VyOS 1.2.5 VRRP on IPSec interface issue

I’ve built VyOS 1.2 from source and am having this issue on all of the VyOS routers that I use as virtual endpoints for various networks.

The configuration there is a pair of routers with public (eth1) and private (eth0) IP addresses, both of which have VRRP enabled for HA for services.

We also have IPsec enabled on the public interface for IKEv2 site-to-site VPN connections to other routers.

A thing we have noticed is that when the VRRP on the public interface changes state, packets intended for private IP addresses go out of the public interface.

Here is the interface config:

```
high-availability {
    vrrp {
        group eth0-1 {
            advertise-interval 1
            interface eth0
            priority 32
            virtual-address 10.xx.xx.254/24
            vrid 1
        }
        group eth1-1 {
            advertise-interval 1
            interface eth1
            peer-address xx.xx.xx.34
            priority 32
            virtual-address xx.xx.xx.2/26
            vrid 2
        }
    }
}

ethernet eth0 {
    address 10.xx.xx.253/24
    duplex auto
    smp-affinity auto
    speed auto
}
ethernet eth1 {
    address xx.xx.xx.35/26
    duplex auto
    smp-affinity auto
    speed auto
}
```

Once the VRRP state changes, packets meant to go out of eth0 go out of eth1:

```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:46:09.525007 IP RouterA > 10.xx.xx.11: ICMP echo request, id 37020, seq 1, length 12
15:46:10.200648 IP RouterA > 10.xx.xx.11: ICMP echo request, id 30211, seq 29, length 64
15:46:11.224580 IP RouterA > 10.xx.xx.11: ICMP echo request, id 30211, seq 30, length 64
15:46:12.248571 IP RouterA > 10.xx.xx.11: ICMP echo request, id 30211, seq 31, length 64
```

This is reproducible by just manually changing the priority of VRRP on the public interface and changing it back again.

The weird part is that in order to fix this all I have to do is run `restart vpn` to restart the IPsec process, and packets go back to going out of the correct interfaces again.

This is on both VyOS 1.2.4 and 1.2.5.

The version of strongSwan is 5.7.2-1+vyos2

Is anyone else able to reproduce this issue?

Below is the journalctl log for the time this router was affected:

```
Oct 14 15:41:20 RouterA kernel: device eth1 entered promiscuous mode
Oct 14 15:43:45 RouterA kernel: IPv4: martian source xx.xx.xx.2 from xx.xx.xx.2, on dev eth1
Oct 14 15:43:45 RouterA kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 70 ef c1 08 06        ........]p....
Oct 14 15:43:45 RouterA kernel: IPv4: martian source xx.xx.xx.2 from xx.xx.xx.2, on dev eth1
Oct 14 15:43:45 RouterA kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 70 ef c1 08 06        ........]p....
Oct 14 15:43:45 RouterA kernel: IPv4: martian source xx.xx.xx.2 from xx.xx.xx.2, on dev eth1
Oct 14 15:43:45 RouterA kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 70 ef c1 08 06        ........]p....
Oct 14 15:43:45 RouterA kernel: IPv4: martian source xx.xx.xx.2 from xx.xx.xx.2, on dev eth1
Oct 14 15:43:45 RouterA kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 70 ef c1 08 06        ........]p....
Oct 14 15:43:45 RouterA kernel: IPv4: martian source xx.xx.xx.2 from xx.xx.xx.2, on dev eth1
Oct 14 15:43:45 RouterA kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 70 ef c1 08 06        ........]p....
Oct 14 15:43:45 RouterA Keepalived_vrrp[3646]: (eth1-1) Master received advert from xx.xx.xx.34 with higher priority 64, ours 32
Oct 14 15:43:45 RouterA Keepalived_vrrp[3646]: (eth1-1) Entering BACKUP STATE
Oct 14 15:43:45 RouterA charon[172445]: 06[KNL] xx.xx.xx.2 disappeared from eth1
Oct 14 15:43:45 RouterA bgpd[1210]: [EC 100663301] INTERFACE_ADDRESS_DEL: Cannot find IF 3 in VRF 0
Oct 14 15:43:45 RouterA charon[172445]: 15[IKE] sending address list update using MOBIKE
Oct 14 15:43:45 RouterA charon[172445]: 15[ENC] generating INFORMATIONAL request 674 [ N(NO_ADD_ADDR) ]
Oct 14 15:43:45 RouterA charon[172445]: 15[NET] sending packet: from xx.xx.xx.35[4500] to vpn.endpoint.138[4500] (76 bytes)
Oct 14 15:43:45 RouterA charon[172445]: 05[NET] received packet: from vpn.endpoint.138[4500] to xx.xx.xx.35[4500] (76 bytes)
Oct 14 15:43:45 RouterA charon[172445]: 05[ENC] parsed INFORMATIONAL response 674 [ ]
Oct 14 15:43:46 RouterA ntpd[3399]: Deleting interface #11 eth1, xx.xx.xx.2#123, interface stats: received=0, sent=0, dropped=0, active_time=16336589 secs
Oct 14 15:43:46 RouterA ntpd[3399]: peers refreshed
Oct 14 15:43:48 RouterA sudo[29967]: support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/ping 10.xx.xx.11
Oct 14 15:43:48 RouterA sudo[29967]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:44:02 RouterA sudo[29967]: pam_unix(sudo:session): session closed for user root
Oct 14 15:44:11 RouterA sudo[30083]: support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/vrrp.py --summary
Oct 14 15:44:11 RouterA sudo[30083]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:44:11 RouterA Keepalived_vrrp[3646]: Printing VRRP as json for process(3646) on signal
Oct 14 15:44:11 RouterA sudo[30083]: pam_unix(sudo:session): session closed for user root
Oct 14 15:44:28 RouterA Keepalived_vrrp[3646]: (eth1-1) received lower priority (16) advert from xx.xx.xx.34 - discarding
Oct 14 15:44:29 RouterA Keepalived_vrrp[3646]: (eth1-1) received lower priority (16) advert from xx.xx.xx.34 - discarding
Oct 14 15:44:30 RouterA Keepalived_vrrp[3646]: (eth1-1) received lower priority (16) advert from xx.xx.xx.34 - discarding
Oct 14 15:44:31 RouterA Keepalived_vrrp[3646]: (eth1-1) received lower priority (16) advert from xx.xx.xx.34 - discarding
Oct 14 15:44:32 RouterA Keepalived_vrrp[3646]: (eth1-1) Entering MASTER STATE
Oct 14 15:44:32 RouterA charon[172445]: 07[KNL] xx.xx.xx.2 appeared on eth1
Oct 14 15:44:32 RouterA bgpd[1210]: [EC 100663301] INTERFACE_ADDRESS_ADD: Cannot find IF 3 in VRF 0
Oct 14 15:44:32 RouterA charon[172445]: 15[IKE] sending address list update using MOBIKE
Oct 14 15:44:32 RouterA charon[172445]: 15[ENC] generating INFORMATIONAL request 675 [ N(ADD_4_ADDR) ]
Oct 14 15:44:32 RouterA charon[172445]: 15[NET] sending packet: from xx.xx.xx.35[4500] to vpn.endpoint.138[4500] (76 bytes)
Oct 14 15:44:32 RouterA charon[172445]: 12[NET] received packet: from vpn.endpoint.138[4500] to xx.xx.xx.35[4500] (76 bytes)
Oct 14 15:44:32 RouterA charon[172445]: 12[ENC] parsed INFORMATIONAL response 675 [ ]
Oct 14 15:44:34 RouterA ntpd[3399]: Listen normally on 32 eth1 xx.xx.xx.2 UDP 123
Oct 14 15:44:34 RouterA ntpd[3399]: peers refreshed
Oct 14 15:44:35 RouterA sudo[30116]: support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/vrrp.py --summary
Oct 14 15:44:35 RouterA sudo[30116]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:44:35 RouterA Keepalived_vrrp[3646]: Printing VRRP as json for process(3646) on signal
Oct 14 15:44:35 RouterA sudo[30116]: pam_unix(sudo:session): session closed for user root
Oct 14 15:45:11 RouterA sudo[30165]: support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/ping 10.xx.xx.11
Oct 14 15:45:11 RouterA sudo[30165]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:45:14 RouterA sudo[30165]: pam_unix(sudo:session): session closed for user root
Oct 14 15:45:16 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:16 RouterA kernel: device eth1 left promiscuous mode
Oct 14 15:45:16 RouterA sudo[29783]: pam_unix(sudo:session): session closed for user root
Oct 14 15:45:39 RouterA sudo[30182]: support : TTY=pts/2 ; PWD=/home/support ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth1
Oct 14 15:45:39 RouterA sudo[30182]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:45:39 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:39 RouterA kernel: device eth1 entered promiscuous mode
Oct 14 15:45:41 RouterA sudo[30210]: support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/ping 10.xx.xx.11
Oct 14 15:45:41 RouterA sudo[30210]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:45:45 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:45 RouterA kernel: device eth1 left promiscuous mode
Oct 14 15:45:45 RouterA sudo[30182]: pam_unix(sudo:session): session closed for user root
Oct 14 15:45:49 RouterA sudo[30212]: support : TTY=pts/2 ; PWD=/home/support ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth1
Oct 14 15:45:49 RouterA sudo[30212]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:45:49 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:49 RouterA kernel: device eth1 entered promiscuous mode
Oct 14 15:45:53 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:53 RouterA kernel: device eth1 left promiscuous mode
Oct 14 15:45:53 RouterA sudo[30212]: pam_unix(sudo:session): session closed for user root
Oct 14 15:45:55 RouterA sudo[30222]: support : TTY=pts/2 ; PWD=/home/support ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth1
Oct 14 15:45:55 RouterA sudo[30222]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:45:55 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:45:55 RouterA kernel: device eth1 entered promiscuous mode
Oct 14 15:46:07 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:46:07 RouterA kernel: device eth1 left promiscuous mode
Oct 14 15:46:07 RouterA sudo[30222]: pam_unix(sudo:session): session closed for user root
Oct 14 15:46:09 RouterA sudo[30233]: support : TTY=pts/2 ; PWD=/home/support ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth1
Oct 14 15:46:09 RouterA sudo[30233]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 15:46:09 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:46:09 RouterA kernel: device eth1 entered promiscuous mode
Oct 14 15:46:24 RouterA bgpd[1210]: [EC 100663301] INTERFACE_STATE: Cannot find IF eth1 in VRF 0
Oct 14 15:46:24 RouterA kernel: device eth1 left promiscuous mode
Oct 14 15:46:24 RouterA sudo[30233]: pam_unix(sudo:session): session closed for user root
Oct 14 15:51:00 RouterA charon[172445]: 09[KNL] creating rekey job for CHILD_SA ESP/0xcd10ff9f/vpn.endpoint.138
```

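The security-relevant part of the symptom above is that traffic for the private 10.x network is leaving the public interface in the clear instead of via eth0 or the IPsec tunnel. The following is an added example, not code from the post or from VyOS, that turns the two artefacts the poster collected (a `tcpdump -i eth1` capture and the `journalctl` output) into a repeatable check: it parses both, extracts the VRRP state transitions logged by keepalived, and reports any packet on the public capture whose destination falls inside a private prefix after the most recent transition of the given group. The sample capture and log lines are constructed for the example and use made-up addresses (10.20.30.0/24 as the private side, 203.0.113.0/24 as the public side); the prefix list and group name are parameters you supply.

```python
"""Flag private-destination packets seen on the public interface after a
VRRP state change, from tcpdump and journalctl text (example code)."""
import ipaddress
import re

# tcpdump line as printed without -n, e.g.
# 15:46:09.525007 IP RouterA > 10.20.30.11: ICMP echo request, id 37020, seq 1, length 12
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+):"
)
# keepalived transition line, e.g.
# Oct 14 15:43:45 RouterA Keepalived_vrrp[3646]: (eth1-1) Entering BACKUP STATE
VRRP_RE = re.compile(
    r"^\w{3} +\d+ (?P<ts>\d{2}:\d{2}:\d{2}) \S+ Keepalived_vrrp\[\d+\]: "
    r"\((?P<group>[^)]+)\) Entering (?P<state>\w+) STATE"
)

# Constructed sample input mirroring the shape of the output in the post.
SAMPLE_JOURNAL = [
    "Oct 14 15:43:45 RouterA Keepalived_vrrp[3646]: (eth1-1) Master received advert from 203.0.113.34 with higher priority 64, ours 32",
    "Oct 14 15:43:45 RouterA Keepalived_vrrp[3646]: (eth1-1) Entering BACKUP STATE",
    "Oct 14 15:43:45 RouterA charon[172445]: 06[KNL] 203.0.113.2 disappeared from eth1",
    "Oct 14 15:44:32 RouterA Keepalived_vrrp[3646]: (eth1-1) Entering MASTER STATE",
    "Oct 14 15:44:32 RouterA charon[172445]: 07[KNL] 203.0.113.2 appeared on eth1",
]
SAMPLE_TCPDUMP = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "15:46:09.525007 IP RouterA > 10.20.30.11: ICMP echo request, id 37020, seq 1, length 12",
    "15:46:10.200648 IP RouterA > 10.20.30.11: ICMP echo request, id 30211, seq 29, length 64",
    # Legitimate NAT-T ESP to the peer: public destination, must not be flagged.
    "15:46:11.300000 IP RouterA.4500 > 203.0.113.138.4500: UDP-encap: ESP(spi=0xcd10ff9f,seq=0x1a), length 132",
]


def _to_seconds(hhmmss: str) -> float:
    """HH:MM:SS[.frac] -> seconds since midnight (same-day comparison only)."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_tcpdump(lines):
    """Yield (seconds, src, dst) for each packet line; skip banner lines."""
    out = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m:
            out.append((_to_seconds(m["ts"]), m["src"], m["dst"].strip()))
    return out


def find_leaks(tcpdump_lines, private_prefixes):
    """Packets on the capture whose destination is inside a private prefix.

    For TCP/UDP tcpdump appends ".port" to the address, so a second parse
    attempt strips the last dotted component before giving up.
    """
    nets = [ipaddress.ip_network(p) for p in private_prefixes]
    leaks = []
    for ts, src, dst in parse_tcpdump(tcpdump_lines):
        ip = _as_ip(dst) or _as_ip(dst.rsplit(".", 1)[0])
        if ip is not None and any(ip in n for n in nets):
            leaks.append((ts, src, str(ip)))
    return leaks


def vrrp_transitions(journal_lines):
    """(seconds, group, new_state) for every keepalived 'Entering ... STATE' line."""
    out = []
    for line in journal_lines:
        m = VRRP_RE.match(line)
        if m:
            out.append((_to_seconds(m["ts"]), m["group"], m["state"]))
    return out


def leaks_after_transition(tcpdump_lines, journal_lines, private_prefixes, group):
    """Leaks captured at or after the most recent state change of `group`.

    Returns [] when the group never changed state, so a clean log with
    stray private traffic is reported as a different problem, not this one.
    """
    changes = [t for t in vrrp_transitions(journal_lines) if t[1] == group]
    if not changes:
        return []
    last = max(t[0] for t in changes)
    return [l for l in find_leaks(tcpdump_lines, private_prefixes) if l[0] >= last]


if __name__ == "__main__":
    for ts, src, dst in leaks_after_transition(
        SAMPLE_TCPDUMP, SAMPLE_JOURNAL, ["10.20.30.0/24"], "eth1-1"
    ):
        print(f"{ts:.6f} private destination {dst} from {src} seen on public capture")
```

On a live router the same functions can be fed `sudo tcpdump -i eth1 -l` and `journalctl -u keepalived -o short` output; ESP/NAT-T packets to the peer's public address are not flagged, only cleartext packets whose destination should have been reachable through eth0 or the tunnel.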

This seems like a reproducible bug - has a Phabricator task been created for it? If not, would you be willing to create one?

No, I haven’t created one for this yet. I am awaiting my Phabricator account activation, then I can create one.