MongoDB secondary replica permanently in not reachable/healthy state

mongodb

I have a standard 3 node MongoDB replica set:

10.0.2.35 – Primary
10.0.3.169 – Secondary
10.0.1.48 – Secondary

I'm currently not able to connect to them as a replica set, I can only connect through the primary. If I run rs.status() on the primary, I repeatedly get:

{
        "set" : "ecReplica",
        "date" : ISODate("2018-04-23T19:12:10.014Z"),
        "myState" : 1,
        "term" : NumberLong(-1),
        "heartbeatIntervalMillis" : NumberLong(2000),
        "members" : [
                {
                        "_id" : 0,
                        "name" : "ip-10-0-3-169:27017",
                        "health" : 1,
                        "state" : 2,
                        "stateStr" : "SECONDARY",
                        "uptime" : 10717677,
                        "optime" : Timestamp(1524510722, 15),
                        "optimeDate" : ISODate("2018-04-23T19:12:02Z"),
                        "lastHeartbeat" : ISODate("2018-04-23T19:12:08.186Z"),
                        "lastHeartbeatRecv" : ISODate("2018-04-23T19:12:09.656Z"),
                        "pingMs" : NumberLong(1),
                        "syncingTo" : "ip-10-0-2-35:27017",
                        "configVersion" : 405240
                },
                {
                        "_id" : 1,
                        "name" : "ip-10-0-1-48:27017",
                        "health" : 0,
                        "state" : 6,
                        "stateStr" : "(not reachable/healthy)",
                        "uptime" : 0,
                        "optime" : Timestamp(0, 0),
                        "optimeDate" : ISODate("1970-01-01T00:00:00Z"),
                        "lastHeartbeat" : ISODate("2018-04-23T19:12:09.116Z"),
                        "lastHeartbeatRecv" : ISODate("2018-04-23T19:12:08.404Z"),
                        "pingMs" : NumberLong(0),
                        "authenticated" : false,
                        "configVersion" : -1
                },
                {
                        "_id" : 2,
                        "name" : "ip-10-0-2-35:27017",
                        "health" : 1,
                        "state" : 1,
                        "stateStr" : "PRIMARY",
                        "uptime" : 10717680,
                        "optime" : Timestamp(1524510722, 15),
                        "optimeDate" : ISODate("2018-04-23T19:12:02Z"),
                        "electionTime" : Timestamp(1524486537, 1),
                        "electionDate" : ISODate("2018-04-23T12:28:57Z"),
                        "configVersion" : 405240,
                        "self" : true
                }
        ],
        "ok" : 1
}

When I ssh into the primary, I see the following error in /var/log/mongodb/mongod.log:

2018-04-23T19:23:54.326+0000 I REPL [ReplicationExecutor] Error in heartbeat request to ip-10-0-1-48:27017; Unauthorized not authorized on admin to execute command { replSetHeartbeat: "ecReplica", pv: 1, v: 405240, from: "ip-10-0-2-35:27017", fromId: 2, checkEmpty: false }

Additional info

Connectivity

I can connect to all 3 nodes individually using Mongo Shell and Robo3T using SSH tunneling, but I can't connect to the 3 as a replica set.

Production servers apparently connects successfully to the replica set.

telnet

telnet 10.0.1.48 27017 from 10.0.2.35 works.

/etc/mongod.conf

The config files are almost exactly equal, the only difference is in the net section:

Node 10.0.1.48:

# network interfaces
net:
  port: 27017
  bindIp: [127.0.0.1,10.0.3.169,10.0.2.35]

Node 10.0.3.169:

# network interfaces
net:
  port: 27017
  bindIp: [10.0.1.48,10.0.2.35,127.0.0.1]

Node 10.0.2.35:

# network interfaces
net:
  port: 27017
  bindIp: [127.0.0.1,10.0.3.169,10.0.1.48]

NOTICE: the security section is empty, so this is not a key-file issue.

db.version()

3.2.0

Infrastructure

All nodes are running in the same AWS VPC, while they're in different Availability Zones, they belong to the same Security Group and use the same Network ACLs and Route Tables.

This is an inherited setup, it has been live for more than 2 years.

What am I missing?

Best Answer

It seems that your settings is still auth disabled in ReplicaSet.

To enable it, simply add a security.keyFile in settings or use --keyFile in command line option.

Here is an example showing how to generate such file:

openssl rand -base64 756 > <path-to-keyfile>
chmod 400 <path-to-keyfile>

then add to mongod.conf the path of the genreated keyfile:

security:
   authorization: enabled
   keyFile: /path/to/keyfile

restart the mongod service, right now your mongo should be auth enabled.

for more information about keyFile, refer to Enforce Keyfile Access Control in a Replica Set

MS Clustering

The decision of where to put the public, heart-beat, inter-node communication, and quorum drive is significant. Also cluster architecture makes a difference; you pick different quroum options if the two nodes are in adjacent racks than if they were in completely different datacenters.

Put the heartbeat on the same interface/subnet as the public interface

This theory holds that if you lose your public interface, you want the heartbeat to fail because this node is effectively down to users.

Put the heartbeat on it's own private interface/subnet

This theory holds that something outside of the cluster is arbiting who is doing what role, and unnecessary node-death is to be avoided.

Put the WFS on the heartbeat network

If the two nodes are in the same overall network (the same set of switches is supporting the non-public networks for both nodes) then putting the WFS on the heartbeat network doesn't introduce any new vulnerabilities.

If the two nodes are in different network fault domains (such as different datacenters), this is a bad idea. The heartbeat network provides the 'node majority' quorum option, and the WFS provides the 'File Share Majority' quorum option. You really want both options to be in separate fault domains.

Your revised diagram makes sense if both nodes are in the same data-center, though I myself would but the heartbeat on the public side.

MongoDB

MongoDB is a bit simpler. With even numbers of nodes, you absolutely want a third node to act as tie-breaker. They're pretty clear about that. However, your diagram states:

Up to 12 replica members (7 can vote).

7 is an odd number. You don't require an Arbiter.

Unlike Microsoft clusters, Mongo's cluster voting doesn't care about multiple avenues of network to break voting deadlocks. Because of this, separate arbitration and cluster-internal networks do not provide any meaningful increase in robustness. The only reason you'd want a separate arbitration network is if replication traffic was expected to be so heavy that election-packets (the heartbeat, actually) would get pushed so far down the stack that it would miss the 10 second timeout.

When does the replication from primary to secondary happen in mongodb

Mongo syncs instantly, so there is something wrong with your Replica set.

MongoDB replica sets are something that you need to get right from when they are first set up. If they aren't set up correctly, they can be difficult to fix.

Configuration of the Replica Set should (normally) be done from the master only. If your Set isn't live yet, the best option may be to re-create it.

Also, not sure what robomongo is, but you're probably better off using the native mongo client to find out what is going on.

The rs.status() command should give you output like this

rs0:SECONDARY> rs.status()
{
"set" : "rs0",
"date" : ISODate("2014-03-10T10:42:27Z"),
"myState" : 2,
"syncingTo" : "mongo-master:27017",
"members" : [
    {
        "_id" : 0,
        "name" : "mongo-master:27017",
        "health" : 1,
        "state" : 1,
        "stateStr" : "PRIMARY",
        "uptime" : 3008469,
        "optime" : Timestamp(1394448146, 1),
        "optimeDate" : ISODate("2014-03-10T10:42:26Z"),
        "lastHeartbeat" : ISODate("2014-03-10T10:42:26Z"),
        "lastHeartbeatRecv" : ISODate("2014-03-10T10:42:26Z"),
        "pingMs" : 1
    },
    {
        "_id" : 3,
        "name" : "mongo-slave3:27017",
        "health" : 1,
        "state" : 2,
        "stateStr" : "SECONDARY",
        "uptime" : 3012206,
        "optime" : Timestamp(1394448146, 1),
        "optimeDate" : ISODate("2014-03-10T10:42:26Z"),
        "self" : true
    },
    {
        "_id" : 4,
        "name" : "mongo-slave4:27017",
        "health" : 1,
        "state" : 2,
        "stateStr" : "SECONDARY",
        "uptime" : 890533,
        "optime" : Timestamp(1394448146, 1),
        "optimeDate" : ISODate("2014-03-10T10:42:26Z"),
        "lastHeartbeat" : ISODate("2014-03-10T10:42:26Z"),
        "lastHeartbeatRecv" : ISODate("2014-03-10T10:42:26Z"),
        "pingMs" : 0,
        "syncingTo" : "mongo-master:27017"
    }
],
"ok" : 1
}