That's a good question. While the Mikrotik documentation states that preemption mode and sync connection tracking are mutually exclusive, it does not explain why. Let me clarify that.
Let's begin with a short recap of why connection sync is needed. Most firewalls have rules to allow established or related connections. Without connection syncing, the backup router knows nothing about the established connections on the master. When the master goes down and traffic starts going through the backup router, the latter treats all connections as new, which, under certain circumstances, may lead to connections being dropped. The same story applies to NAT: it is impossible to do network address translation without connection tracking. When the backup router becomes the VRRP master, all clients behind NAT lose all their connections unless connection sync has been on.
Sync connection tracking works best when both master and backup routers are identical or close performance-wise.
If the backup router is significantly slower than the master router, and the latter goes down during heavy load, the situation is similar to a DDoS attack on the former. In such a case it is better to have sync-connection-tracking=no. Yes, the existing connections get dropped, but at least the backup router can handle new (or re-established) connections during the master's downtime.
Moreover, connection sync does not work with the standard VRRP preemption. For example, if the master reboots and comes back online with a higher VRRP priority value, it becomes the VRRP master again according to the VRRP protocol. But at this moment, the master does not have connections synced from the backup router yet! This leads to a drop of established and/or NAT'ed connections. According to VRRP, if the router's priority is higher and preemption mode is enabled, it immediately becomes the VRRP master. VRRP does not have an option for the backup router (which is temporarily the VRRP master now) to tell the original master something like "please wait until connection sync completes and then become the master".
Theoretically, Mikrotik could implement an extension to VRRP that would allow delayed preemption. But that's a lot of development effort for little-to-no benefit. Moreover, while VRRP is the standard protocol, the extension would not work with third-party routers or even Mikrotik routers running RouterOS v6.
- If both master and backup routers are identical (or similar), then there is no difference in which one is handling traffic. Set:
preemption-mode=no sync-connection-tracking=yes
- If the backup router is significantly slower and may not handle all the traffic, don't bother with connection syncing. Set:
preemption-mode=yes sync-connection-tracking=no
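As an added example (not part of the post above, and not MikroTik's code), here is a small checker that parses the `/interface vrrp` section of a RouterOS export and flags any instance that combines preemption-mode=yes with sync-connection-tracking=yes, the combination the post explains cannot work safely. The sample export is constructed, and the defaults assumed for omitted keys (preemption-mode=yes, sync-connection-tracking=no) are an assumption to verify against your RouterOS version.

```python
import re

# Constructed sample of a RouterOS export; not taken from any real device.
SAMPLE_EXPORT = """\
/interface vrrp
add interface=ether1 name=vrrp-lan vrid=10 priority=200 \\
    preemption-mode=yes sync-connection-tracking=yes
add interface=ether2 name=vrrp-wan vrid=20 priority=100 \\
    preemption-mode=no sync-connection-tracking=yes
add interface=ether3 name=vrrp-dmz vrid=30 priority=150
/ip firewall filter
add chain=forward connection-state=established,related action=accept
"""


def parse_vrrp_export(text):
    """Return one dict per 'add' line under '/interface vrrp'.

    Backslash line continuations are joined first, and only the vrrp
    section is parsed. Keys missing from a line get the assumed RouterOS
    defaults: preemption-mode=yes, sync-connection-tracking=no.
    """
    joined = text.replace("\\\n", " ")
    entries = []
    in_vrrp = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # A new menu path; track whether we are in the vrrp section.
            in_vrrp = line == "/interface vrrp"
            continue
        if in_vrrp and line.startswith("add "):
            kv = dict(re.findall(r"(\S+?)=(\S+)", line[4:]))
            kv.setdefault("preemption-mode", "yes")
            kv.setdefault("sync-connection-tracking", "no")
            entries.append(kv)
    return entries


def check_vrrp_entries(entries):
    """Return the names of VRRP instances that enable both preemption
    and connection sync; on failback such an instance preempts before
    its connection table is synced, dropping tracked/NAT'ed flows."""
    return [
        e.get("name", "<unnamed>")
        for e in entries
        if e["preemption-mode"] == "yes"
        and e["sync-connection-tracking"] == "yes"
    ]


if __name__ == "__main__":
    for name in check_vrrp_entries(parse_vrrp_export(SAMPLE_EXPORT)):
        print(f"{name}: preemption-mode=yes with sync-connection-tracking=yes")
```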