Conntrack sync

From VyOS Wiki

The conntrack-sync service is a high-availability (HA) service that allows two or more hosts to share information about their tracked connections. When a failover occurs, existing connections are kept open between the connected hosts instead of being dropped.

Configuration commands

service conntrack-sync
   accept-protocol # Only protocols for which local conntrack entries will be synced
      tcp
      udp
      icmp
      sctp
   event-listen-queue-size <int> # Queue size for listening to local conntrack events (in MB)
   expect-sync # Protocols for which expect entries need to be synchronized
      all
      ftp
      h323
      nfs
      sip
      sqlnet
   failover-mechanism # Failover mechanism to use for conntrack-sync [REQUIRED]
      cluster group <string>
      vrrp sync-group <1-255>
   ignore-address ipv4 <x.x.x.x> # IP addresses for which local conntrack entries will not be synced
   interface <text> # Interface to use for syncing conntrack entries [REQUIRED]
   mcast-group <x.x.x.x> # Multicast group to use for syncing conntrack entries
   sync-queue-size <int> # Queue size for syncing conntrack entries (in MB)

Example

The next example is a simple configuration of conntrack-sync.

Conntrack Sync Example

First of all, make sure conntrack is enabled by running

 show conntrack table ipv4

If the table is empty and you get a warning message, conntrack is not enabled. To enable it, create a NAT rule or a firewall rule, for example:

 set firewall state-policy established action accept
 commit

Then you should have a populated conntrack table:

$ show conntrack table ipv4
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
                 TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID    Source                 Destination            Protocol         TIMEOUT
1015736576 10.35.100.87:58172     172.31.20.12:22        tcp [6] ES       430279
1006235648 10.35.101.221:57483    172.31.120.21:22       tcp [6] ES       413310
1006237088 10.100.68.100          172.31.120.21          icmp [1]         29
1015734848 10.35.100.87:56282     172.31.20.12:22        tcp [6] ES       300
1015734272 172.31.20.12:60286     239.10.10.14:694       udp [17]         29
1006239392 10.35.101.221          172.31.120.21          icmp [1]         29

Then configure the conntrack-sync service on router1 *and* router2:

 set service conntrack-sync accept-protocol 'tcp,udp,icmp'
 set service conntrack-sync event-listen-queue-size '8'
 set service conntrack-sync failover-mechanism cluster group 'GROUP' # Or VRRP
 set service conntrack-sync interface 'eth0'
 set service conntrack-sync mcast-group '225.0.0.50'
 set service conntrack-sync sync-queue-size '8'

On the active router, the internal cache of conntrack-sync should hold the tracked connections. The external cache of the standby router should show the same number of current active connections.

On active router:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections:               10
connections created:                    8517    failed:            0
connections updated:                     127    failed:            0
connections destroyed:                  8507    failed:            0

cache external:
current active connections:                0
connections created:                       0    failed:            0
connections updated:                       0    failed:            0
connections destroyed:                     0    failed:            0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=eth0):
              868780 Bytes sent               224136 Bytes recv
               20595 Pckts sent                14034 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs

On standby router:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections:                0
connections created:                       0    failed:            0
connections updated:                       0    failed:            0
connections destroyed:                     0    failed:            0

cache external:
current active connections:               10
connections created:                     888    failed:            0
connections updated:                     134    failed:            0
connections destroyed:                   878    failed:            0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=eth0):
              234184 Bytes sent               907504 Bytes recv
               14663 Pckts sent                21495 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
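The check described above (the active router's internal cache count should match the standby router's external cache count, with no lost or malformed messages and no multicast errors) is easy to get wrong by eye. The following is an added example, not part of the VyOS wiki page or of the conntrack-sync tool itself: it parses the two `show conntrack-sync statistics` outputs shown above (embedded here as constructed sample strings) and reports the discrepancies a practitioner would want flagged. Section names, the `parse_stats`/`check_sync` functions and the degraded sample are the example's own assumptions.

```python
import re

# Constructed sample: the active router's statistics output as shown above.
ACTIVE_STATS = """\
Main Table Statistics:

cache internal:
current active connections:               10
connections created:                    8517    failed:            0
connections updated:                     127    failed:            0
connections destroyed:                  8507    failed:            0

cache external:
current active connections:                0
connections created:                       0    failed:            0
connections updated:                       0    failed:            0
connections destroyed:                     0    failed:            0

multicast traffic (active device=eth0):
              868780 Bytes sent               224136 Bytes recv
               20595 Pckts sent                14034 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
"""

# Constructed sample: the standby router's statistics output as shown above.
STANDBY_STATS = """\
Main Table Statistics:

cache internal:
current active connections:                0
connections created:                       0    failed:            0
connections updated:                       0    failed:            0
connections destroyed:                     0    failed:            0

cache external:
current active connections:               10
connections created:                     888    failed:            0
connections updated:                     134    failed:            0
connections destroyed:                   878    failed:            0

multicast traffic (active device=eth0):
              234184 Bytes sent               907504 Bytes recv
               14663 Pckts sent                21495 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
"""

# Constructed degraded standby output (hypothetical): the external cache is
# three entries short and three multicast sync messages were lost.
DEGRADED_STANDBY = re.sub(r"(cache external:\ncurrent active connections:\s+)10",
                          r"\g<1>7", STANDBY_STATS).replace("0 Lost msgs", "3 Lost msgs")


def parse_stats(text):
    """Parse 'show conntrack-sync statistics' output into a nested dict."""
    stats = {"internal": {}, "external": {}, "multicast": {}, "tracking": {}}
    section = None
    for line in text.splitlines():
        if m := re.match(r"cache (internal|external):", line):
            section = m.group(1)
        elif line.startswith("traffic processed"):
            section = "traffic"  # counters not needed for the sync check
        elif line.startswith("multicast traffic"):
            section = "multicast"
        elif line.startswith("message tracking"):
            section = "tracking"
        elif section in ("internal", "external"):
            if m := re.match(r"current active connections:\s+(\d+)", line):
                stats[section]["active"] = int(m.group(1))
            elif m := re.match(r"connections (\w+):\s+(\d+)\s+failed:\s+(\d+)", line):
                stats[section][m.group(1)] = int(m.group(2))
                stats[section][m.group(1) + "_failed"] = int(m.group(3))
        elif section == "multicast":
            # e.g. "868780 Bytes sent  224136 Bytes recv" / "0 Error send  0 Error recv"
            if m := re.match(r"\s*(\d+) (Bytes|Pckts|Error) (?:sent|send)\s+(\d+) \2 recv", line):
                unit = m.group(2).lower()
                stats["multicast"][unit + "_sent"] = int(m.group(1))
                stats["multicast"][unit + "_recv"] = int(m.group(3))
        elif section == "tracking":
            if m := re.match(r"\s*(\d+) Malformed msgs\s+(\d+) Lost msgs", line):
                stats["tracking"] = {"malformed": int(m.group(1)), "lost": int(m.group(2))}
    return stats


def check_sync(active, standby):
    """Return a list of problems; an empty list means the pair looks healthy."""
    problems = []
    a_int, s_ext = active["internal"]["active"], standby["external"]["active"]
    if a_int != s_ext:
        problems.append(f"active internal={a_int} but standby external={s_ext}")
    for name, st in (("active", active), ("standby", standby)):
        for k in ("malformed", "lost"):
            if st["tracking"].get(k, 0):
                problems.append(f"{name}: {st['tracking'][k]} {k} msgs")
        for k in ("error_sent", "error_recv"):
            if st["multicast"].get(k, 0):
                problems.append(f"{name}: multicast {k}={st['multicast'][k]}")
        for cache in ("internal", "external"):
            for k, v in st[cache].items():
                if k.endswith("_failed") and v:
                    problems.append(f"{name}: {cache} cache {k}={v}")
    return problems


if __name__ == "__main__":
    active = parse_stats(ACTIVE_STATS)
    for label, text in (("healthy", STANDBY_STATS), ("degraded", DEGRADED_STANDBY)):
        print(label, check_sync(active, parse_stats(text)) or ["OK"])
```

A non-empty result on a live pair usually points at the multicast path (wrong `interface`, a `mcast-group` blocked between the routers) or at queue sizes too small for the event rate, which shows up as lost messages; rerun the check a few seconds apart, since the counts move while connections are created and destroyed.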