MikroTik

I had a case where a customer lost network. It turned out that both the routers had the WAN-address enabled, and of course this made trouble. Rebooting the customers routers solved the problem.

This customer have two RB450g running ROS 4.14.
They have one VRRP on the lan side, and rely on the on-backup / on-master scripts to enable/disable the ip address on the wan side.

Next week I'll setup some quite advanced routing for another customer, so I've configured their RB1100AHx2's and currently I'm testing them out in a test environment. These routers are currently running ROS 5.19.

Now it turns out that these router frequently are not running the on-backup script when VRRP state changes from "RM" to "B". I've tested out various kinds of scripts, and at some point the script fail to run. It's not like the commands in the script fail - the script is just not being initiated when the state changes. Out of my about 30 failover tests the script has failed to run about 8 times.

So, as one cannot rely on the scripts to enable/disable the WAN IP address, what would be the best practice to setup VRRP to switch both LAN and WAN ip's?

I also run quite complex scripts on VRRP up and down events and so far haven't had a problem yet.

If you can replicate the problem exactly (as you said that 8/30 scripts runs fail) contact support with the support.rif files from both routers and steps to replicate the problem, they should be able to help.

I did a new test of vrrp on two brand new RB2011, ROS 5.20

From the default settings I did these changes to the settings:
Master Standby: Now I connected them together with a cable in ether5 on both.
Then I connected a pc to ether4 on each of them and watched status in winbox.

Then I tried various ways to make them fail:
Power off the master - wait 30 sec and power it back on. Repeated 10 times - no failure

Power off the master - and imidiatly power it back on. Repeated 10 times - 1 failure for the slave to run on-master script

Unplug the cable between the routers - wait until winbox show status M on both and plug back in. - Repeated 20 times - no failure

Set priority=250 of vrrp on the slave to make them swap roles. I then repeated the tests above on the new master (the one that started out as slave) - no failures

Set priority=150 of vrrp on the slave to make them swap roles again.

Power off the master - wait 30 sec and power it back on. Repeated 10 times - no failure

Power off the master - and imidiatly power it back on. Repeated 10 times - no failure

Unplug the cable between the routers - wait until winbox show status M on both and plug back in. - slave fail to run on-master script EVERY TIME!

Set priority=250 of vrrp on the slave to make them swap roles again.
Results turned out to be the same as above - the new slave fail to run on-master when cable is unplugged

Set priority=251 of vrrp on the slave (the one that started out as master) to make them swap roles again.
Then I repeated the tests, and now they didn't fail at all.


So all I can conclude is that there is some unexpected behavior when it comes to running the on-master/on-backup scripts.

How can it be that I'm the only to experience this? As I've now experienced this on ROS 4.14, ROS 5.19 and ROS 5.20, so there should be plenty of others doing vrrp during this time. And I've only setup VRRP three times. That means I've experienced this on all my setups!

There must be something I'm doing wrong with the vrrp setup?

ip addresses on interfaces that are running vrrp should be reachable between themselves. As that is the way how they can communicate. Multicast packet has to have source address.

You think I rather should have done this?
/ip address add address=192.168.2.1/24 interface=vrrp1

That was my first attempt, and as I discovered problems, and all examples I found were using /32, I changed to /32. In both cases I run into these kind of problems.

(Maybe I misunderstood what you explained.)

vrrp interface has to have /32 address assigned.

interface by itself should have working Ip address.

If I get you right that was done by the following:

Master

Code: Select all

...
/ip address add address=192.168.2.2/24 interface=ether5
...

Slave:

Code: Select all

...
/ip address add address=192.168.2.3/24 interface=ether5
...

Now I connected them together with a cable in ether5 on both.
...

One more thing I've realized: if the vrrp interface has a /32 address, the arp of various devices (inkluding other RB's) does not update. For my test I'm using a RB750 as a switch on the LAN side between my pc and the two rb1100's. Even if I manually delete the vrrp address from the arp table of the RB750 after master router has lost power, it returns to the ARP table with the mac address of the master router. I need to manually enter the mac of the backup router in order for the rb750 to send packets to the backup router.

If I assign a /24 address to the vrrp interface, this is not showing up as an issue.

What is the drawback of assigning /24 address to the vrrp interface? (So far I haven't found any.)

IN my tests (not strictly on vrrp, but on a configuration of IPsec over vrrp) it seems that "on backup" is executed only when the interfaces becomes backup from a master state, and not from init state. At reboots or configuration changes no script is executed if the interface go from init state to backup. I tried this on 5.22 and previous, and there is nothing about this on 5.23 changelog.

In any case, it would be interesting to have and "on init" script, cause I am running a quite complex configuration (http://forum.mikrotik.com/viewtopic.php?f=2&t=69511) that needs script executions to function.
At least a checkbox to say "execute on-backup when going to init state"... would be sufficient.

I've solved the startup issue this way:

I've scheduled the following to run on startup: The script vrrpCheck basically runs the onBackup, then waits for a while before it checks if there is any vrrp master interfaces. If there is, it runs onMaster. The script looks like this: vrrp interface is defined to run the scripts onMaster and onBackup scripts on the events.
And I have the scrips onMaster and onBackup that performs what I want them to do.