On Sat, Aug 12, 2023 at 12:52:19PM +0300, Pierre-Philipp Braun wrote:
> > Three nodes and FT-FW mode will not work. FT-FW would need to be
> > extended to maintain sequence tracking for more than one single node.
> > It is doable but this requires development effort.
> >
> > For three nodes, you should try NOTRACK, which means sync messages are
> > sent from active to passive nodes without any kind of sequence
> > tracking (best effort approach).
>
> I switched to NOTRACK UDP but I get the same issue with the commit.
>
> The inbound session is seen alright on all the nodes, although node3 (active vrrp) sees it both in internal and external cache.
> The host where the guest lives sees it only in the internal cache this time.

You should see:

- active: internal cache contains the flow that represents the SSH connection.
- backup: external cache contains the flow that represents the SSH connection.

On failover, what you see in the external cache in the backup node will be visible in the internal cache.

By "inbound session", I guess you refer to the SSH connection you use for testing, but is this an SSH connection to the guest VM? Is this DNAT to the guest VM or simply routing? Such guest VM gets migrated to the active node and the active node forwards traffic to the guest VM?

From what you write, there is no state synchronization issue with NOTRACK with three nodes.

If the connection gets lost on failover, it might also be related to your firewall policy. If the state is not yet in conntrack, NAT packets will be handled as a local packet by the router, not the guest itself, likely rejecting them with TCP RST. Dropping packets that are in invalid state is important to make sure no races occur with state injection; your basechain policy is also set to accept as default.

Please also check that you set:

/proc/sys/net/netfilter/nf_conntrack_tcp_loose

to zero to disable TCP connection tracking pickup on failover. Otherwise, conntrack creates an entry from the middle.

Moreover, you will need to drop packets in invalid state in your policy in combination with this sysctl toggle, both at input and forward chains.
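The two fixes requested in the reply (nf_conntrack_tcp_loose set to zero, plus invalid-state drops at input and forward with a non-accept base policy), put together as an added example that is not part of the thread or of conntrack-tools. Assumed values: a dedicated sync link eth2, conntrackd UDP port 3780 and SSH as the forwarded service under test; interface and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders: sync link eth2,
# conntrackd UDP port 3780, SSH (tcp/22) as the service whose failover is tested.
SYNC_IFACE="${SYNC_IFACE:-eth2}"
SYNC_PORT="${SYNC_PORT:-3780}"

# Emit the ruleset as text so it can be reviewed (or tested) before loading.
render_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # first: never let the router itself answer packets conntrack cannot place
        ct state invalid drop
        iif "lo" accept
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # VRRP (IP protocol 112) between the cluster nodes
        ip protocol 112 accept
        # conntrackd NOTRACK sync over UDP on the dedicated link
        iifname "$SYNC_IFACE" udp dport $SYNC_PORT accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # same on forward: a mid-stream packet for a flow the backup never
        # received is dropped instead of being treated as local and RST'd
        ct state invalid drop
        ct state established,related accept
        tcp dport 22 accept
    }
}
EOF
}

apply_ha_policy() {
    # 1) no mid-stream pickup: only synced (or freshly SYN'd) flows enter conntrack
    printf 'net.netfilter.nf_conntrack_tcp_loose = 0\n' \
        > /etc/sysctl.d/90-conntrackd.conf
    sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    # 2) load the input+forward policy atomically
    render_ruleset | nft -f -
}

# run as root on every node with: sh ha-policy.sh apply
if [ "${1:-}" = "apply" ]; then apply_ha_policy; fi
```

Run `sh ha-policy.sh` without arguments to only define the functions, and `sh ha-policy.sh apply` as root to install the sysctl and ruleset.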