search

acassen / keepalived

Keepalived
https://www.keepalived.org
GNU General Public License v2.0
4k stars 737 forks source link

3 node unicast with IPSEC-AH auth_type not work #143

Closed scakkia closed 8 years ago

scakkia commented 9 years ago

Hi,

I'm just tryng this simple config, with 3 nodes in unicast and auth IPSEC-AH:

10.x.x.21 --> MASTER 10.x.x.22 --> BACKUP1 10.x.x.23 --> BACKUP2

1 VIP 10.x.x.20

First with Keepalived 1.2.13 and then with 1.2.16 (from debian experimental), I've the same behaviour.

The config file are:

ON NODE1 - vrrp01 - 10.x.x.21

vrrp_script chk_haproxy { script "killall -0 haproxy" interval 2 weight 2 fall 2 rise 2 } vrrp_instance VI_1 { debug 4 interface eth0 state MASTER virtual_router_id 99 priority 101 authentication { auth_type AH auth_pass XXXXX } unicast_src_ip 10.x.x.21 unicast_peer { 10.x.x.22 10.x.x.23 } virtual_ipaddress { 10.x.x.20 dev eth0 } track_script { chk_haproxy } }

ON NODE2 - vrrp02 - 10.x.x.22

vrrp_script chk_haproxy { script "killall -0 haproxy" interval 2 weight 2 fall 2 rise 2 } vrrp_instance VI_1 { debug 4 interface eth0 state BACKUP virtual_router_id 99 priority 100 authentication { auth_type AH auth_pass XXXXX } unicast_src_ip 10.x.x.22 unicast_peer { 10.x.x.21 10.x.x.23 } virtual_ipaddress { 10.x.x.20 dev eth0 } track_script { chk_haproxy } }

ON NODE3 - vrrp03 - 10.x.x.23

vrrp_script chk_haproxy { script "killall -0 haproxy" interval 2 weight 2 fall 2 rise 2 } vrrp_instance VI_1 { debug 4 interface eth0 state BACKUP virtual_router_id 99 priority 50 authentication { auth_type AH auth_pass XXXXX } unicast_src_ip 10.x.x.23 unicast_peer { 10.x.x.21 10.x.x.22 } virtual_ipaddress { 10.x.x.20 dev eth0 } track_script { chk_haproxy } }

tcpdump on NODE1: 10.x.x.21 > 10.x.x.22: AH(spi=0x0a030315,seq=0x184a): VRRPv2, Advertisement, vrid 99, prio 103, authtype ah, intvl 1s, length 20 10.x.x.21 > 10.x.x.23: AH(spi=0x0a030315,seq=0x184b): VRRPv2, Advertisement, vrid 99, prio 103, authtype ah, intvl 1s, length 20

tcpdump on NODE2: 10.x.x.21 > 10.x.x.22: AH(spi=0x0a030315,seq=0x184a): VRRPv2, Advertisement, vrid 99, prio 103, authtype ah, intvl 1s, length 20

tcpdump on NODE3: 10.x.x.21 > 10.x.x.23: AH(spi=0x0a030315,seq=0x184b): VRRPv2, Advertisement, vrid 99, prio 103, authtype ah, intvl 1s, length 20

At startup of 3 nodes, on NODE3 I've this messages every second:

VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! bogus VRRP packet received on eth0 !!! VRRP_Instance(VI_1) ignoring received advertisment...

Then when test failures of node1 and/or node2 (keepalived stop then start), I've this kind of messages randomly on every nodes:

VRRP_Instance(VI_1) IPSEC-AH : sequence number 1383 already proceeded. Packet dropped. Local(1384) bogus VRRP packet received on eth0 !!! VRRP_Instance(VI_1) Dropping received VRRP packet...

and VIP become active on 2 NODES simultaneously.

debug messages are

NODE01:

May 7 20:29:18 vrrp01 Keepalived[14655]: Starting Keepalived v1.2.16 (05/07,2015) May 7 20:29:18 vrrp01 Keepalived[14656]: Starting Healthcheck child process, pid=14659 May 7 20:29:18 vrrp01 Keepalived[14656]: Starting VRRP child process, pid=14660 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Registering Kernel netlink reflector May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Registering Kernel netlink command channel May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Registering gratuitous ARP shared channel May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Initializing ipvs 2.6 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Registering Kernel netlink reflector May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Registering Kernel netlink command channel May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Configuration is using : 64385 Bytes May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: ------< Global definitions >------ May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Router ID = vrrp01 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Smtp server connection timeout = 30 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Email notification from = root@vrrp01 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: SNMP Trap disabled May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: ------< VRRP Topology >------ May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: VRRP Instance = VI_1 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Want State = MASTER May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Runing on device = eth0 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Using src_ip = 10.x.x.21 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Gratuitous ARP repeat = 5 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Gratuitous ARP refresh repeat = 1 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Virtual Router ID = 99 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Priority = 101 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Advert interval = 1sec May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Authentication type = IPSEC_AH May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Password = xxxxxxx May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Tracked scripts = 1 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: chk_haproxy weight 2 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Unicast Peer = 2 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: 10.x.x.22 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: 10.x.x.23 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Virtual IP = 1 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: 10.x.x.20/32 dev eth0 scope global May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: ------< VRRP Scripts >------ May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: VRRP Script = chk_haproxy May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Command = killall -0 haproxy May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Interval = 2 sec May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Timeout = 0 sec May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Weight = 2 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Rise = 2 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Fall = 2 May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Status = INIT May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: Using LinkWatch kernel netlink reflector... May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Configuration is using : 5164 Bytes May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: ------< Global definitions >------ May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Router ID = vrrp01 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Smtp server connection timeout = 30 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Email notification from = root@vrrp01 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: SNMP Trap disabled May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: ------< SSL definitions >------ May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Using autogen SSL context May 7 20:29:18 vrrp01 Keepalived_healthcheckers[14659]: Using LinkWatch kernel netlink reflector... May 7 20:29:18 vrrp01 Keepalived_vrrp[14660]: VRRP_Script(chk_haproxy) succeeded May 7 20:29:19 vrrp01 Keepalived_vrrp[14660]: VRRP_Instance(VI_1) Transition to MASTER STATE May 7 20:29:20 vrrp01 Keepalived_vrrp[14660]: VRRP_Instance(VI_1) Entering MASTER STATE

NODE2:

May 7 20:29:18 vrrp02 Keepalived[15187]: Starting Keepalived v1.2.16 (05/07,2015) May 7 20:29:18 vrrp02 Keepalived[15188]: Starting Healthcheck child process, pid=15191 May 7 20:29:18 vrrp02 Keepalived[15188]: Starting VRRP child process, pid=15192 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Registering Kernel netlink reflector May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Registering Kernel netlink command channel May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Registering gratuitous ARP shared channel May 7 20:29:18 vrrp02 Keepalived_healthcheckers[15191]: Initializing ipvs 2.6 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp02 Keepalived_healthcheckers[15191]: Registering Kernel netlink reflector May 7 20:29:18 vrrp02 Keepalived_healthcheckers[15191]: Registering Kernel netlink command channel May 7 20:29:18 vrrp02 Keepalived_healthcheckers[15191]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Configuration is using : 64385 Bytes May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: ------< Global definitions >------ May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Router ID = vrrp02 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Smtp server connection timeout = 30 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Email notification from = root@vrrp02 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: SNMP Trap disabled May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: ------< VRRP Topology >------ May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: VRRP Instance = VI_1 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Want State = BACKUP May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Runing on device = eth0 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Using src_ip = 10.x.x.22 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Gratuitous ARP repeat = 5 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Gratuitous ARP refresh repeat = 1 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Virtual Router ID = 99 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Priority = 100 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Advert interval = 1sec May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Authentication type = IPSEC_AH May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Password = xxxxxxx May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Tracked scripts = 1 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: chk_haproxy weight 2 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Unicast Peer = 2 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: 10.x.x.21 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: 10.x.x.23 May 7 20:29:18 vrrp02 Keepalived_healthcheckers[15191]: Configuration is using : 5164 Bytes May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Virtual IP = 1 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: 10.x.x.20/32 dev eth0 scope global May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: ------< VRRP Scripts >------ May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: VRRP Script = chk_haproxy May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Command = killall -0 haproxy May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Interval = 2 sec May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Timeout = 0 sec May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Weight = 2 May 7 20:29:18 vrrp02 Keepalived_vrrp[15192]: Rise = 2 May 7 20:29:19 vrrp02 Keepalived_vrrp[15192]: Fall = 2 May 7 20:29:19 vrrp02 Keepalived_vrrp[15192]: Status = INIT May 7 20:29:19 vrrp02 Keepalived_vrrp[15192]: Using LinkWatch kernel netlink reflector... May 7 20:29:19 vrrp02 Keepalived_vrrp[15192]: VRRP_Instance(VI_1) Entering BACKUP STATE May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: ------< Global definitions >------ May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: Router ID = vrrp02 May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: Smtp server connection timeout = 30 May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: Email notification from = root@vrrp02 May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: SNMP Trap disabled May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: ------< SSL definitions >------ May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: Using autogen SSL context May 7 20:29:19 vrrp02 Keepalived_healthcheckers[15191]: Using LinkWatch kernel netlink reflector... May 7 20:29:19 vrrp02 Keepalived_vrrp[15192]: VRRP_Script(chk_haproxy) succeeded

NODE3:

May 7 20:29:18 vrrp03 Keepalived[15658]: Starting Keepalived v1.2.16 (05/07,2015) May 7 20:29:18 vrrp03 Keepalived[15659]: Starting Healthcheck child process, pid=15662 May 7 20:29:18 vrrp03 Keepalived[15659]: Starting VRRP child process, pid=15663 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Registering Kernel netlink reflector May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Registering Kernel netlink command channel May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Registering gratuitous ARP shared channel May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Initializing ipvs 2.6 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Registering Kernel netlink reflector May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Configuration is using : 64383 Bytes May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Registering Kernel netlink command channel May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Opening file '/etc/keepalived/keepalived.conf'. May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: ------< Global definitions >------ May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Router ID = vrrp03 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Smtp server connection timeout = 30 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Email notification from = root@vrrp03 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: SNMP Trap disabled May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: ------< VRRP Topology >------ May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP Instance = VI_1 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Want State = BACKUP May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Runing on device = eth0 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Using src_ip = 10.x.x.23 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Gratuitous ARP repeat = 5 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Gratuitous ARP refresh repeat = 1 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Virtual Router ID = 99 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Priority = 50 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Advert interval = 1sec May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Authentication type = IPSEC_AH May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Password = xxxxxxxx May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Tracked scripts = 1 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: chk_haproxy weight 2 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Unicast Peer = 2 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: 10.x.x.21 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: 10.x.x.22 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Virtual IP = 1 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: 10.x.x.20/32 dev eth0 scope global May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: ------< VRRP Scripts >------ May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP Script = chk_haproxy May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Command = killall -0 haproxy May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Interval = 2 sec May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Timeout = 0 sec May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Weight = 2 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Rise = 2 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Fall = 2 May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Status = INIT May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: Using LinkWatch kernel netlink reflector... May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) Entering BACKUP STATE May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Configuration is using : 5162 Bytes May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: ------< Global definitions >------ May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Router ID = vrrp03 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Smtp server connection timeout = 30 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Email notification from = root@vrrp03 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: VRRP IPv4 mcast group = 224.0.0.18 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: VRRP IPv6 mcast group = ff02::12 May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: SNMP Trap disabled May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: ------< SSL definitions >------ May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Using autogen SSL context May 7 20:29:18 vrrp03 Keepalived_healthcheckers[15662]: Using LinkWatch kernel netlink reflector... May 7 20:29:18 vrrp03 Keepalived_vrrp[15663]: VRRP_Script(chk_haproxy) succeeded May 7 20:29:19 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:19 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:19 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:20 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:20 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:20 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:21 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:21 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:21 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:22 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:22 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:22 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:23 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:23 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:23 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:24 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:24 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:24 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:25 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:25 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:25 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:26 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:26 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:26 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... May 7 20:29:27 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) IPSEC-AH : invalid IPSEC HMAC-MD5 value. Due to fields mutation or bad password ! May 7 20:29:27 vrrp03 Keepalived_vrrp[15663]: bogus VRRP packet received on eth0 !!! May 7 20:29:27 vrrp03 Keepalived_vrrp[15663]: VRRP_Instance(VI_1) ignoring received advertisment... . . . .

Any hints ? thanks

acassen commented 9 years ago

Hello,

hmm, and you dont have issue with 2 nodes ?

regs,

scakkia commented 9 years ago

Hello, right, no issue with 2 nodes. regards

acassen commented 9 years ago

In fact, while processing incoming advert, local instance maintain seq_num monitoring. In multiple source sending this seq_num change. In order to make it work for multiple sending source, need to maintain a seq_num by source what is not case right.

As a workaround you can define multiple vrrp_instance to get the same env.

Thanks for reporting.

scakkia commented 9 years ago

I understand,

but how can i manage single virtual ipaddress with multiple vrrp instances on 3 nodes?

Thank you in advanced

pqarmitage commented 8 years ago

The best option would be to not use any authentication.

RFC2338 in 1998 specified the authentication options for VRRPv2. That RFC was obsoleted in 2004 by RFC3768, which was an update for VRRPv2. RFC3768 states (at 5.3.6) that authentication was "removed in this specification because operational experience showed that they did not provide any real security and would only cause multiple masters to be created."

You seem to be suffering from the very problem that caused the removal of authentication from the VRRPv2 specification!

Commit 273d211 updates the documentation to recommend not using authentication.

acassen commented 8 years ago

well, if you are using VRRP in non mcast fashion over udp with remote peer, then IPSEC-AH is a good security add-on to consider. But only efficient with 2 vrrp_instances. if multiple nodes you then need to add new vrrp instance to make it working in duality. Anyway this is the way unicast work so this not really an issue.

rcsrao commented 6 years ago

Please use auth_type as "PASS"

lethargosapatheia commented 1 year ago

I've come across this thread and in my case the problem was related to the fact that another vrrp cluster in the same broadcast domain had the same router id configured and it was, of course, sending the wrong password from the perspective of this other instance, which was configured differently (but sharing the router id). @rcsrao I'm a little bit surprised by the suggestion that one should use "PASS" instead of "AH", although I've seen it before. As far as I understand, AH is encrypted, whereas PASS isn't, right? So why wouldn't one choose the better security?

locomx commented 4 months ago

Hi

Searching about how to get bether security on my implementantion of Keepalived. I found this, and hope will help you.

https://serverfault.com/questions/1097034/keepalived-going-split-brain-when-firewalld-is-running

=========================

I've this morning figured out what the cause of the issue was, in case this helps somebody at a future date. I enabled LogDenied=all in /etc/firewalld/firewalld.conf, and was then able to identify which packets were still being dropped by firewalld using the --get-log-denied switch:

[root@dca-ngx02-al keepalived]# firewall-cmd --get-log-denied Mar 28 08:40:04 dca-ngx01-al.REDACTED.local kernel: FINAL_REJECT: IN=ens192 OUT= MAC=01:00:5e:00:00:12:00:50:56:84:ac:d0:08:00 SRC=172.31.5.229 DST=224.0.0.18 LEN=64 TOS=0x00 PREC=0xC0 TTL=255 ID=79 PROTO=AH SPI=0xac1f05e5 Mar 28 08:40:05 dca-ngx01-al.REDACTED.local kernel: FINAL_REJECT: IN=ens192 OUT= MAC=01:00:5e:00:00:12:00:50:56:84:ac:d0:08:00 SRC=172.31.5.229 DST=224.0.0.18 LEN=64 TOS=0x00 PREC=0xC0 TTL=255 ID=80 PROTO=AH SPI=0xac1f05e5 I resolved the issue by adding a subsequent firewall rule for AH multicast packets.

firewall-cmd --add-rich-rule='rule protocol value="ah" accept' --permanent