Comment 0 for bug 1564810

eon (eon-5) wrote :

I am using a simple setup where I have 2 VRRP nodes with keepalived and a client VM on the same subnet that pings the VIP.

The VIP is configured using allowed address pairs.

Looking at the VRF of the client machine port I can see that the VIP MAC is not updated when the master VRRP node goes down:

root@d-ocnclc-0000[lab2][aub] ~ # rt --dump 10 | grep 15.15.15.15/32
15.15.15.15/32 32 LP 40 28 2:81:ca:87:ff:66(11936)
root@d-ocnclc-0000[lab2][aub] ~ # rt --dump 10 | grep 15.15.15.15/32
15.15.15.15/32 32 LP 40 28 2:81:ca:87:ff:66(11936)
(keepalived stopped on master)
root@d-ocnclc-0000[lab2][aub] ~ # rt --dump 10 | grep 15.15.15.15/32
15.15.15.15/32 32 LP 29 29 2:81:ca:87:ff:66(11936)
root@d-ocnclc-0000[lab2][aub] ~ # rt --dump 10 | grep 15.15.15.15/32
15.15.15.15/32 32 LP 29 29 2:81:ca:87:ff:66(11936)

We can see the route change (MPLS label and nh updated) but not the MAC.

As a result, if an ARP request is made on the VIP by the client, it gets the wrong MAC, so the connection doesn't work anymore.

Using the noping tool instead of ping should show this behaviour.
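
Added example, not part of the original comment or of the project's code: a small check that parses successive `rt --dump` lines for one prefix and flags the condition reported above, where the label or nexthop changes but the stitched MAC stays the same. The column order (prefix, prefix length, flags, label, nexthop, MAC(index)) is an assumption inferred from the output quoted in the comment, and the function names are hypothetical.

```python
import re

# Constructed sample: the four route lines quoted in the comment above,
# two captured before and two after keepalived was stopped on the master.
SAMPLE = """\
15.15.15.15/32 32 LP 40 28 2:81:ca:87:ff:66(11936)
15.15.15.15/32 32 LP 40 28 2:81:ca:87:ff:66(11936)
15.15.15.15/32 32 LP 29 29 2:81:ca:87:ff:66(11936)
15.15.15.15/32 32 LP 29 29 2:81:ca:87:ff:66(11936)
"""

# Assumed columns: prefix, prefix length, flags, label, nexthop, MAC(index).
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+/\d+)\s+\d+\s+\S+\s+(?P<label>\d+)\s+(?P<nh>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F:]+)\(\d+\)\s*$"
)

def normalize_mac(mac):
    """Pad octets printed without leading zeros ("2:81:..." -> "02:81:...")."""
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))

def parse_routes(text, prefix):
    """Return (label, nexthop, mac) for each dump line matching the prefix.
    Prompt lines and notes in a pasted session do not match and are skipped."""
    samples = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("prefix") == prefix:
            samples.append((int(m.group("label")), int(m.group("nh")),
                            normalize_mac(m.group("mac"))))
    return samples

def stale_mac_transitions(samples):
    """Return (before, after) pairs where label or nexthop changed
    between consecutive samples but the MAC did not follow."""
    stale = []
    for before, after in zip(samples, samples[1:]):
        if before[:2] != after[:2] and before[2] == after[2]:
            stale.append((before, after))
    return stale

if __name__ == "__main__":
    for before, after in stale_mac_transitions(parse_routes(SAMPLE, "15.15.15.15/32")):
        print("label/nh %s -> %s but MAC still %s" % (before[:2], after[:2], after[2]))
```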