Public bug reported: A bug in keepalived 1.2.7 causes VRRP peers to ignore each other's VRRP packets leading to a "multi-master" situation. The logs show the following:
Aug 13 11:30:53 lb04 Keepalived_vrrp[22093]: bogus VRRP packet received on eth0 !!!
Aug 13 11:30:53 lb04 Keepalived_vrrp[22093]: VRRP_Instance(PRIV) ignoring received advertisment...
Aug 13 11:30:54 lb04 Keepalived_vrrp[22093]: receive an invalid ip number count associated with VRID!
Aug 13 11:30:54 lb04 Keepalived_vrrp[22093]: bogus VRRP packet received on eth0 !!!
Aug 13 11:30:54 lb04 Keepalived_vrrp[22093]: VRRP_Instance(PRIV) ignoring received advertisment...
Aug 13 11:30:55 lb04 Keepalived_vrrp[22093]: receive an invalid ip number count associated with VRID!

From 1.2.8 changelog:

* Ryan O'Hara fixed pointer arithmetic for VRRP packet. When using IPSEC AH authentication, the pointer arithmetic used to get the location of the VRRP packet is incorrect. The address of the IPSEC header must be cast as (char *) in order to get correct address of the VRRP packet. Without this patch, vrrp_in_chk() will fail to verify incoming VRRP packets when IPSEC AH is enabled.

Please either update the package or backport the fix. The fix involves updating a single line in vrrp.c:

--- keepalived-1.2.7/keepalived/vrrp/vrrp.c.orig 2012-08-16 16:21:28.000000000 -0700 +++ keepalived-1.2.7/keepalived/vrrp/vrrp.c 2014-08-13 13:09:48.289648524 -0700 
@@ -238,7 +238,7 @@ if (vrrp->auth_type == VRRP_AUTH_AH) { ah = (ipsec_ah *) (buffer + ihl); - hd = (vrrp_pkt *) (ah + vrrp_ipsecah_len()); + hd = (vrrp_pkt *) ((char *) ah + vrrp_ipsecah_len()); } else { hd = (vrrp_pkt *) (buffer + ihl); }

Attached is a patch (keepalived_debian_ah.patch) to be applied to the debian directory; it patches the series file and puts the above patch in place.

OS: Ubuntu 14.04 LTS
Package: keepalived 1:1.2.7-1ubuntu1

** Affects: keepalived (Ubuntu)
   Importance: Undecided
   Status: New

** Patch added: "keepalived_debian_ah.patch"
   https://bugs.launchpad.net/bugs/1356575/+attachment/4176871/+files/keepalived_debian_ah.patch

https://bugs.launchpad.net/bugs/1356575
Title: VRRP AH auth_type broken in 1.2.7
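
Review bot: in the AH branch of the vrrp.c hunk, `hd` is still derived from the typed `ah` pointer, so the offset stays correct only while the `(char *)` cast is kept. Assuming `buffer` is a byte pointer, as `buffer + ihl` in both branches implies, deriving it the way the else branch does, e.g. `hd = (vrrp_pkt *) (buffer + ihl + vrrp_ipsecah_len());`, keeps both branches in byte units and removes the scaling hazard. Separately, nothing in the visible lines checks that the received length covers `ihl` plus the AH length plus a VRRP header before `hd` is used; if that is not validated earlier in the function, it is worth adding alongside this fix.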
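
The pointer scaling described in the 1.2.8 changelog entry, as an added example that is not part of the bug report or keepalived's code. `demo_ah`, `demo_vrrp`, the 24-byte AH size and the `DEMO_*` values are constructed assumptions; the example also adds a length check that the report does not discuss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not keepalived's own definitions. */
typedef struct {                 /* assumed 24-byte AH header */
    uint8_t  next_header, payload_len;
    uint16_t reserved;
    uint32_t spi, seq_number;
    uint8_t  auth_data[12];
} demo_ah;
typedef struct {                 /* first four bytes of a VRRPv2 advertisement */
    uint8_t vers_type, vrid, priority, naddr;
} demo_vrrp;

#define DEMO_IHL 20              /* IPv4 header without options */
#define DEMO_CAP 1024            /* receive buffer capacity (assumed) */
#define DEMO_LEN (DEMO_IHL + sizeof(demo_ah) + 20)  /* bytes actually received */

static size_t demo_ah_len(void) { return sizeof(demo_ah); }

/* Pre-fix: "ah + n" on a demo_ah * advances n * sizeof(demo_ah) bytes.
 * Kept as an integer offset so no out-of-bounds pointer is ever formed. */
size_t offset_scaled(void) { return DEMO_IHL + demo_ah_len() * sizeof(demo_ah); }

/* Post-fix: "(char *) ah + n" advances exactly n bytes. */
size_t offset_bytes(void) { return DEMO_IHL + demo_ah_len(); }

/* Returns the VRRP header at off, or NULL if it does not fit in len bytes. */
const demo_vrrp *locate_vrrp(const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < sizeof(demo_vrrp)) return NULL;
    return (const demo_vrrp *)(buf + off);
}

/* Parses a constructed advertisement (VRID 51, one address) and returns the
 * address count seen at off, or -1 if the bounds check rejects the offset. */
int naddr_at(size_t off, size_t len) {
    static uint8_t buf[DEMO_CAP];            /* zero-filled beyond the packet */
    demo_vrrp adv = { 0x21, 51, 100, 1 };    /* version 2, type 1 */
    memcpy(buf + DEMO_IHL + sizeof(demo_ah), &adv, sizeof adv);
    const demo_vrrp *hd = locate_vrrp(buf, len, off);
    return hd ? hd->naddr : -1;
}
int main(void) {
    printf("fixed:  offset %zu, naddr %d\n", offset_bytes(), naddr_at(offset_bytes(), DEMO_LEN));
    printf("scaled: offset %zu, naddr %d\n", offset_scaled(), naddr_at(offset_scaled(), DEMO_CAP));
    return 0;
}
```

With only the buffer capacity as a limit, the scaled offset reads unrelated bytes and reports the wrong address count; checked against the received length, it is rejected outright.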