VRRP failover

andrewluck · Tue Jun 15, 2010 1:18 pm

I'm setting up a pair of routers on RB450Gs as a high availability VPN server. Each router has two active interfaces that participate in VRRP interfaces.

Failover of the individual VRRP interfaces is fine and a complete router failure is handled OK with both vitual IP addresses ending up on the backup unit. The problem arises with a single interface failure. Only one of the interfaces is failed over.

So far, I've tried to address this with scripting using the On-Backup and On-Master triggers but on the master interface the VRRP status stays as Master when the interface is disconnected so the On-Backup script never runs.

Can anyone offer any guidance on this? My current scripts are as follows:

[admin@Backup] /system script> pr
Flags: I - invalid 
 0   name="VRRP-Backup" owner="admin" policy=ftp,read,write,winbox 
     last-started=jun/15/2010 09:18:21 run-count=15 
     source=
       :global tmp;:global t;:global iface;
       :foreach i in=[/int vrrp get [find backup=yes]] do={
         /int vrrp {
           :foreach e in=[find master=yes] do={
             :set iface [get $e interface]
             /interface disable [/inter find name=$iface]
             }
           }
         }

 1   name="VRRP-Master" owner="admin" policy=ftp,read,write,winbox 
     last-started=jun/15/2010 09:15:26 run-count=24 
     source=
       :global tmp;:global t;:global iface;
         /int vrrp {
           :foreach e in=[find invalid=yes] do={
             :set iface [get $e interface]
             /interface enable [/interf find name=$iface]
             }
           }

Cheers

Andrew

janisk · Tue Jun 15, 2010 2:45 pm

hmm, if you have VRRP on each side, you have to turn off interface is one of interfaces from master goes to backup

gdorm · Tue Jun 15, 2010 4:25 pm

Are the int bonded or they are in different subnets?

andrewluck · Tue Jun 15, 2010 7:25 pm

Hi Janisk

The problem I have is the Master never goes to backup when the parent interface stops running.

Interfaces on each side of the router are in different subnets.

Cheers

Andrew

gdorm · Tue Jun 15, 2010 7:48 pm

http://wiki.mikrotik.com/wiki/Manual:VRRP-examples

Did you check it ?

andrewluck · Tue Jun 15, 2010 8:28 pm

Did you check it ?

Yes & the VRRP RFC. It's a little vague on what should happen if the parent interface goes down.

gdorm · Tue Jun 15, 2010 9:41 pm

Hmmm yeah i will give it a try between two RB1000 this days and see what will happen.Can you tell or draw me how to reproduce it to be exact?

andrewluck · Wed Jun 16, 2010 2:20 pm

Thanks for the offer of help. Much appreciated.

Master config

/interface vrrp
add arp=enabled authentication=simple comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=Internet on-backup=VRRP-Backup on-master=\
    VRRP-Master password=****** preemption-mode=yes priority=254 vrid=1
add arp=enabled authentication=simple comment="" disabled=no interface=ether5 \
    interval=1 mtu=1500 name=LAN on-backup=VRRP-Backup on-master=VRRP-Master \
    password=****** preemption-mode=yes priority=254 vrid=2

Backup config

/interface vrrp
add arp=enabled authentication=simple comment="" disabled=no interface=ether5 \
    interval=1 mtu=1500 name=LAN on-backup=VRRP-Backup on-master=VRRP-Master \
    password=****** preemption-mode=yes priority=100 vrid=2
add arp=enabled authentication=simple comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=Internet on-backup=VRRP-Backup on-master=\
    VRRP-Master password=****** preemption-mode=yes priority=100 vrid=1

If you require any more information then let me know

Cheers

Andrew

janisk · Wed Jun 16, 2010 2:39 pm

and how look your up/down scripts?

andrewluck · Wed Jun 16, 2010 4:31 pm

and how look your up/down scripts?

At the top of this thread.

gdorm · Thu Jun 17, 2010 2:26 pm

I just tested it it works fine on RB1000 4.10.Flag RM goes to flag M after RM int fail on Master and on Backup B goes to RM! After int restore on master flag M goes to RM and on backup flag RM goes to B.

Check your ip connectivity!It's very likely that the problem is on your ip config,check the pings!

God speed

gdorm · Thu Jun 17, 2010 2:34 pm

BTW this is not a good setup for VPN redundacy,because ot the routing issue which you will have if the internet link fails and the local not on the master!!!The vpn tunnes from internet will be restablished on the backup but it's local int will be in backup state so no routing there from the internal nets !

Some redundancy can be achieved with bonding the interfaces with two eth each , the only drawbacks of this would be the power supply on the router and the loss of ability to loadshare the vpns bw the two.... would be nice if i had two on the RB1000 i would gladly pay for an extra which would not be so expessive but don't know why mikrotik didn't include second one!?

God speed

andrewluck · Thu Jun 17, 2010 8:38 pm

>>Flag RM goes to flag M after RM int fail on Master and on Backup B goes to RM! After int restore on master flag M goes to RM and on backup flag RM goes to B.

Agreed. That's exactly what mine does.

As you say, you need to ensure that both master's are on the same router. To do this you use a script. Two script triggers are provided 'On-Backup' and 'On-Master'. The problem is; on the higher priority master, the On-Backup script is never run because the router never becomes a backup, it's merely a non-running master as you have observed.

Kind regards

Andrew

gdorm · Thu Jun 17, 2010 8:54 pm

I just hit some strange behavour on inital config thigs are working but when i restarted the routers bouth are masters ???? Very strange and cannt make them select the backup!?

gdorm · Thu Jun 17, 2010 10:07 pm

Strange Strange Strange !?!?!? With same priority vrrp choose which one to be master which is OK and things seem to be working! But setting differenet prioritys on two vrrps on same router things don't work ???

Try with same PR

P.S. Just opened a new topic about this i thing it's a serous bug!?

http://forum.mikrotik.com/viewtopic.php?f=2&t=42635

God speed

andrewluck · Mon Jun 21, 2010 10:41 pm

Interesting.

My priorities on each vrrp instance on the same router are the same.

Kind regards

Andrew

andrewluck · Sun Mar 20, 2011 4:37 pm

I need to bump this thread as I still haven't found a solution to the problem of synchronising the state of multiple vrrp interfaces on a single router. With Vyatta I get the option to place vrrp interfaces into a group which will achieve this. Is there something that will do the same thing for RouterOS?

Regards

Andrew

janisk · Mon Mar 21, 2011 9:26 am

you can do additional stuff with VRRP on event that inteface becomes master or backup with corresponding scripting fields on-backup and on-master

andrewluck · Mon Mar 21, 2011 12:43 pm

If you check back to my first post in this thread you can see my attempt at scripting. However, I never managed to get this script working and was looking for some guidance.

Regards

Andrew

janisk · Thu Mar 24, 2011 9:18 am

when i used to test vrrp there where 2 options:
1st - disable other VRRPs to make sure that on other end vrrp would become masters (do not like this option much)
2nd - lower priority so other device become master and one on the router becomes backup.

andrewluck · Thu Mar 24, 2011 12:41 pm

Thanks for the tip. Sounds a lot better than disabling things. I'll look at reworking the scripts.

Regards

Andrew

andrewluck · Sat Mar 26, 2011 2:09 pm

Spent a while re-working this to use changing priorities to control the master/backup relationships with some success.

The main problem I'm left with is this: Changing the priority on a vrrp instance where the router is the master causes the router to drop to backup for a short while. This occurs even when the backup router has a lower priority. This causes the backup router to assume the master role, triggering it's on-master script. The result is instability with the master/backup roles swapping unnecessarily.

Current testing is with v5rc11.

Andrew

naskoblg · Mon Apr 04, 2011 12:26 am

You can test with netwatch script:

add comment to vrrp interface: like: "gateway-vrrp"
set vrrp priority on secondary router to 100

on primary one
create two scripts:
vrrp-master:
/interface vrrp set [/interface vrrp find vrid=49] priority=250 find comment="gateway-vrrp"];

vrrp-slave:
/interface vrrp set [/interface vrrp find vrid=49] priority=10 find comment="gateway-vrrp"];

andrewluck · Sat Apr 09, 2011 6:25 pm

Thanks for the post but I don't see how that's going to help me.

Both HSRP and other implementations of VRRP offer the ability to track another interface. At the moment it would appear that this function is not reproducible with scripting.

Andrew

naskoblg · Mon Apr 11, 2011 8:31 pm

Hello andrewluck,
I want to implement mikrotik OVPN server in "cluster" mode - Active/Standby using VRRP, using two ISPs
I already have working OVPN client confuguration using two RB750G with two ISPs.
Can you please give me some hints about OVPN server part or if you have some global view for the issues that I may face.

Tetrafluoroethane · Fri Jun 24, 2011 10:59 pm

Might I suggest a much simpler solution? Use 2 switches and dedicate 1 to each MikroTik. Make sure your WAN and LAN links for each MikroTik go to a separate VLAN (call them VLAN-WAN and VLAN-LAN). In the end VLAN-WAN will have 3 ports and VLAN-LAN will have at least 2 (and probably the rest of your switch ports). Add a cable between each switch on each VLAN. Add your provider's links to the VLAN-WAN on each switch. This addresses your problem by:

WAN1 link failure:
- MikroTik 1 stil has a path to your provider through WAN2 by forwarding packets through your secondary switch.

MikroTik1 failure:
- MikroTik 2 takes over on both interfaces.

Switch 1 failure:
- MikroTik 1 is effectively isolated from the network so MikroTik 2 takes over on both LAN and WAN VRRP interfaces.

The downside is you need 2 managed switches and this assumes your provider is giving you Ethernet links. It also assumes your provider is presenting you with a single gateway address across both links.

WARNING: Ensure you have SpanningTree properly configured! Depending on your provider's configuration you may be creating a loop on the WAN side of your network since you have a link between your switches on the VLAN-WAN. Your provider likely already has SpanningTree configured, but I am sure they would not appreciate a broadcast storm due to your network.

andrewluck · Mon Jul 04, 2011 6:11 pm

I can't see that this will work. Are you suggesting this instead of VRRP?

If so, in normal operation I would have duplicate IP addresses on both WAN & LAN interfaces.

Andrew

Tetrafluoroethane · Thu Jul 07, 2011 9:46 pm

No. This is instead of trying to script both interfaces into synchronization. Use VRRP and let your underlying network structure take care of the problem. This is my configuration and I assure you it performs perfectly.

andrewluck · Fri Jul 08, 2011 12:07 am

OK. I see what you're trying to do. It won't work for me because I'm only getting one feed from my ISP.

Andrew

siel · Sun Aug 28, 2011 9:13 pm

Hello,

how far did you come now with the failover ? Mikrotik should really program some features for failover (state sync, firewall configuration sync... it shouldn't be that difficult, after all what has been done).

and about the vrrp failover, i've made a little different approach, i did all the scripting on slave.

I assumed that after interface fail on master, slave will become master for the failed lan, so I've coded the script in a way that activates on-master, additionally checking if the interface is really up.

So if one interface on the slave becomes a master and if that interface is running (ethernet connected), it should be good evidence that the real master has failed, then I raise priorities on all interfaces on slave box, which should take the master status from other interfaces still running on master.

it's not the best solution, but it's one...

script should look something like this:

:global master
:set master 0
:foreach e in=[/int vrrp find master=yes] do={
   :if ([/interface get [/interface vrrp get $e interface] running] = true) do={
     :set master 1
   }
}

:if ($master = 1) do={
   /tool e-mail send to="admin@company.com" subject="Mikrotik failover triggered !!"
   :foreach e in=[/int vrrp find] do={
     /int vrrp set $e priority=250
   }
}

ibisgroup · Tue Sep 27, 2011 9:48 pm

Hi

I have 2 routers running 2 vrrps (one on the inside and one on the outside) as described above and would like that if one vrrp flips, both vrrps flip. I have tested the script above and I am having this problem.

things done to simulate a fault

1) unplugged cable of outside vrrp of Master router
2) Backup router outside vrrp gets promoted to master
3) script runs and sets the priority on the backup (both vrrps) from 100 to 250 as it should
4) problem arises (Vrrp start to flip Master to backup all the time). If I remove the script from the backup (after the whole sequence), it stops flipping.

Could it be that the script keeps running on and on again sending the vrrp to initial state as described in the documentation forcing an election?

If this is the case, is there a way to force the script to run only once?

Regards
Chris

peydude · Sat Nov 05, 2011 2:27 am

andrewluck,

Were you ever able to successfully implement this? I needed a similar setup for implementing plain failover routing (not vpn) and I have done it using the following strategy:

- I have no scripts on the master router:

[admin@master] > /interface vrrp print detail
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0  RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=WAN vrid=49 priority=200
       interval=1s preemption-mode=yes authentication=none password="" on-backup="" on-master="" version=2
       v3-protocol=ipv4

 1  RM name="vrrp2" mtu=1500 mac-address=00:00:5E:00:01:32 arp=enabled interface=LAN vrid=50 priority=200 interval=1s
       preemption-mode=yes authentication=none password="" on-backup="" on-master="" version=2 v3-protocol=ipv4

- On the backup router I have the following setup:

[admin@backup] > /system script print 
Flags: I - invalid 
 0   name="vrrp-master" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api 
     last-started=jan/02/1970 18:55:39 run-count=227 source=
       :foreach e in=[/int vrrp find backup=yes] do={
             /int vrrp set $e priority=250
          }

 1   name="vrrp-backup" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api 
     last-started=jan/02/1970 18:59:28 run-count=9 source=
       :foreach e in=[/int vrrp find master=yes] do={
            /int vrrp set $e priority=150
          }

[admin@backup] > /interface vrrp print detail 
Flags: X - disabled, I - invalid, R - running, M - master, B - backup 
 0   B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=WAN vrid=49 priority=150 interval=1s 
       preemption-mode=yes authentication=none password="" on-backup=vrrp-backup on-master=vrrp-master version=2 v3-protocol=ipv4 

 1   B name="vrrp2" mtu=1500 mac-address=00:00:5E:00:01:32 arp=enabled interface=LAN vrid=50 priority=150 interval=1s 
       preemption-mode=yes authentication=none password="" on-backup=vrrp-backup on-master=vrrp-master version=2 v3-protocol=ipv4

When one of the interfaces on the master goes down (either on the router itself or the ethernet switch) the corresponding interface on the backup router becomes master at which time its on-master script kicks in and increases the priority on the other interface of the backup router. This makes the backup router the new master.

Note that I only increase the priority of one of the interfaces in the on-master script. So when the master router's troubled interface is restored it forces the backup router to go back to its original state.

Things worth noting:

1. I was only able to get this working when the vrrp version was set to 2 not 3.

2. I am using the latest stable firmware on the RB450G which at the time of this post is 5.8

3. My switch (Cisco 2960) complained about the vrrp mac appearing on two interfaces. This happens when the routers are both in master mode and are trying to negotiate their status until one becomes backup. This might be worth noting if you use a managed switch. If your switch blocks traffic on any of the ports because it sees the same mac multiple ports then this could be break the communication between your routers thus preventing vrrp from functioning correctly.

4. My switch ports are setup as edge ports (no spanning-tree delays) so they go into forwarding mode as soon as they are activated

odge · Tue Dec 11, 2012 5:56 pm

Might I suggest a much simpler solution? Use 2 switches and dedicate 1 to each MikroTik. Make sure your WAN and LAN links for each MikroTik go to a separate VLAN (call them VLAN-WAN and VLAN-LAN). In the end VLAN-WAN will have 3 ports and VLAN-LAN will have at least 2 (and probably the rest of your switch ports). Add a cable between each switch on each VLAN. Add your provider's links to the VLAN-WAN on each switch. This addresses your problem by:

WAN1 link failure:
- MikroTik 1 stil has a path to your provider through WAN2 by forwarding packets through your secondary switch.

MikroTik1 failure:
- MikroTik 2 takes over on both interfaces.

Switch 1 failure:
- MikroTik 1 is effectively isolated from the network so MikroTik 2 takes over on both LAN and WAN VRRP interfaces.

The downside is you need 2 managed switches and this assumes your provider is giving you Ethernet links. It also assumes your provider is presenting you with a single gateway address across both links.

WARNING: Ensure you have SpanningTree properly configured! Depending on your provider's configuration you may be creating a loop on the WAN side of your network since you have a link between your switches on the VLAN-WAN. Your provider likely already has SpanningTree configured, but I am sure they would not appreciate a broadcast storm due to your network.

Hi, thanks for this, its a good idea.

I was trying to work out, my ISP is saying they cannot support STP (What?).
If I have two switches, with STP configured, will they at least between themselves intelligently not create a loop?

kenknight · Tue Mar 26, 2013 2:56 am

Hi all,

I too am working on this issue and have found the same issue where if a single interface fails, it doesn't flip over to the backup properly. I created a work around for this by creating a netwatch object that pings the gateway address every 3 seconds and if it fails, it will turn off the LAN interface which then causes the flip to take place.

I tried the scripts above on the backup router and they appear to only work when the LAN would go down. If the WAN went down, it didn't flip. Here is the backup router info prior to removing the "On Master" and "On Backup" scripts.

[admin@MikroTik] > /int vrrp print detail
Flags: X - disabled, I - invalid, R - running, M - master, B - backup 
 0   B name="vrrp1-wan" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled interface=ether1-gateway vrid=1 
       priority=100 interval=1s preemption-mode=yes authentication=none password="" on-backup="vrrp-backup" on-master="vrrp-master" 
       version=2 v3-protocol=ipv4 

 1  RM name="vrrp2-lan" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled interface=bridge-local vrid=1 
       priority=100 interval=1s preemption-mode=yes authentication=none password="" on-backup="vrrp-backup" on-master="vrrp-master" 
       version=2 v3-protocol=ipv4 
	   
	   
2   name="vrrp-master" owner="admin" 
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api 
     last-started=mar/25/2013 19:32:29 run-count=16 source=
       :foreach e in=[/int vrrp find backup=yes] do={
                    /int vrrp set $e priority=250
                 }

 3   name="vrrp-backup" owner="admin" 
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api 
     last-started=mar/25/2013 19:30:56 run-count=10 source=
       :foreach e in=[/int vrrp find master=yes] do={
                   /int vrrp set $e priority=150

I checked and the scripts are firing, but I believe the issue is that the vrrp1-wan adapter has an RM flag regardless of the priority. If anybody has any suggestions on what I might be doing wrong I'd greatly appreciate it. Of if you think the netwatch is a proper method without causing undue traffic.

Also, a quick question... why are you unable to access the physical ip address assigned to the router with WinBox. How do you manipulate secondary routers without pulling them offline and working on them?

Thanks,
Ken

francois · Mon Dec 23, 2013 2:56 pm

Hi Guys

Just to add to this thread. I have used the scripts that was added by peydude (thanks

). But I needed some error checking built in as there are a few shortcomings. For instance. If an interface on the backup goes down , that vrrp interface goes into master and runs on-master script and causing all other interfaces to become master...not good.

Another issue I had was that each vrrp interface runs the same script even when it doesn't need to. So this is my solution. I hope someone can use it. This is on the backup router on the "on-master" script

:if ([/interface vrrp get [find name="vrrp-interface"] priority]=150) do={
:if ([/interface ethernet get [find name="ethernet interface"] running]=true) do={
/system script run vrrp-master}}

nucleon · Wed Mar 19, 2014 12:07 pm

I will try to offer its own version ...
a script on the main router, runs every 30 seconds. (possibly can and more ..)

:if [/int ethernet get ether3-slave-local running] do={
:if [/int ethernet get ether4-slave-local running] do={
:if ([/interface vrrp get vrrp1 priority] =50) do={/interface vrrp set priority=150 preemption-mode=yes numbers=vrrp1}
:if ([/interface vrrp get vrrp2 priority] =50) do={/interface vrrp set priority=150 preemption-mode=yes numbers=vrrp2}
} else {
/interface vrrp set priority=50 preemption-mode=yes numbers=vrrp1
/interface vrrp set priority=50 preemption-mode=yes numbers=vrrp2
}
} else {
/interface vrrp set priority=50 preemption-mode=yes numbers=vrrp1
/interface vrrp set priority=50 preemption-mode=yes numbers=vrrp2
}

ask to comment on this option, I do not see a problem with him

d0glesby · Sun Feb 22, 2015 8:46 am

Might I suggest a much simpler solution? Use 2 switches and dedicate 1 to each MikroTik. Make sure your WAN and LAN links for each MikroTik go to a separate VLAN (call them VLAN-WAN and VLAN-LAN). In the end VLAN-WAN will have 3 ports and VLAN-LAN will have at least 2 (and probably the rest of your switch ports). Add a cable between each switch on each VLAN. Add your provider's links to the VLAN-WAN on each switch. This addresses your problem by:

WAN1 link failure:
- MikroTik 1 stil has a path to your provider through WAN2 by forwarding packets through your secondary switch.

MikroTik1 failure:
- MikroTik 2 takes over on both interfaces.

Switch 1 failure:
- MikroTik 1 is effectively isolated from the network so MikroTik 2 takes over on both LAN and WAN VRRP interfaces.

The downside is you need 2 managed switches and this assumes your provider is giving you Ethernet links. It also assumes your provider is presenting you with a single gateway address across both links.

WARNING: Ensure you have SpanningTree properly configured! Depending on your provider's configuration you may be creating a loop on the WAN side of your network since you have a link between your switches on the VLAN-WAN. Your provider likely already has SpanningTree configured, but I am sure they would not appreciate a broadcast storm due to your network.

I'm curious to know more about the details of this setup. I'm working on improving our networking situation in a datacenter, and have a pair of Mikrotiks I'd like to put in a redundant mode using this method. I have the hardware in place, (dual switches, dual ethernet uplinks, dual Mikrotiks), but ran into issues with spanning-tree on the initial turn-up. How do you have your spanning-tree set up on the switches for this configuration?

VRRP failover

VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Re: VRRP failover

Who is online