VRRP failover

andrewluck · June 15, 2010, 10:18am

I’m setting up a pair of routers on RB450Gs as a high availability VPN server. Each router has two active interfaces that participate in VRRP interfaces.

Failover of the individual VRRP interfaces is fine and a complete router failure is handled OK with both vitual IP addresses ending up on the backup unit. The problem arises with a single interface failure. Only one of the interfaces is failed over.

So far, I’ve tried to address this with scripting using the On-Backup and On-Master triggers but on the master interface the VRRP status stays as Master when the interface is disconnected so the On-Backup script never runs.

Can anyone offer any guidance on this? My current scripts are as follows:

[admin@Backup] /system script> pr
Flags: I - invalid 
 0   name="VRRP-Backup" owner="admin" policy=ftp,read,write,winbox 
     last-started=jun/15/2010 09:18:21 run-count=15 
     source=
       :global tmp;:global t;:global iface;
       :foreach i in=[/int vrrp get [find backup=yes]] do={
         /int vrrp {
           :foreach e in=[find master=yes] do={
             :set iface [get $e interface]
             /interface disable [/inter find name=$iface]
             }
           }
         }

 1   name="VRRP-Master" owner="admin" policy=ftp,read,write,winbox 
     last-started=jun/15/2010 09:15:26 run-count=24 
     source=
       :global tmp;:global t;:global iface;
         /int vrrp {
           :foreach e in=[find invalid=yes] do={
             :set iface [get $e interface]
             /interface enable [/interf find name=$iface]
             }
           }

Cheers

Andrew

janisk · June 15, 2010, 11:45am

hmm, if you have VRRP on each side, you have to turn off interface is one of interfaces from master goes to backup

gdorm · June 15, 2010, 1:25pm

Are the int bonded or they are in different subnets?

andrewluck · June 15, 2010, 4:25pm

Hi Janisk

The problem I have is the Master never goes to backup when the parent interface stops running.

Interfaces on each side of the router are in different subnets.

Cheers

Andrew

gdorm · June 15, 2010, 4:48pm

http://wiki.mikrotik.com/wiki/Manual:VRRP-examples

Did you check it ?

andrewluck · June 15, 2010, 5:28pm

Did you check it ?

Yes & the VRRP RFC. It’s a little vague on what should happen if the parent interface goes down.

gdorm · June 15, 2010, 6:41pm

Hmmm yeah i will give it a try between two RB1000 this days and see what will happen.Can you tell or draw me how to reproduce it to be exact?

andrewluck · June 16, 2010, 11:20am

Thanks for the offer of help. Much appreciated.

Master config

/interface vrrp
add arp=enabled authentication=simple comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=Internet on-backup=VRRP-Backup on-master=\
    VRRP-Master password=****** preemption-mode=yes priority=254 vrid=1
add arp=enabled authentication=simple comment="" disabled=no interface=ether5 \
    interval=1 mtu=1500 name=LAN on-backup=VRRP-Backup on-master=VRRP-Master \
    password=****** preemption-mode=yes priority=254 vrid=2

Backup config

/interface vrrp
add arp=enabled authentication=simple comment="" disabled=no interface=ether5 \
    interval=1 mtu=1500 name=LAN on-backup=VRRP-Backup on-master=VRRP-Master \
    password=****** preemption-mode=yes priority=100 vrid=2
add arp=enabled authentication=simple comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=Internet on-backup=VRRP-Backup on-master=\
    VRRP-Master password=****** preemption-mode=yes priority=100 vrid=1

If you require any more information then let me know

Cheers

Andrew

janisk · June 16, 2010, 11:39am

and how look your up/down scripts?

andrewluck · June 16, 2010, 1:31pm

and how look your up/down scripts?

At the top of this thread.

gdorm · June 17, 2010, 11:26am

I just tested it it works fine on RB1000 4.10.Flag RM goes to flag M after RM int fail on Master and on Backup B goes to RM! After int restore on master flag M goes to RM and on backup flag RM goes to B.

Check your ip connectivity!It’s very likely that the problem is on your ip config,check the pings!

God speed

gdorm · June 17, 2010, 11:34am

BTW this is not a good setup for VPN redundacy,because ot the routing issue which you will have if the internet link fails and the local not on the master!!!The vpn tunnes from internet will be restablished on the backup but it’s local int will be in backup state so no routing there from the internal nets !

Some redundancy can be achieved with bonding the interfaces with two eth each , the only drawbacks of this would be the power supply on the router and the loss of ability to loadshare the vpns bw the two… would be nice if i had two on the RB1000 i would gladly pay for an extra which would not be so expessive but don’t know why mikrotik didn’t include second one!?

God speed

andrewluck · June 17, 2010, 5:38pm

Flag RM goes to flag M after RM int fail on Master and on Backup B goes to RM! After int restore on master flag M goes to RM and on backup flag RM goes to B.

Agreed. That’s exactly what mine does.

As you say, you need to ensure that both master’s are on the same router. To do this you use a script. Two script triggers are provided ‘On-Backup’ and ‘On-Master’. The problem is; on the higher priority master, the On-Backup script is never run because the router never becomes a backup, it’s merely a non-running master as you have observed.

Kind regards

Andrew

gdorm · June 17, 2010, 5:54pm

I just hit some strange behavour on inital config thigs are working but when i restarted the routers bouth are masters ??? Very strange and cannt make them select the backup!?

gdorm · June 17, 2010, 7:07pm

Strange Strange Strange !?!?!? With same priority vrrp choose which one to be master which is OK and things seem to be working! But setting differenet prioritys on two vrrps on same router things don’t work ???

Try with same PR

P.S. Just opened a new topic about this i thing it’s a serous bug!?

http://forum.mikrotik.com/viewtopic.php?f=2&t=42635

God speed

andrewluck · June 21, 2010, 7:41pm

Interesting.

My priorities on each vrrp instance on the same router are the same.

Kind regards

Andrew

andrewluck · March 20, 2011, 2:37pm

I need to bump this thread as I still haven’t found a solution to the problem of synchronising the state of multiple vrrp interfaces on a single router. With Vyatta I get the option to place vrrp interfaces into a group which will achieve this. Is there something that will do the same thing for RouterOS?

Regards

Andrew

janisk · March 21, 2011, 7:26am

you can do additional stuff with VRRP on event that inteface becomes master or backup with corresponding scripting fields on-backup and on-master

andrewluck · March 21, 2011, 10:43am

If you check back to my first post in this thread you can see my attempt at scripting. However, I never managed to get this script working and was looking for some guidance.

Regards

Andrew

janisk · March 24, 2011, 7:18am

when i used to test vrrp there where 2 options:
1st - disable other VRRPs to make sure that on other end vrrp would become masters (do not like this option much)
2nd - lower priority so other device become master and one on the router becomes backup.