sync-connection-tracking=yes

1. MikroTik uses its own proprietary protocol for connection syncing. Therefore, both routers must be MikroTik.
2. Both routers must be running the same version of RoutersOS v7 (e.g., 7.1beta2).
3. While VRRP allows multiple backup routers, the connection syncing protocol supports only one (i.e., there must be only two routers: one master + one backup).
4. VRRP Preemption Mode must be disabled (preemption-mode=no).
5. The connection syncing protocol uses IPv4 for the internal data channel. In case of IPv6 (v3-protocol=ipv6), remote-address is mandatory.
6. In case of IPv4, remote-address is optional, however, recommended (reduces VRRP latency).

If VRRP is up and running, then in most cases, simply setting

Code: Select all

sync-connection-tracking=yes

on both ends should do the trick: VRRP master syncing its connection with the backup router.

Some useful info / limitations:

1. MikroTik uses its own proprietary protocol for connection syncing. Therefore, both routers must be MikroTik.
2. Both routers must be running the same version of RoutersOS v7 (e.g., 7.1beta2).
3. While VRRP allows multiple backup routers, the connection syncing protocol supports only one (i.e., there must be only two routers: one master + one backup).
4. VRRP Preemption Mode must be disabled (preemption-mode=no).
5. The connection syncing protocol uses IPv4 for the internal data channel. In case of IPv6 (v3-protocol=ipv6), remote-address is mandatory.
6. In case of IPv4, remote-address is optional, however, recommended (reduces VRRP latency).

Yeah... I know about the "possibilities" or "options" for centralized management...
but are there any "suggested"/Recommended "product/solution" for that purpose?

I know about for ex Unimus and some other similar products and the TR-69 (Genie-ACS...) options... but it seems to me that's oriented more to "collecting configurations" than "managing" especially some HA (paired) setups.
Correct me if I'm wrong... or even better, suggest some "actual" solution.

Thanks!

Regards,

Is it possible to sync connection tracking state in an active/active setup?
I like to peer via BGP with my upstream provider, so i like to have two active bgp sessions and so on to route the traffic from WAN to LAN where the traffic arrives. So there is a possibility of asymmetric routing. Because of that, syncing the connection tracking tables is important.

Nice... someone is actually *reading this*...

Great! I really hope the 7.1 will hit "production" soon and that config sync will follow soon...

Mikrotik "clusters" would be *FANTASTIC* after all this years and a requirement for "enterprise" deployments.

Keep the good work you guys!

Best regards
M.C

We are considering decoupling sync connection tracking from VRRP, and make connection syncing a standalone feature that users may set up in any way they want.

(change from the default "auto" to "yes")?

 16:58:00 system,info router rebooted
 16:58:10 vrrp,info vrrp.voip-router now BACKUP
 16:58:10 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:10 vrrp,warning UDP send error (101) - Network unreachable
 16:58:10 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
 16:58:11 vrrp,warning UDP send error (101) - Network unreachable
 16:58:12 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
 16:58:13 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
 16:58:15 vrrp,info vrrp.voip-router stop CONNTRACK
 16:58:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:16 system,info,account user rack logged in from 185.58.28.171 via winbox
 18:00:10 system,info,account user rack logged in from 185.58.28.171 via local

Active-Active is possible with linux conntrackd userspace client without any issues: https://conntrack-tools.netfilter.org/m ... ml#sync-aa

is this the Mellanox extension (MAGP) or a completely separate linux implementation with similar functionality?

Hi.
should I set the synchronization on each VRRP interface or is it enough on one?

If multiple VRRP interfaces are grouped together, enable sync on the group-master.

You need to set sync-connection-tracking=yes only on one VRRP interface (on both ends). If multiple VRRP interfaces are grouped together, enable sync on the group-master.

You need to set sync-connection-tracking=yes only on one VRRP interface (on both ends). If multiple VRRP interfaces are grouped together, enable sync on the group-master.

So only sync-connection-tracking=yes on group-master. Other VRRP in the group dont need to

Just to make sure that I've understood this thread correctly - I have two RB5009s with VLANs in VRRP configuration. I've enabled pre-emptive mode for all the VRRP interfaces, set one of the VLAN VRRPs as the Group Master, and then enabled Sync.Connection Tracking on the Group Master interface on both routers. Is this is indeed allowed and correct according to what I have read?

Just to make sure that I've understood this thread correThe reason I ask is that as I conduct fail over tests by removing the trunk cable from my primary router, I am able to cycle once or twice before I then see a vrrp warning message in my log that says: CTSYNC link down. At this point, the backup router never transitions from master to backup nor does my primary take over as master. It's almost as if the sync communication between the two routers dies. If I disable the Sync. Connection Tracking on the backup router, this issue seems never to occur and I am able to fail over back and forth many times with no issues. Happy to post configs but wanted to see if anyone else (or Mikrotik staff) had observed the same issue.