The conntrack-sync service is a HA service allowing 2 or more hosts to share informations on various connections. When a failover occurs connections are kept open between connected hosts.
service conntrack-sync accept-protocol # Protocols only for which local conntrack entries will be synced tcp udp icmp sctp event-listen-queue-size <int> # Queue size for listening to local conntrack events (in MB) expect-sync # Protocol for which expect entries need to be synchronized. all ftp h323 nfs sip sqlnet failover-mechanism # Failover mechanism to use for conntrack-sync [REQUIRED] cluster group <string> vrrp sync-group <1-255> ignore-address ipv4 <x.x.x.x> # IP addresses for which local conntrack entries will not be synced interface <text> # Interface to use for syncing conntrack entries [REQUIRED] mcast-group <x.x.x.x> # Multicast group to use for syncing conntrack entries sync-queue-size <int> Queue size for syncing conntrack entries (in MB)
The next exemple is a simple configuration of conntrack-sync.
First of all, make sure conntrack is enabled by running
show conntrack table ipv4
If the table is empty and you have a warning message, it means conntrack is not enabled. To enable conntrack, just create a NAT or a firewall rule.
set firewall state-policy established action accept commit
Then, you should have a conntrack table
$ show conntrack table ipv4 TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, TW - TIME WAIT, CL - CLOSE, LI - LISTEN CONN ID Source Destination Protocol TIMEOUT 1015736576 10.35.100.87:58172 172.31.20.12:22 tcp  ES 430279 1006235648 10.35.101.221:57483 172.31.120.21:22 tcp  ES 413310 1006237088 10.100.68.100 172.31.120.21 icmp  29 1015734848 10.35.100.87:56282 172.31.20.12:22 tcp  ES 300 1015734272 172.31.20.12:60286 188.8.131.52:694 udp  29 1006239392 10.35.101.221 172.31.120.21 icmp  29
Then, configuration of conntrack-sync service on router1 *and* router2
set service conntrack-sync accept-protocol 'tcp,udp,icmp' set service conntrack-sync event-listen-queue-size '8' set service conntrack-sync failover-mechanism cluster group 'GROUP' # Or VRRP set service conntrack-sync interface 'eth0' set service conntrack-sync mcast-group '184.108.40.206' set service conntrack-sync sync-queue-size '8'
On the active router, you should have informations in the internal-cache of conntrack-sync. The same current active connections number should be shown in the external-cache of the standby router
On active router:
$ show conntrack-sync statistics Main Table Statistics: cache internal: current active connections: 10 connections created: 8517 failed: 0 connections updated: 127 failed: 0 connections destroyed: 8507 failed: 0 cache external: current active connections: 0 connections created: 0 failed: 0 connections updated: 0 failed: 0 connections destroyed: 0 failed: 0 traffic processed: 0 Bytes 0 Pckts multicast traffic (active device=eth0): 868780 Bytes sent 224136 Bytes recv 20595 Pckts sent 14034 Pckts recv 0 Error send 0 Error recv message tracking: 0 Malformed msgs 0 Lost msgs
On standby router :
$ show conntrack-sync statistics Main Table Statistics: cache internal: current active connections: 0 connections created: 0 failed: 0 connections updated: 0 failed: 0 connections destroyed: 0 failed: 0 cache external: current active connections: 10 connections created: 888 failed: 0 connections updated: 134 failed: 0 connections destroyed: 878 failed: 0 traffic processed: 0 Bytes 0 Pckts multicast traffic (active device=eth0): 234184 Bytes sent 907504 Bytes recv 14663 Pckts sent 21495 Pckts recv 0 Error send 0 Error recv message tracking: 0 Malformed msgs 0 Lost msgs