How to launch a Keepalived server?

n00b_noob · 04-13-2021, 08:20 AM

Hello,
I used https://tecadmin.net/ip-failover-set...centos-redhat/ tutorial to configure Keepalived on two CentOS web servers:

Server 1: 192.168.56.7
Server 2: 192.168.56.8
Virtual IP: 192.168.56.110

And after it, I added below Firewalld rule:

Code:

# firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
# firewall-cmd --reload
#
# firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule protocol value="vrrp" accept

But I can't ping my Virtual IP address:

Code:

# ping 192.168.56.110
PING 192.168.56.110 (192.168.56.110) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

And cURL doesn't show anything too:

Code:

# curl -l 192.168.56.110

I used "ip addr show NIC" command and Virtual IP address is assigned to my NIC:

Code:

# ip addr show enp0s3 
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2b:47:38 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.7/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3
       valid_lft 536sec preferred_lft 536sec
    inet 192.168.56.110/32 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe2b:4738/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

But why it doesn't work? Which log files should be examined?

Thank you.

berndbausch · 04-13-2021, 08:45 AM

"operation not permitted" does not mean that the recipient blocks ICMP. It means that the sender does not allow sending ICMP packets.

I suggest searching the error message on the internet and finding a case that matches yours.

n00b_noob · 04-13-2021, 02:55 PM

Quote:

Originally Posted by berndbausch

"operation not permitted" does not mean that the recipient blocks ICMP. It means that the sender does not allow sending ICMP packets.

I suggest searching the error message on the internet and finding a case that matches yours.

Thanks.
I did a tcpdump:

Code:

# tcpdump -n -v -i enp0s3 vrrp
dropped privs to tcpdump
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:24:08.251180 IP (tos 0xc0, ttl 255, id 98, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:09.251332 IP (tos 0xc0, ttl 255, id 99, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:10.251488 IP (tos 0xc0, ttl 255, id 100, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:11.251635 IP (tos 0xc0, ttl 255, id 101, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:12.251797 IP (tos 0xc0, ttl 255, id 102, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:13.251927 IP (tos 0xc0, ttl 255, id 103, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:14.252055 IP (tos 0xc0, ttl 255, id 104, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110
00:24:15.252202 IP (tos 0xc0, ttl 255, id 105, offset 0, flags [none], proto VRRP (112), length 40)
    192.168.56.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20, addrs: 192.168.56.110

berndbausch · 04-13-2021, 06:50 PM

Quote:

Originally Posted by n00b_noob

I did a tcpdump:

I don't know how this traffic trace can help understanding the failing ping. These packets are VRRP advertisements once a second; I believe they advertise the VIP to a multicast address. Before commenting on them, I would have to research the VRRP protocol. What is 192.168.56.6, though?

I forgot to ask: Do pings to other addresses fail as well?

n00b_noob · 04-14-2021, 07:37 AM

Quote:

Originally Posted by berndbausch

I don't know how this traffic trace can help understanding the failing ping. These packets are VRRP advertisements once a second; I believe they advertise the VIP to a multicast address. Before commenting on them, I would have to research the VRRP protocol. What is 192.168.56.6, though?

I forgot to ask: Do pings to other addresses fail as well?

Sorry, it was my wrong. The correct IP address is "192.168.56.7".
No, I can ping other IP addresses.