Why is the Virtual IP (VIP) assigned to both keepalived servers (master and backup nodes) in RHEL when firewalld is enabled?
Environment
- Red Hat Enterprise Linux (RHEL) 7
- Red Hat Enterprise Linux (RHEL) 8
- Red Hat Enterprise Linux (RHEL) 9
- iptables / firewalld
Issue
- Why does the VIP get assigned to both keepalived servers (master and backup)?
- Both keepalived nodes show the MASTER state and hold the VIP.
Resolution
In a High Availability (HA) setup using Keepalived, both the master and backup servers are configured with the same virtual IP (VIP) for redundancy and failover purposes. The purpose of configuring the VIP on both servers is to ensure seamless failover in case one of the servers becomes unavailable.
The VIP is held by the master server, which handles incoming traffic. The backup server monitors the master's status. If the master server fails or becomes unavailable for any reason, the backup server detects this failure through monitoring and takes over the VIP, ensuring continuity of service. This is achieved through the Virtual Router Redundancy Protocol (VRRP), which keepalived utilizes.
To ensure that only one node in your keepalived cluster is able to hold the VIP at a time, you need to allow VRRP traffic through the firewall. The master announces itself with VRRP advertisements (IP protocol 112, sent to the multicast group 224.0.0.18). If the firewall drops these advertisements, the backup never hears the master, concludes that it is down, promotes itself to MASTER and adds the VIP as well, so both nodes end up holding the same address.
If the firewall is running on the system, use the commands below to allow the VRRP protocol in the firewall rules on both (master and backup) nodes:
# firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
# firewall-cmd --reload
Diagnostic Steps
- Master node:
[root@node01 ~]# ip a
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:00:00:00:00:aa brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global noprefixroute enp1s0
valid_lft forever preferred_lft forever
inet 10.0.0.20/32 scope global enp1s0
valid_lft forever preferred_lft forever
- Backup Node:
[root@node02 ~]# ip a
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:00:00:00:00:bb brd ff:ff:ff:ff:ff:ff
inet 10.0.0.6/24 brd 10.0.0.255 scope global noprefixroute enp1s0
valid_lft forever preferred_lft forever
inet 10.0.0.20/32 scope global enp1s0
valid_lft forever preferred_lft forever
- VRRP protocol not added to the firewall rules on either node (node01 / node02):
[root@node01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client http ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@node02 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client http ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
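The following POSIX shell script is an added example and is not part of the Red Hat article. It parses saved "firewall-cmd --list-all" and "ip a" output (constructed samples matching the outputs above) to report the two symptoms this article describes: the VIP held by more than one node, and a firewalld zone that does not accept VRRP.

```shell
#!/bin/sh
# Added example, not from the article: offline split-brain check that parses
# saved "firewall-cmd --list-all" and "ip a" output collected from each node.

# Constructed sample: zone output with no VRRP rule (the failing state above).
FW_NO_VRRP='public (active)
  services: cockpit dhcpv6-client http ssh
  protocols:
  rich rules:'

# Constructed sample: the same zone after the rich rule from the Resolution.
FW_WITH_VRRP='public (active)
  services: cockpit dhcpv6-client http ssh
  protocols:
  rich rules:
        rule protocol value="vrrp" accept'

# Constructed samples: the relevant "ip a" lines from each node.
NODE01_IP='inet 10.0.0.5/24 brd 10.0.0.255 scope global noprefixroute enp1s0
inet 10.0.0.20/32 scope global enp1s0'
NODE02_IP='inet 10.0.0.6/24 brd 10.0.0.255 scope global noprefixroute enp1s0
inet 10.0.0.20/32 scope global enp1s0'

# vrrp_allowed ZONE_TEXT: returns 0 when the zone accepts VRRP (IP protocol
# 112), either via a "protocols: ... vrrp" entry or the rich rule; 1 otherwise.
vrrp_allowed() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*protocols:.*[[:space:]]vrrp([[:space:]]|$)|rule protocol value="vrrp" accept'
}

# vip_holders VIP IP_OUTPUT...: prints how many nodes carry VIP/32.
# Exactly one is healthy; 2 means both nodes believe they are MASTER.
vip_holders() {
    vip=$1; shift
    n=0
    for out in "$@"; do
        printf '%s\n' "$out" | grep -Fq "inet ${vip}/32 " && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run against the constructed samples.
if [ "$(vip_holders 10.0.0.20 "$NODE01_IP" "$NODE02_IP")" -gt 1 ]; then
    echo "split-brain: VIP 10.0.0.20 is held by more than one node"
    vrrp_allowed "$FW_NO_VRRP" || echo "zone does not accept VRRP: add the rich rule on both nodes"
fi
```

On a real cluster, feed the functions the output of the two commands captured from each node; the counting logic is the same.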
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.