Split brain with keepalived

Question

I have keepalived attempting to hold a vip in master/slave configuration on 2 servers.

Master config:

vrrp_script chk_haproxy {
   script "/usr/bin/killall -0 haproxy"
   interval 2
   weight 2
}

vrrp_instance NAME {
        interface ens224
        state MASTER
        virtual_router_id 70
        priority 104

        virtual_ipaddress {
            SOME_IP
        }

        track_script {
            chk_haproxy
        }

}

Slave config:

vrrp_script chk_haproxy {
   script "/usr/bin/killall -0 haproxy"
   interval 2
   weight 2
}

vrrp_instance scc_elastic {
        interface ens224
        state BACKUP
        virtual_router_id 70
        priority 103

        virtual_ipaddress {
            SOME_IP
        }

        track_script {
            chk_haproxy
        }

}

But this is causing split brain.. i.e. each one of the servers are showing the ip show up under "ip addr show" How can I prevent this from happening? I am not sure how to diagnose this. I dont have much network expertise.

I looked at the ip tables:

Chain INPUT (policy ACCEPT) target prot opt source destination

Chain FORWARD (policy ACCEPT) target prot opt source destination

Chain OUTPUT (policy ACCEPT) target prot opt source destination

No rules present.

Answer 1

1. Ensure you have the proper kernel configuration:

   sudo sysctl -p

Result:

net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.vs.conntrack = 1

2. You need to ensure vrrp traffic is getting to the slave from master e.g.

   sudo tcpdump -i ens224 host master_ip_address && proto vrrp

Result:

 14:45:25.207338 IP master_ip_address > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 101, authtype simple, intvl 10s, length

3. Ensure iptables allows VRRP and multicast except if you are using unicast:

   sudo iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT

   sudo iptables -I INPUT -p vrrp -j ACCEPT