Connection Tracking Inactive?

robvh · March 4, 2025, 10:54am

I’m trying to setup Connection Syncing between 2 VRRP members

When enabling Connection Syncing (does not matter if preemption mode is on or off, or if a remote address is specified) it shows a warning on the VRRP interface
Connection Tracking Inactive!

However Connection Tracking is enabled on both nodes (enabled=yes)
RouterOS is 7.18 (both nodes)

Relevant Configuration from node 1

/interface vrrp
# Connection tracking inactive!
add group-authority=self interface=local name=vrrp1 priority=254 \
    remote-address=192.168.2.252 sync-connection-tracking=yes
/interface vrrp
add group-authority=vrrp1 interface=vlan68 name=vrrp68 priority=254 vrid=68
add group-authority=vrrp1 interface=vlan69 name=vrrp69 priority=254 vrid=69
/ip address
add address=192.168.2.251/24 interface=local network=192.168.2.0
add address=192.168.2.250 interface=vrrp1 network=192.168.2.250
add address=192.168.68.254 interface=vrrp68 network=192.168.68.254
add address=192.168.69.254 interface=vrrp69 network=192.168.69.254
add address=192.168.68.251/24 interface=vlan68 network=192.168.68.0
add address=192.168.69.251/24 interface=vlan69 network=192.168.69.0
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall address-list
add address=192.168.0.0/16 list=Internal
add address=192.168.2.0/24 list=vlan2
add address=192.168.2.252 list=VRRP
add address=192.168.2.254 list=VRRP
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid log=yes
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=input protocol=vrrp src-address-list=Internal
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input src-address-list=VRRP
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop other input" log=yes
add action=accept chain=output log-prefix=output

Node 2 is identical except priority for vrrp is 100 and ip’s are .252 instead of .251
Tried disabling the drop rule for input chain, made no difference
What am I doing wrong that it states connection tracking is inactive?

robvh · March 4, 2025, 11:13am

added info to original post

jcavaliere · March 5, 2025, 7:59pm

Looks like something with SO v7.17 and newer is causing the issue.

I tested on OS V7.16.1 and older and works fine.

Not sure on a Solution. Maybe put in a support ticket

jhablitzel · March 5, 2025, 11:24pm

I am having the same issue and just opened a support ticket. I was seeing it in the later 7.17 series and now on 7.18.1. I saw in the release notes where they added that message somewhere in the 7.17 series. Was connection tracking really working on 7.16 or just not seeing the message.

robvh · March 11, 2025, 8:16am

Can’t tell if it worked with older releases.
This is a new setup and before setting it up I upgraded to the latest stable release (by lack of a LTS version)
So I’ve never tried connection sync with a version below 7.18
Please keep us updated if you get any response from the support ticket

mbfrey · March 13, 2025, 12:28pm

I can confirm that connection tracking is working with 7.16.2. I have a VRRP setup with connection “Sync. Connection Tracking” activated. Connections established on one partner are visible in the connection table of the second partner.
I broke with version 7.17. I created a bug report on 12.2.25 (SUP-179219) but have not yet received a reply.

Paradox · March 18, 2025, 10:07am

Same problem here:
I had two routers with v7.16.1 in a VRRP setup and connection tracking was working. Connections yould be seen on IP-Firewall-Connections on both routers.
I’ve upgraded the backup router to v7.18.2 and now it says “Connection tracking inactive!”

DPCGUY · March 26, 2025, 7:16pm

Just chiming in, seeing the same issue and sent a message to support.

DPCGUY · March 26, 2025, 7:50pm

Just an update,

Under connections and tracking in Winbox, I toggled tracking off and them back to on and it just started working again.

Mimiko · March 31, 2025, 11:41am

Toggling connection tracking in firewall → connections does not resolve the problem.

robvh · March 31, 2025, 2:12pm

DPCGUY seems to be right somehow

Disabled Connection tracking and immediately enabled it again on both nodes.
Then enabled Connection Sync on the group authority master (VRRP1) on both nodes and it now works without any complaints
Both nodes showed around 1800 connections in the list, no longer a warning

Still running 7.18, did not get around to upgrading yet