Vyos HA

Bulit · October 15, 2015, 3:33pm

Hello!
How configure vyos for HA Cluster for firewalls ?

Where get sample config ?

jl3128 · October 19, 2015, 6:44pm

I think you will have to do this manually with a script to manually sync firewall config from one VyOS to the other. You can also look into conntrackd with VRRP for HA failover of firewall

Bulit · October 22, 2015, 4:32pm

Hello, again.

I try create cluster HA by two nodes vyos.
Config nodes:
vyos@R1# show cluster
dead-interval 10000
group HA {
auto-failback false
monitor 192.168.11.75
monitor 192.168.100.11
primary R1
secondary R2
service 192.168.11.182/24/eth0
service 192.168.11.10/24/eth1
}
interface eth0
interface eth1
keepalive-interval 2000
monitor-dead-interval 20000
pre-shared-secret !secret!

vyos@R2# show cluster
dead-interval 10000
group HA {
auto-failback false
monitor 192.168.11.75
monitor 192.168.100.11
primary R1
secondary R2
service 192.168.11.183/24/eth0
service 192.168.100.12/24/eth1
}
interface eth0
interface eth1
keepalive-interval 2000
monitor-dead-interval 20000
pre-shared-secret !secret!

Error Log:
Oct 22 17:57:43 R1 heartbeat: [2930]: WARN: Logging daemon is disabled --enabling logging daemon is recommended
Oct 22 18:13:17 R1 heartbeat: [2931]: WARN: node 192.168.11.75: is dead
Oct 22 18:13:17 R1 heartbeat: [2931]: WARN: node 192.168.100.11: is dead
Oct 22 18:18:15 R1 heartbeat: [2951]: ERROR: glib: Error sending packet: Network is unreachable
Oct 22 18:18:15 R1 heartbeat: [2951]: ERROR: write_child: write failure on ping 192.168.11.75.: Network is unreachable
Oct 22 18:18:15 R1 heartbeat: [2953]: ERROR: glib: Error sending packet: Network is unreachable
Oct 22 18:18:15 R1 heartbeat: [2953]: ERROR: write_child: write failure on ping 192.168.100.11.: Network is unreachable
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Cannot write to media pipe 0: Resource temporarily unavailable
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Killing and restarting communications processes.: Resource temporarily unavailable
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Cannot write to media pipe 1: Invalid argument
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Killing and restarting communications processes.: Invalid argument
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Cannot write to media pipe 2: Bad file descriptor
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Killing and restarting communications processes.: Bad file descriptor
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Cannot write to media pipe 3: Invalid argument
Oct 22 18:18:15 R1 heartbeat: [2931]: ERROR: Killing and restarting communications processes.: Invalid argument
Oct 22 18:18:15 R1 heartbeat: [2931]: CRIT: send_to_all_media: No working comm channels to write to.
Oct 22 18:04:28 R1 heartbeat: [2923]: WARN: Logging daemon is disabled --enabling logging daemon is recommended
Oct 22 18:20:02 R1 heartbeat: [2924]: WARN: node 192.168.11.75: is dead
Oct 22 18:20:02 R1 heartbeat: [2924]: WARN: node 192.168.100.11: is dead
vyos@R1:~$

show cluster status

vyos@R1:~$ show cluster status
=== Status report on primary node R1 ===

Primary R1 (this node): Active

Secondary R2: Down

Monitor 192.168.100.11: Unreachable
Monitor 192.168.11.75: Unreachable

Resources [192.168.11.182/24/eth0 192.168.11.10/24/eth1 10.10.10.2/24/eth2]:
Active on primary R1 (this node)

What is wrong ?