
Uploaded by amushtaq14, posted 10-Sep-2015.



BigIP F5 LTM - High Availability / DSC (v11.x)

Written on 29 July 2014. Posted in F5 BIG-IP.

One of the new features within v11.x of the Traffic Management Operating System (TMOS) is Device Service Clustering (DSC). Over the previous HA (High Availability) features within v10.x, i.e. active-standby, connection mirroring etc., DSC also provides the ability to perform:

- multi-node clustering,
- Active-Active (and Active-Standby) setup,
- greater granularity over which data is synchronized.

SCOPE

Within this article we will explain the key components of DSC, the configuration steps and also the main commands used to troubleshoot problems.

ARTICLE INFO

Vendor: BigIP F5
Platform: LTM
Version: 11.x

COMPONENTS

DSC is built upon 5 main components. They are:

Devices - Represents either a physical or virtual instance of a BigIP system.

Device Groups - A group of devices that synchronize and (based on the device group type) also failover their configuration. There are 2 types of device groups:

  Sync-Failover - Both the configuration data and the failover objects are synchronized; utilizes traffic groups (i.e. failover objects).
  Sync-Only - Only the configuration data is synchronised.

Traffic Groups - A collection of failover objects (i.e. virtual server, self IP) that runs on one of the devices within the (Sync-Failover) Device Group. Should the device become unavailable the failover object is then served by the other device within the Device Group.

Device Trust - Represents a trust relationship between devices, also known as a trust domain. This is achieved via certificate based authentication. Device Trust is a prerequisite for both device groups and traffic groups.

Note : The initial trust of each device is performed over the management interface.

Folders - Folders contain configuration objects for the necessary partition in which they reside. This provides greater granularity over what configuration you decide to synchronize between devices. Both the default and the top level folder is root.

Note : Each of these items can be located via the GUI under 'Device Management'.

SYNCHRONIZATION

Unlike v10.x and below, TMOS v11 now uses rsync internally to perform synchronization between devices. Also unlike v10, which used tcp/443 for synchronizing data, v11 uses tcp/4353.

Below are the available options and also the ways in which you can issue a synchronization.

    OPTIONS

The various options for synchronization can be found under 'Device Groups' and 'Devices'.

    DEVICE GROUPS

Automatic Sync (via Properties Panel) - Automatically synchronize objects between devices based on the modified time. The most recently modified object is synchronized to the other device. Because the modified time is used as the trigger, NTP (i.e. time synchronization) must be configured.

Full Sync (via Properties Panel) - Rather than only synchronizing the configuration objects that have been modified, the whole configuration is synchronized.

Network Failover (via Failover Panel) - Determines whether a network probe is sent between the devices to ensure neighbor status. This is instead of using cable based failover*.

* As cable based failover mandates that only 1 device can ever be active, cable based failover doesn't support an Active-Active based setup (i.e. more than 2 traffic groups).
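The modified-time trigger is why the article mandates NTP. The following added example (not from the article or from F5) simulates how Automatic Sync picks the surviving copy when the same object differs on two devices, and shows that a few minutes of clock skew lets a stale copy overwrite the newer one; device names, object values and timestamps are constructed, and the skew check is an assumed pre-sync sanity test rather than a TMOS feature.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ConfigObject:
    name: str
    value: str
    modified: float  # timestamp (seconds) taken from the saving device's own clock

def auto_sync(local: Dict[str, ConfigObject], peer: Dict[str, ConfigObject]) -> Dict[str, ConfigObject]:
    """Resolve each object the way Automatic Sync does: the copy with the most
    recent modified time wins and is pushed to the device holding the older copy.
    Objects present on only one side are simply copied across."""
    merged: Dict[str, ConfigObject] = {}
    for name in set(local) | set(peer):
        a, b = local.get(name), peer.get(name)
        if a is None or b is None:
            merged[name] = a if b is None else b
        else:
            merged[name] = a if a.modified >= b.modified else b
    return merged

def skew_warning(local_now: float, peer_now: float, tolerance: float = 1.0) -> Optional[str]:
    """Assumed pre-sync check: compare the two devices' clocks and refuse to trust
    modified times when they disagree by more than `tolerance` seconds."""
    drift = abs(local_now - peer_now)
    if drift <= tolerance:
        return None
    return f"clock skew {drift:.0f}s exceeds {tolerance:.0f}s; check NTP before syncing"

def demo(peer_skew_seconds: float) -> str:
    """Constructed scenario: Node 1 saved a newer pool definition at t=1000 on its
    clock; Node 2 still holds the old definition, saved at t=900 on its clock.
    If Node 2's clock runs `peer_skew_seconds` ahead, its stale copy looks newer."""
    node1 = {"pool-web": ConfigObject("pool-web", "members=10.0.0.11,10.0.0.12", 1000.0)}
    node2 = {"pool-web": ConfigObject("pool-web", "members=10.0.0.11", 900.0 + peer_skew_seconds)}
    return auto_sync(node1, node2)["pool-web"].value

if __name__ == "__main__":
    print("clocks in sync :", demo(0))      # newer definition wins
    print("peer +5 minutes:", demo(300))    # stale definition wins
```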

    DEVICES

Config Sync (via Device Connectivity) - Defines which interface is used for synchronization. It is recommended by F5 that this is a dedicated link.

Failover (via Device Connectivity) - Defines which port is used for the network failover probes.

Mirroring (via Device Connectivity) - Defines which interfaces are used for mirroring. It is recommended that a secondary address is also configured to provide redundancy should the primary fail.

    ISSUING A SYNC

Manual DSC synchronization can be performed via either the command line or the WebUI. To perform a manual synchronization within the WebUI go to 'Device Management / Overview'. From this screen you will be presented with an overview of the synchronization state across your devices and device groups.

You will also see the following options:

Sync Device to Group - Synchronizes any objects that have been recently modified to the other devices within the device group.

Sync Group to Device - Synchronizes any objects that have been recently modified from the devices within the group.

Overwrite Configuration - When performing the above action(s), synchronize the configuration regardless of when it has been modified.

DEPLOYMENT MODES

There are 2 main types of deployment modes with DSC, Active-Standby and Active-Active.

    ACTIVE-STANDBY

With an Active-Standby based deployment traffic is only processed by a single device. This is achieved via a single traffic group, within which all failover objects (virtual servers, self IPs etc.) reside. This traffic group is then active on one of the nodes. Should this node fail its HA checks, the traffic group will be marked as standby and the traffic group on the other node promoted to active.

    ACTIVE-ACTIVE

With an Active-Active based deployment traffic is processed by both devices. This is achieved via 2 Traffic Groups; (based on the example below) one Traffic Group is placed as active on Node 1 and the other as active on Node 2. Your failover objects are then assigned to either of the traffic groups, i.e. Virtual Server A in Traffic Group 1 and then Virtual Server B in Traffic Group 2.

This results in Node 1 processing traffic for Virtual Server A, and Node 2 processing traffic for Virtual Server B.

Note : It is important to ensure that both nodes are running under 50% capacity. This ensures that if either of the devices fails, then at the point all traffic is processed by the single node, the device's capacity is not reached.
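The 50% rule in the note is the two-node case of a more general check: after any single device fails, every surviving device must still have headroom for the traffic groups that land on it. The following added example (not from the article or from F5) computes that worst case for any number of devices. Loads are constructed percentages of one device's capacity, and the per-traffic-group failover order used to decide where a group lands is an assumption of the example.

```python
from typing import Dict, List, Tuple

# traffic-group name -> (load as % of one device's capacity, failover order, preferred device first)
TrafficGroups = Dict[str, Tuple[float, List[str]]]

def load_after_failure(groups: TrafficGroups, failed: str) -> Dict[str, float]:
    """Per-device load once `failed` is down: each traffic group becomes active on the
    first surviving device in its failover order (the assumed placement rule)."""
    load: Dict[str, float] = {}
    for name, (pct, order) in groups.items():
        survivors = [dev for dev in order if dev != failed]
        if not survivors:
            raise ValueError(f"{name}: no surviving device to fail over to")
        load[survivors[0]] = load.get(survivors[0], 0.0) + pct
    return load

def worst_case_load(groups: TrafficGroups) -> Dict[str, float]:
    """Highest load each device would see across every possible single-device failure."""
    devices = {dev for _, order in groups.values() for dev in order}
    worst: Dict[str, float] = {}
    for failed in devices:
        for dev, pct in load_after_failure(groups, failed).items():
            worst[dev] = max(worst.get(dev, 0.0), pct)
    return worst

def capacity_ok(groups: TrafficGroups, limit: float = 100.0) -> bool:
    """True when no device exceeds `limit` percent after any single failure."""
    return all(pct <= limit for pct in worst_case_load(groups).values())

# Constructed Active-Active pair: each traffic group active on one node at 40% load,
# so either node can absorb the other's group (80% after a failure).
ACTIVE_ACTIVE_OK: TrafficGroups = {
    "traffic-group-1": (40.0, ["node1", "node2"]),
    "traffic-group-2": (40.0, ["node2", "node1"]),
}
# Same pair at 60% each: either node failing pushes the survivor to 120%.
ACTIVE_ACTIVE_OVERLOADED: TrafficGroups = {
    "traffic-group-1": (60.0, ["node1", "node2"]),
    "traffic-group-2": (60.0, ["node2", "node1"]),
}

if __name__ == "__main__":
    print("40% each:", worst_case_load(ACTIVE_ACTIVE_OK), capacity_ok(ACTIVE_ACTIVE_OK))
    print("60% each:", worst_case_load(ACTIVE_ACTIVE_OVERLOADED), capacity_ok(ACTIVE_ACTIVE_OVERLOADED))
```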

CONFIGURATION

The first step in configuring DSC is to configure a Trust Domain. Then we configure the traffic groups for either an active-active or active-standby deployment.

    DEVICE TRUST

1. Goto 'Device Management' / 'Device Trust' / 'Peer List'.
2. Click 'Add'.
3. Enter the IP and credentials of the peer device.
4. Click 'Retrieve Device Information'.

    DEVICE GROUP

1. Goto 'Device Management' / 'Device Groups'.
2. Click 'Create'.
3. Enter a name, select 'Sync-Failover' as the 'Group Type', and then add all devices to the 'Included' members list.
4. Enable 'Network Failover'.

    SYNCHRONIZE

1. Goto 'Device Management' / 'Overview'.
2. Click 'Sync Device to Group'.
3. Click 'Sync'.
4. Wait for the Sync Status of both devices to turn green.

Note : To configure the IP used for ConfigSync and Mirroring, along with the IP, VLAN and Port for Network Failover, go to 'Device Management' / 'Devices' / '' / Device Connectivity.

ACTIVE-STANDBY

Once the trust domain is configured the floating IP for each VLAN needs to be configured.

    ASSIGN TRAFFIC GROUP 1

1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group1-floating'.

In this example we will only be using a single Traffic Group, because of this any virtual servers that are created will be placed into the default (single) traffic group.

Note : Should you require MAC Masquerading, a single traffic group can still be used. However this will result in the same MAC address being advertised for all Self IPs within the traffic group, which may complicate future troubleshooting.

    ACTIVE-ACTIVE

Once the trust domain is configured the floating IP for each VLAN needs to be configured. Once done, an additional traffic group is also created.

    ASSIGN TRAFFIC GROUP 1

1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group1-floating'.

    CREATE TRAFFIC GROUP 2

1. Goto 'Device Management' / 'Traffic Groups'.
2. Create a new Traffic Group called 'traffic-group-2' using all the default settings.

    DEMOTE TRAFFIC GROUP 2

1. Select 'traffic-group-2' from the list and select 'Force to Standby'.

The traffic group list will now show your current device running 1 traffic group as active and 1 traffic group as standby.

    ASSIGN TRAFFIC GROUP 2

1. Via 'Local Traffic / Virtual Servers / Virtual Address List' select the Virtual Server that you want to assign to 'traffic-group-2'.
2. Via 'Local Traffic / Virtual Servers / Virtual Server List' select your Virtual Server. Within the traffic group section select 'traffic-group-2'.

    ENABLE SNAT

1. Under 'Source Address Translation' select Automap*.

Once complete, the default traffic-group will be active on one node and traffic-group-2 will be active on the other node.

* As the Self IP is assigned to traffic-group-1, without Automap the traffic would be sent through the wrong device.

VE ISSUES

When configuring DSC on Virtual LTMs (when using the steps above) you may find that both sides show as disconnected. I have only found this in the lab for VE devices on both v11.4 and v11.5.

To resolve this you will need to change each of the devices' certificates to a self-signed certificate and also perform the steps in a slightly different order.

    STEPS

Below is a summary of the required steps.

1. Generate new self signed cert for each device - Goto Device Management / Device Trust / Local Domain. Select Generate New Self-Sign Authority.
2. Create Sync Interface - Create a new VLAN that will be used for synchronization, mirroring, and network failover on both devices.
3. Configure ConfigSync/Mirroring - Configure the interfaces that will be used for mirroring, config sync and network failover on both devices.
4. Configure Device Group - Create a Sync-Failover device group on Node 1 and only add the local device. Enable Network Failover.
5. Configure Trust - On Node 1 configure the Trust Domain.
6. Update Device Group - On Node 1 add the remote peer to the device group.
7. Traffic Group Assignment - Assign the traffic groups accordingly.
8. Synchronize - On Node 1 perform an initial synchronization via Sync Device to Group in 'Device Management' / 'Overview'.

    TROUBLESHOOTING

    CHECKS

If you are facing issues with your HA setup, the following should be checked:

- Verify NTP is working correctly.
- Check connectivity between peer addresses.
- Check Self IPs used as peer addresses reside in route domain 0.
- Ensure the following protocols/ports are permitted between nodes. Note : No matter which Port Lockdown setting is used, these ports are permitted.

  UDP/1026 (network failover)
  TCP/1028 (connection & persistence mirroring)
  TCP/4353 (CMI peer communication)

- Reset and rebuild your Trust Domain.
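As an added check for the list above (not from the article or from F5), the following script probes a peer's self IP for the two TCP ports DSC needs and reports which are unreachable; the peer address is a constructed placeholder, and the `probe` parameter exists so the logic can be exercised without a live device. UDP/1026 cannot be confirmed by a TCP connect and is reported as unverified, and a closed or filtered port on the F5 side looks the same from here.

```python
import socket
from typing import Callable, Dict, List

# Ports that must be permitted between DSC peers (from the troubleshooting checklist).
REQUIRED_PORTS = {
    ("udp", 1026): "network failover",
    ("tcp", 1028): "connection & persistence mirroring",
    ("tcp", 4353): "CMI peer communication",
}

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect; refused, unreachable or timed out all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_peer(host: str, probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, str]:
    """Return {service description: 'open' | 'BLOCKED' | 'unverified (udp)'} for the peer."""
    results: Dict[str, str] = {}
    for (proto, port), desc in REQUIRED_PORTS.items():
        if proto != "tcp":
            results[desc] = "unverified (udp)"   # no handshake to confirm with
        else:
            results[desc] = "open" if probe(host, port) else "BLOCKED"
    return results

def blocked(results: Dict[str, str]) -> List[str]:
    """Names of the services whose TCP port could not be reached."""
    return sorted(desc for desc, status in results.items() if status == "BLOCKED")

if __name__ == "__main__":
    PEER_SELF_IP = "192.0.2.20"   # placeholder: the peer's ConfigSync self IP
    report = check_peer(PEER_SELF_IP)
    for desc, status in report.items():
        print(f"{desc:40s} {status}")
    if blocked(report):
        print("check firewall rules / VLAN between the peers for:", ", ".join(blocked(report)))
```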

    COMMANDS

tmsh run /cm sniff-updates
tmsh run /cm config-sync
tmsh run /cm watch-devicegroup-device
tmsh run /cm watch-sys-device
tmsh run /cm watch-trafficgroup-device

tmsh show /cm traffic-group
tmsh show /cm sync-status

REFERENCES

http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html

COMMENTS

guest1234 (12 days ago):
Hello,
What if the peer VLAN has gone down and both F5 boxes are in standby mode? Is there any workaround for the F5 HA feature that, when the pool is not reachable for both devices, does not make the 2 boxes enter standby mode?

guest123 (22 days ago):
Hi, can we configure high availability between a hardware and a VM BigIP LTM? Thank you.

Rick Porter (22 days ago) > guest123:
Yep, as long as the software versions are the same you'll be fine.

guest123 > Rick Porter:
Thank you for your reply. Can I use any BigIP Virtual Edition with any BigIP hardware box?

cnoyes72 (3 months ago):
I get "This device is not found" when trying to add the peer unit's management IP to the peer list. I can ping it, so I'm not sure what the problem could be.

Vijay (3 months ago):
Thanks... good to watch about F5. I am just a beginner.

stfu (3 months ago):
Early in the article the port for syncing data is not correct - should be 4353.

Rick Porter (3 months ago) > stfu:
Great. Thanks for letting me know. This has been updated.

ABOUT THE AUTHOR

R DONATO

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Network Security engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001
