
Keepalived notify script, execute action on failover

Published: 26-10-2014 | Author: Remy van Elst

Keepalived supports running scripts on VRRP state change. This can come in handy when you need to execute an action when a failover occurs. In my case, I have a VPN running on a Virtual IP and want to make sure the VPN only runs on the node with the Virtual IP.

If you want to set up a simple keepalived cluster, see my tutorial on that.

The VPN uses strongSwan and is a simple IPsec site-to-site VPN. The two nodes are datacenter redundant. The nodes function as NAT/firewall proxies for a backend network. The backend servers need access to some other servers only reachable over the VPN.

A notify script can do more than add or remove an IP on an interface. It can, for example, start or stop a daemon depending on the VRRP state.

It is defined in the keepalived config like this:

vrrp_instance Example_VRRP {
    notify /usr/local/sbin/

The script can be written in any language as long as it is executable. It receives the following parameters:

This is the bash script I use for the strongswan VPN:

#!/bin/bash
# keepalived passes the new VRRP state as the third argument
STATE=$3

case $STATE in
        "MASTER") /usr/sbin/service strongswan start ;;
        "BACKUP") /usr/sbin/service strongswan stop ;;
        "FAULT")  /usr/sbin/service strongswan stop
                  exit 0 ;;
        *)        /sbin/logger "ipsec unknown state"
                  exit 1 ;;
esac
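A variant of the notify script that checks its arguments before touching the VPN, as an added example that is not the author's script. It relies on keepalived calling notify scripts with the arguments TYPE, NAME and STATE in that order; `EXPECTED_INSTANCE`, `SERVICE_CMD`, `LOGGER_CMD` and the function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example: notify handler that validates what keepalived passes in.
# keepalived calls notify scripts as: <script> TYPE NAME STATE
# EXPECTED_INSTANCE, SERVICE_CMD and LOGGER_CMD are assumptions of this example.
EXPECTED_INSTANCE="${EXPECTED_INSTANCE:-Example_VRRP}"
SERVICE_CMD="${SERVICE_CMD:-/usr/sbin/service}"
LOGGER_CMD="${LOGGER_CMD:-/sbin/logger}"

# Map a VRRP state to the strongswan action; non-zero for anything unexpected.
action_for_state() {
    case "$1" in
        MASTER)       echo start ;;
        BACKUP|FAULT) echo stop ;;
        *)            return 1 ;;
    esac
}

# Validate the arguments, then start or stop strongswan and log the transition.
handle_transition() {
    kind="$1"; name="$2"; state="$3"
    case "$kind" in
        INSTANCE|GROUP) ;;
        *) "$LOGGER_CMD" -t keepalived-notify "rejected type '$kind'"
           return 2 ;;
    esac
    # Only act for the VRRP instance that owns the VPN's Virtual IP.
    if [ "$name" != "$EXPECTED_INSTANCE" ]; then
        "$LOGGER_CMD" -t keepalived-notify "ignoring instance '$name'"
        return 3
    fi
    if ! action=$(action_for_state "$state"); then
        "$LOGGER_CMD" -t keepalived-notify "ipsec unknown state '$state'"
        return 1
    fi
    "$LOGGER_CMD" -t keepalived-notify "$name -> $state: strongswan $action"
    "$SERVICE_CMD" strongswan "$action"
}

# Run only when called with arguments, as keepalived does.
if [ "$#" -gt 0 ]; then
    handle_transition "$@"
    exit $?
fi
```

keepalived runs notify scripts with its own privileges unless `script_user` is set in `global_defs`, so keep the script owned by root and not writable by other users. With `enable_script_security` set, keepalived refuses to run a script as root when any part of its path is writable by a non-root user.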
Tags: cluster, heartbeat, high-availability, keepalived, network, strongswan, tutorials, vpn, vrrp