Moritz Kraus
2 years
Florian Heinle
2 years
Claus-Theodor Riegg
3 years
Claus-Theodor Riegg
3 years
Andreas Vöst
3 years
Claus-Theodor Riegg
8 years

Keepalived VRRP FAQ

Updated . Posted . Visible to the public.

How can I configure virtual IP's?

There are two parameter to set up virtual ips in Keepalived:

virtual_ipaddress

Addresses defined here are included into the VRRP Packages and are therefore limited in number, especially with IPv6.

Address families cannot be mixed here.

If this contains IPv6 addresses, Keepalived will use VRRP over IPv6.

The inclusion of the addresses into the VRRP packages is for troubleshooting reasons. See RFC5798 Section 5.2.9 Show archive.org snapshot and RFC3768 Section 5.3 Show archive.org snapshot

Warning

Put the IP addresses into the same section. Otherwise keepalived will end up in split brain.

virtual_ipaddress_excluded

These addresses are managed by keepalived like virtual_ipaddress items, but they are not included in the communication. Here it is possible to mix address families.

If one of these addresses get lost, Keepalived will failover the VRRP Instance.

How do I set up VRRP on certain interfaces?

interface

This is the interface where the VRRP communication happens. Virtual IP's will be bound to this interface, if not specified otherwise.

the address dev setting

An interface can be specified on address level. This will bind the specified interface instead of the one in `interface.

Why are the floating getting dropped by systemd-networkd/netplan?

Read Prevent systemd from dropping IP-Addresses configured from other processes.

What are the criteria for master election?

The master is selected by the highest priority. If the priorities are the same, the highest primary address(virtual_ipaddress) wins.

How does the network gets informed about a failover?

After a transition Gratuitous Address Resolution Protocol(GARP) Packages / unsolicited Neighbor Advertisements(NA) are sent to update MAC address tables on Switches and ARP caches on nodes and router. These packages are send out on a lower cadence after the transition.

  • send 5 GARP/NA packages immediately after transition (vrrp_garp_master_repeat)

  • wait 5 seconds (vrrp_garp_master_delay)

  • send 5 GARP/NA packages (vrrp_garp_master_repeat)

  • loop until state change

    • wait 60 seconds (vrrp_garp_master_refresh)
    • send 1 GARP/NA package (vrrp_garp_master_refresh_repeat)

The timings here are default which can be tweaked with the mentioned config settings.

Why is authentication not available in VRRPv3?

Support for authenticating VRRP Communication was dropped in VRRPv3. There is no additional security in enabling authentication for VRRP. Malicious packages can be crafted with the information available on the wire.

Misconfigured authentication leads into a split brain situation.

See RFC5798 Section9 Show archive.org snapshot

Some of my addresses are not advertised

If there are loads of addresses configured, keepalived has to send lots of ARP/ND packages to announce the addresses to the network.
The network stack has a buffer for these packages. If the buffer is full, no more packages are enqueued. This is logged as follows:

Jun 29 16:49:53 myhost Keepalived_vrrp[787]: Error 11 sending ndisc unsolicited neighbour advert on eth0 for 2001:DB8::1
Jun 29 16:49:53 myhost Keepalived_vrrp[787]: Error 11 (Resource temporarily unavailable) sending gratuitous ARP on eth0 for 192.0.2.123

Error 11 is from sendto, which throws an error, if the send buffer is full.

In the ERROR section of man 2 sendto adds another piece to the puzzle

EAGAIN or EWOULDBLOCK
    The socket is marked nonblocking and the requested
    operation would block.  POSIX.1-2001 allows either 
    error to be returned for this case, and does not 
    require these constants to have the same value, so a 
    portable application should check for both 
    possibilities.

To avoid the above error increase the kernel parameter net.core.wmem_default to adjust the size of this buffer. kernel.org - wmem_default Show archive.org snapshot

There is the article Blocking vs. Non-Blocking Sockets Show archive.org snapshot for a deeper look into this topic.

Moritz Kraus
Last edit
Marc Dierig
License
Source code in this card is licensed under the MIT License.