VRRP on oVirt not working

October 18th, 2013

I’m using oVirt as a KVM hypervisor and wanted to set up some highly available FreeBSD and pfSense clusters with CARP/uCARP. Unfortunately, neither CARP nor uCARP was working. I could see VRRP advertisements on my KVM hypervisor coming in from one pfSense/FreeBSD VM…

kvm# tcpdump -i vnet13 -s 1500 -n -X  |grep -i vrrp
tcpdump: WARNING: vnet13: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet13, link-type EN10MB (Ethernet), capture size 1500 bytes
11:17:46.386437 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:47.353269 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:48.363266 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36

…but these VRRP packets never reached the interface of the secondary pfSense/FreeBSD VM. It turns out that a new network-filters feature in oVirt prevented VRRP packets from being forwarded. This feature was introduced in oVirt 3.2 and prevents guests from using MAC addresses other than those assigned by the oVirt engine. A very kind guy on the oVirt mailing list told me about this.

The fix is to disable the anti-spoofing feature on the oVirt engine (assuming you are running oVirt 3.3):

  1. On the oVirt engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.3
  2. Restart the ovirt-engine service: systemctl restart ovirt-engine
  3. Restart the VMs
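
To confirm after step 3 that the restarted VMs no longer carry the filter, each interface in the libvirt domain XML on the hypervisor can be checked for a filterref. This is an added example, not part of the original post; the filter name vdsm-no-mac-spoofing is an assumption, and the VM name, bridges and MAC addresses in the sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: name of the libvirt nwfilter attached while the engine option is enabled.
ANTI_SPOOF_FILTER = "vdsm-no-mac-spoofing"

# Constructed sample of `virsh -r dumpxml <vm>` output, trimmed to the NICs.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>pfsense-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='ovirtmgmt'/>
      <target dev='vnet13'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='lan'/>
      <target dev='vnet14'/>
    </interface>
  </devices>
</domain>
"""


def filtered_interfaces(domain_xml, filter_name=ANTI_SPOOF_FILTER):
    """Return (target dev, MAC) for every NIC that still references filter_name."""
    root = ET.fromstring(domain_xml)
    hits = []
    for iface in root.findall("./devices/interface"):
        ref = iface.find("filterref")
        if ref is None or ref.get("filter") != filter_name:
            continue  # no filter, or a different one: not the anti-spoofing rule
        target = iface.find("target")
        mac = iface.find("mac")
        hits.append((
            target.get("dev") if target is not None else "?",
            mac.get("address") if mac is not None else "?",
        ))
    return hits


if __name__ == "__main__":
    for dev, mac in filtered_interfaces(SAMPLE_DOMAIN_XML):
        print(f"{dev} ({mac}) still references {ANTI_SPOOF_FILTER}")
```

An empty result for both cluster members means the filter is gone from their interfaces. Since the engine-config option is set per cluster level rather than per VM, the same check on unrelated VMs shows which other guests lost the MAC spoofing protection.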

Thanks to Moti Asayag from RedHat for this useful answer.