Keepalived Blocking SSH? Troubleshoot Your High Availability Setup

Experiencing SSH connectivity issues after setting up Keepalived? It’s a common headache when configuring dynamic IP failover. This guide breaks down the common culprits and provides actionable steps to resolve them, ensuring a robust and accessible high-availability infrastructure. You’ll find solutions to common problems and guidance for a smooth Keepalived implementation.

Understanding Why Keepalived Might Block SSH

Keepalived dynamically manages IP addresses, which, if not configured correctly, can disrupt network services like SSH. Here's a breakdown of potential problems:

Firewall Issues: The firewall on your server might be blocking traffic to the floating IP address after Keepalived takes over. This is especially true if you have strict rules in place.
Incorrect Interface Binding: Keepalived might be assigning the virtual IP to the wrong network interface leading to SSH requests being sent to the previous IP without returning.
Routing Conflicts: Problems with your network routing configuration can prevent SSH traffic from reaching the active server.

Diagnosing the Root Cause: A Step-by-Step Approach

Before diving into solutions, pinpoint the exact cause.

Check Firewall Rules: Verify your firewall allows SSH traffic from your client IP address to the virtual IP. Ensure the rule is active on both servers.
Inspect Keepalived Logs: Examine the Keepalived logs (/var/log/keepalived.log) for clues about IP address assignments, script execution, and any errors. These logs provide valuable insights into Keepalived's behavior.
Network Configuration: Confirm that the subnet mask is configured correctly on both the interface and the virtual IP address.
Run TCPdump: Use tcpdump on both servers to monitor SSH traffic on the relevant interface and IP addresses. This will show you where the traffic is getting lost.

Solutions: Unblocking SSH Access

Here are solutions to address the common scenarios:

Adjust Firewall Rules for Virtual IP: Update your firewall rules to explicitly allow SSH traffic to the virtual IP address on the correct interface (e.g., ens3). A misconfigured firewall is a common cause.
```
# Example using iptables (adjust for your firewall)
iptables -A INPUT -i ens3 -p tcp --dport 22 -s <your_client_ip> -d <virtual_ip> -j ACCEPT
```
Verify Interface Binding in Keepalived Configuration: Double-check that the interface parameter in your keepalived.conf file specifies the correct network interface (e.g., ens3).
Address Routing Issues: The provided configuration includes virtual_routes. Ensure the gateway specified (10.0.0.138) is correct and reachable from both servers. Incorrect routing can prevent traffic from flowing correctly.

Long-Tail Keywords and Keepalived SSH Explained

Keepalived SSH Connection Issues: This longer phrase captures users specifically facing problems with SSH access.
Keepalived Virtual IP Not Accessible: This targets users struggling to reach any services on the virtual IP.

Based on the initial configurations presented:

unicast_peer: This setting is deprecated; consider using mcast_src_ip and multicast communication instead for improved stability and reduced configuration complexity if you're facing communication issues between the two Keepalived instances.
virtual_router_id: Ensure this ID is unique within your network to avoid conflicts.
Script Security: While enable_script_security is included, ensure the check-docker script is properly secured and only performs necessary checks to avoid potential vulnerabilities.

Actionable Steps for Success

Implement one fix at a time: After each change, test your SSH connection to verify the solution.
Document your configuration: Keep detailed records of your Keepalived setup, including firewall rules and routing configurations and the check script to facilitate future troubleshooting.
Regularly test failover: Simulate server failures to ensure Keepalived functions as expected and SSH access remains uninterrupted. This proactive approach prevents unexpected downtime.

Solving connectivity issues in your Keepalived setup requires careful examination and methodical troubleshooting. By following these steps and focusing on firewall rules, interface bindings, and routing configurations, you can ensure high availability and consistent SSH access to your servers.

Keepalived Blocking SSH? Troubleshoot Your High Availability Setup

Understanding Why Keepalived Might Block SSH

Keepalived dynamically manages IP addresses, which, if not configured correctly, can disrupt network services like SSH. Here's a breakdown of potential problems:

Firewall Issues: The firewall on your server might be blocking traffic to the floating IP address after Keepalived takes over. This is especially true if you have strict rules in place.

Incorrect Interface Binding: Keepalived might be assigning the virtual IP to the wrong network interface leading to SSH requests being sent to the previous IP without returning.

Routing Conflicts: Problems with your network routing configuration can prevent SSH traffic from reaching the active server.

Diagnosing the Root Cause: A Step-by-Step Approach

Before diving into solutions, pinpoint the exact cause.

Check Firewall Rules: Verify your firewall allows SSH traffic from your client IP address to the virtual IP. Ensure the rule is active on both servers.

Inspect Keepalived Logs: Examine the Keepalived logs (/var/log/keepalived.log) for clues about IP address assignments, script execution, and any errors. These logs provide valuable insights into Keepalived's behavior.

Network Configuration: Confirm that the subnet mask is configured correctly on both the interface and the virtual IP address.

Run TCPdump: Use tcpdump on both servers to monitor SSH traffic on the relevant interface and IP addresses. This will show you where the traffic is getting lost.

Solutions: Unblocking SSH Access

Here are solutions to address the common scenarios:

Adjust Firewall Rules for Virtual IP: Update your firewall rules to explicitly allow SSH traffic to the virtual IP address on the correct interface (e.g., ens3). A misconfigured firewall is a common cause.

# Example using iptables (adjust for your firewall)
iptables -A INPUT -i ens3 -p tcp --dport 22 -s <your_client_ip> -d <virtual_ip> -j ACCEPT

Verify Interface Binding in Keepalived Configuration: Double-check that the interface parameter in your keepalived.conf file specifies the correct network interface (e.g., ens3).

Address Routing Issues: The provided configuration includes virtual_routes. Ensure the gateway specified (10.0.0.138) is correct and reachable from both servers. Incorrect routing can prevent traffic from flowing correctly.

Long-Tail Keywords and Keepalived SSH Explained

Keepalived SSH Connection Issues: This longer phrase captures users specifically facing problems with SSH access.

Keepalived Virtual IP Not Accessible: This targets users struggling to reach any services on the virtual IP.

Based on the initial configurations presented:

unicast_peer: This setting is deprecated; consider using mcast_src_ip and multicast communication instead for improved stability and reduced configuration complexity if you're facing communication issues between the two Keepalived instances.

virtual_router_id: Ensure this ID is unique within your network to avoid conflicts.

Script Security: While enable_script_security is included, ensure the check-docker script is properly secured and only performs necessary checks to avoid potential vulnerabilities.

Actionable Steps for Success

Implement one fix at a time: After each change, test your SSH connection to verify the solution.

Document your configuration: Keep detailed records of your Keepalived setup, including firewall rules and routing configurations and the check script to facilitate future troubleshooting.

Regularly test failover: Simulate server failures to ensure Keepalived functions as expected and SSH access remains uninterrupted. This proactive approach prevents unexpected downtime.