Hey all,

https://conntrack-tools.netfilter.org/manual.html#sync-aa

conntrackd allows you to deploy an symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2.

@I-n-d-y Try to get it working without VyOS CLI.
Provide the required contrack config. As I'm not sure that it will work correctly at all.

I have a similar setup where I have two VyOS VMs used as VPN routers with some firewalling enabled. Since I use OSPF for dynamic routing I am not able to synchronize the sessions between both routers so in case one VPN router fails the other one can't take over flawlessly. Having conntrack-sync configuration separated from VRRP would be a great benefit.

Created a related feature request but for VRRP here
https://vyos.dev/T5745

I had entered the command as you have suggested and I think it's working somehow.

Yes I mean sudo ip vrf exec FOO /usr/sbin/conntrackd -C /run/conntrackd/conntrackd.conf

It has been a while since I had setup the HA VRF. I attached the interfaces on both routers to use this VRF but then conntrack-sync wasn't woking anymore. Do you mean if I had also tried to manually start the service and configure it to use this VRF?

Did you try to start this service in VRF?

Make sure conntrack-sync works with active-active HA configuration with BGP environment & IPv6

Sorry it took so long! I've cherry-picked it into crux, will be in 1.2.6.

Bump

@syncer Any chance of getting this merged into 1.2.2?

Any chance of getting this merged into 1.2.2?