Operations 6 min read

Resolving Firewall and VIP Migration Issues in Keepalived on CentOS 7

This guide explains how to troubleshoot firewalld command errors, enable VRRP multicast traffic, and fix VIP migration problems in a Keepalived high‑availability setup on CentOS 7, providing step‑by‑step commands, configuration file adjustments, and verification procedures.

Full-Stack Internet Architecture

0x01: Firewalld Issue Resolution

The command firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent fails because firewalld is not running. Install the firewall configuration tool with yum -y install firewall-config, start firewalld with systemctl start firewalld, and verify its status with systemctl status firewalld. Once the service is running, re-run the rich-rule command; it succeeds, and because the rule was added with --permanent it only takes effect after firewall-cmd --reload.

0x02: VIP Migration Issue Resolution

When the master and the backup both hold the VIP at the same time, the two nodes are not exchanging VRRP multicast advertisements (sent to 224.0.0.18): the backup never hears the master and promotes itself. Allow VRRP multicast on the interface that carries the VIP by adding direct firewall rules on each node, for example on the master (interface enp0s3) and on the backup (interface enp0s4):

firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
    --in-interface enp0s3 --destination 224.0.0.18 \
    --protocol vrrp -j ACCEPT

firewall-cmd --reload

Replace enp0s3 or enp0s4 with the NIC that actually carries the VIP on that node, and run the same command (followed by firewall-cmd --reload) on the backup with its own interface name.

Adjust the Keepalived configuration files for both nodes. Example for the master:

! Configuration File for keepalived

global_defs {
    ! unique identifier for this node
    router_id LVS_128
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

! Health check: a non-zero exit lowers this node's priority by 20,
! so a master with a failed nginx (100 - 20 = 80) falls below the backup (90).
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"
    interval 3
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    ! NIC that carries the VIP and the VRRP multicast traffic
    interface enp0s3
    ! must match on both nodes
    virtual_router_id 99
    priority 100
    advert_int 1
    ! PASS authentication is sent in clear text; it only guards against
    ! accidentally pairing with another VRRP group on the same segment
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.56.120
    }
    track_script {
        chk_nginx
    }
}

For the backup, use the same file with state BACKUP, priority 90, the interface changed to enp0s4, and its own router_id:

! Configuration File for keepalived

global_defs {
    ! unique identifier for this node
    router_id LVS_129
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

! same health check as on the master
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"
    interval 3
    weight -20
}

vrrp_instance VI_1 {
    state BACKUP
    ! NIC that carries the VIP on the backup node
    interface enp0s4
    ! must match the master
    virtual_router_id 99
    ! lower than the master's 100, higher than a failed master's 80
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.56.120
    }
    track_script {
        chk_nginx
    }
}

0x03: Verification

Start Keepalived on both nodes with systemctl start keepalived.service. Run ip addr on each node to confirm that only the master shows the VIP (192.168.56.120) on its interface. Stop Keepalived on the master (systemctl stop keepalived.service) and verify that the backup now holds the VIP. Restart Keepalived on the master and confirm that the VIP returns to the master; if both nodes show the VIP at any point, the VRRP multicast rules from 0x02 are not in effect.
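The checks above can be scripted. The following is an added example, not part of the original article: it reads the text of ip -4 addr show from each node and of firewall-cmd --direct --get-all-rules, reports which node holds the VIP (and flags the split-brain case that 0x02 fixes), and confirms the VRRP direct rule is present for a given NIC. The sample listings embedded below are constructed, not captured from the article's hosts; in practice feed it live output, e.g. vip_state "$(ssh master ip -4 addr show)" "$(ssh backup ip -4 addr show)" 192.168.56.120.

```shell
#!/bin/sh
# Added example: offline verification helpers for the Keepalived failover states.
VIP=192.168.56.120

# Returns 0 if the `ip -4 addr show` text in $1 lists $2 as an inet address.
# (Dots in the VIP match any character in the regex; adequate for a check.)
holds_vip() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $2/"
}

# Prints master | backup | split-brain | none from the two nodes' listings.
vip_state() {
    m=0; b=0
    holds_vip "$1" "$3" && m=1
    holds_vip "$2" "$3" && b=1
    case "$m$b" in
        10) echo master ;;       # normal: only the master holds the VIP
        01) echo backup ;;       # master down: the backup took over
        11) echo split-brain ;;  # both hold it: VRRP adverts are being blocked
        *)  echo none ;;
    esac
}

# Returns 0 if the `firewall-cmd --direct --get-all-rules` text in $1
# accepts VRRP to 224.0.0.18 on interface $2.
has_vrrp_rule() {
    printf '%s\n' "$1" | grep -q -- "--in-interface $2 .*224\.0\.0\.18 .*--protocol vrrp -j ACCEPT"
}

# Constructed sample listings (not captured from the article's hosts).
MASTER_UP='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.56.128/24 brd 192.168.56.255 scope global enp0s3
    inet 192.168.56.120/32 scope global enp0s3'
BACKUP_IDLE='2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.56.129/24 brd 192.168.56.255 scope global enp0s4'
BACKUP_ACTIVE="$BACKUP_IDLE
    inet 192.168.56.120/32 scope global enp0s4"
RULES='ipv4 filter INPUT 0 --in-interface enp0s3 --destination 224.0.0.18 --protocol vrrp -j ACCEPT'

main() {
    echo "healthy:     $(vip_state "$MASTER_UP" "$BACKUP_IDLE" "$VIP")"
    echo "split brain: $(vip_state "$MASTER_UP" "$BACKUP_ACTIVE" "$VIP")"
    has_vrrp_rule "$RULES" enp0s3 && echo "enp0s3: VRRP direct rule present"
    has_vrrp_rule "$RULES" enp0s4 || echo "enp0s4: VRRP direct rule missing"
}
main
```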

Tags: high-availability, Network, Linux, vrrp, Keepalived, firewalld, CentOS7