address 10.171.171.2
IPv4_address 10.171.171.254
IPv4_address 10.172.172.1
IPv4_address 10.172.172.2
IPv4_address 10.172.172.254
# IPv6_address ::1
}
}
}