BigIP F5 LTM – High Availability (v10.x)

The F5 LTM can be configured in an HA (High Availability) setup. Configuring HA ensures that traffic is still processed in the event of a failure (such as a software or hardware failure).
Within this article we will explain and discuss an Active / Standby HA F5 setup. This allows one unit to pass traffic (Active) whilst the other acts as standby, ready to take over the active role should a failover event occur.

Communication

There are 2 HA communication methods. These methods provide the mechanism by which each node determines whether it should be placed into an Active or Standby status.

Hardware Failover – Each F5 LTM provides a front panel port to which a failover cable can be connected to interconnect both systems. The failover cable is a specially pinned DB9 cable and is only used to pass a voltage (which the active system supplies). If the backup device detects that there is no voltage on its corresponding port, the failover mechanism is initiated.
Network Failover – Network failover overcomes the ~50 ft cable limitation imposed by hardware failover. A network pulse is sent via UDP 1026. If the backup device does not receive the network pulse within the given time period, the failover mechanism is initiated.

Network failover is configured within ‘System / High Availability / Network Failover’.

Communication Types

There are 3 types of network communication that can occur between a BIG-IP LTM pair. These are:

Synchronisation (of configuration) between nodes via TCP 443.
Mirroring (connection and persistence information) via TCP 1028.
Network failover via UDP 1026.
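The three port/protocol pairs above give a defender a small, exact baseline for what HA-plane traffic between a BIG-IP pair should look like. The following Python script is an added example (not part of the original article and not F5 tooling) that applies that baseline to flow records: it flags flows on the HA ports where only one endpoint is a peer, and it measures the interval between successive UDP 1026 pulses from the active unit so that gaps longer than a chosen threshold stand out. The record format, the flow records, the 3-second threshold and the peer addresses (borrowed from the configuration example later in the article) are all constructed here; the real failover timeout is whatever is configured on the unit.

```python
"""Audit BIG-IP HA-plane traffic seen in flow records.

Added example, not F5 code. The HA port table comes from the article (config
sync TCP 443, mirroring TCP 1028, network failover UDP 1026). The flow records,
peer addresses and heartbeat threshold below are constructed for the demo.
"""
from typing import Dict, FrozenSet, List, Tuple

# HA-plane services keyed by (protocol, destination port), per the article.
HA_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "config sync",
    ("tcp", 1028): "connection/persistence mirroring",
    ("udp", 1026): "network failover heartbeat",
}


def parse_flow(rec: str) -> Tuple[float, str, str, str, int]:
    """Constructed record format: '<epoch secs> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = rec.split()
    return float(ts), src, dst, proto.lower(), int(dport)


def audit_endpoints(records: List[str], peers: FrozenSet[str]) -> List[str]:
    """One finding per HA-port flow with exactly one endpoint inside the pair.

    HA ports between the two peers are expected. Flows where neither endpoint
    is a peer are unrelated (e.g. ordinary HTTPS) and ignored; flows where only
    one endpoint is a peer mean either a foreign host on the HA plane or a unit
    sending heartbeats/mirror data to the wrong address, and deserve a look.
    """
    findings: List[str] = []
    for rec in records:
        ts, src, dst, proto, dport = parse_flow(rec)
        service = HA_PORTS.get((proto, dport))
        if service is None or (src in peers) == (dst in peers):
            continue
        findings.append(f"t={ts:.1f} {service} ({proto}/{dport}) {src} -> {dst}: "
                        "endpoint outside the HA pair")
    return findings


def heartbeat_gaps(records: List[str], active: str, standby: str,
                   max_gap_s: float) -> List[Tuple[float, float, float]]:
    """(previous, next, gap) for each UDP 1026 pulse active->standby that arrived
    more than max_gap_s after the one before it. A gap longer than the unit's
    configured failover timeout is exactly the condition under which the
    standby would take over."""
    pulses = sorted(ts for ts, src, dst, proto, dport in map(parse_flow, records)
                    if (src, dst, proto, dport) == (active, standby, "udp", 1026))
    return [(a, b, b - a) for a, b in zip(pulses, pulses[1:]) if b - a > max_gap_s]


PEERS = frozenset({"172.16.1.70", "172.16.1.71"})  # self IPs from the config example
FLOWS = [  # constructed flow records
    "1000.0 172.16.1.70 172.16.1.71 udp 1026",  # heartbeat between peers: expected
    "1001.0 172.16.1.70 172.16.1.71 udp 1026",
    "1002.0 172.16.1.70 172.16.1.71 udp 1026",
    "1002.0 172.16.1.71 172.16.1.70 tcp 1028",  # mirroring between peers: expected
    "1002.5 172.16.1.70 172.16.1.71 tcp 443",   # config sync between peers: expected
    "1003.0 10.0.0.5 172.16.1.70 udp 1026",     # heartbeat from a host outside the pair
    "1004.0 172.16.1.70 172.16.1.99 tcp 1028",  # mirroring towards an unknown address
    "1005.0 10.0.0.9 10.0.0.10 tcp 443",        # unrelated HTTPS: ignored
    "1007.0 172.16.1.70 172.16.1.71 udp 1026",  # 5 s after the previous pulse
    "1008.0 172.16.1.70 172.16.1.71 udp 1026",
]

if __name__ == "__main__":
    for line in audit_endpoints(FLOWS, PEERS):
        print(line)
    for prev, nxt, gap in heartbeat_gaps(FLOWS, "172.16.1.70", "172.16.1.71", 3.0):
        print(f"heartbeat gap of {gap:.1f}s between t={prev:.1f} and t={nxt:.1f}")
```

On the constructed records this reports two foreign-endpoint flows and one 5-second heartbeat gap. The same logic applies to exported NetFlow or firewall logs once they are reduced to the timestamp/src/dst/proto/dport tuple; TCP 443 is only treated as HA traffic when one of the peers is involved, so ordinary HTTPS elsewhere on the network is not reported.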

HA Table

Failed events are written to the HA table. Processes monitor this table continuously for failed instances, and the necessary action is taken. These actions are configured with the High Availability feature options.

Failover Triggers

Numerous events are monitored, such as:

Daemon Heartbeats – By default six of the core LTM daemons are monitored. In the event of failure the daemon is either restarted or the device is rebooted. The defaults can be configured via ‘System > High Availability > Failsafe > System Services’.
VLAN Failsafe – When enabled, traffic traversing the VLAN is monitored. BIG-IP also initiates traffic (ICMP Echo requests) in an attempt to receive/generate traffic. If no traffic is received on the VLAN (within the given time period), the designated action is taken.
Switchports – The switchboard is monitored. If an error is detected, the Traffic Management process is aborted.

Stateful Failover

Stateful failover ensures that each device has a copy of the state information (such as connection information, persistence data etc). At the point of failover, connections through the newly promoted node can continue.

Note: Mirroring is enabled on a per-profile basis.

Mirroring – Mirroring is the feature used to synchronise the active device's real-time connection and/or persistence state information to the standby system.
Connection Mirroring – Connection mirroring is enabled on a per-virtual-server basis and is disabled by default (due to the overhead required).
Persistence Mirroring – Though persistence mirroring is disabled by default, it typically should always be enabled, apart from when cookie persistence is being used.
SNAT Connection Mirroring – SNAT mirroring is configured from within each SNAT. The active system must keep track of the ports and connections held within its connection table. In the event of failover the newly promoted node must have a copy of these records to ensure that SNAT connections are maintained.

MAC Masquerading

At the point of failover BIG-IP sends a gratuitous ARP to ensure that neighbouring ARP caches are updated. This can however cause issues when the gratuitous ARP is ignored and subsequent traffic is sent to the old MAC address. MAC Masquerading allows the BIG-IP to maintain a virtual MAC address for each VLAN.
MAC Masquerading is configured via the ‘VLAN / Advanced’ configuration section. A typical value used when configuring MAC Masquerading is to set the first byte of the MAC address to 0x02, i.e. if the MAC address of one of your systems is 00:00:00:00:00:01 the masqueraded MAC address would be 02:00:00:00:00:01.

Configuration Example

Within this example we will configure an HA setup using network failover.

Note: The following configuration settings were pulled from the bigip.conf and bigip_base.conf configuration files.

##################
##### UNIT 1 #####
##################

self 172.16.1.80 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan EXTERNAL
   allow all
}
self 192.168.1.80 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan INTERNAL
   allow all
}
configsync {
   auto detect enable
}
mgmt 2.2.2.2 {
   netmask 255.255.255.0
}
vlan EXTERNAL {
   tag 4094
   failsafe enable
   timeout 10
   failsafe failover
   interfaces 1.1
}
vlan INTERNAL {
   tag 4093
   failsafe enable
   timeout 10
   failsafe failover
   interfaces 1.2
}
self 172.16.1.70 {
   netmask 255.255.255.0
   vlan EXTERNAL
   allow all
}
self 192.168.1.70 {
   netmask 255.255.255.0
   vlan INTERNAL
   allow all
}
failover {
   force active disable
   peer mgmt addr 1.1.1.1
   unicast peer F5HA {
      dest addr 172.16.1.71
      port 1026
      source addr 172.16.1.70
   }
}
statemirror {
   addr 172.16.1.70
   peer addr 172.16.1.71
}
system {
   gui setup disable
   hostname "bigip1-unit1.home"
}

##################
##### UNIT 2 #####
##################

self 172.16.1.80 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan EXTERNAL
   allow all
}
self 192.168.1.80 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan INTERNAL
   allow all
}
configsync {
   auto detect enable
}
mgmt 1.1.1.1 {
   netmask 255.255.255.0
}
vlan EXTERNAL {
   tag 4093
   failsafe enable
   timeout 10
   failsafe failover
   interfaces 1.1
}
vlan INTERNAL {
   tag 4094
   failsafe enable
   timeout 10
   failsafe failover
   interfaces 1.2
}
self 172.16.1.71 {
   netmask 255.255.255.0
   vlan EXTERNAL
   allow all
}
self 192.168.1.71 {
   netmask 255.255.255.0
   vlan INTERNAL
   allow all
}
failover {
   force standby disable
   peer mgmt addr 2.2.2.2
   unit 2
   unicast peer F5HA {
      dest addr 172.16.1.70
      port 1026
      source addr 172.16.1.71
   }
}
statemirror {
   addr 172.16.1.71
   peer addr 172.16.1.70
}
system {
   gui setup disable
   hostname "bigip1-unit2.home"
}

Unit 1 – Primary

Set Redundancy / Unit ID

  1. Within ‘System / Platform / General Properties’ set the High Availability to ‘Redundant Pair’.
  2. Within ‘System / Platform / General Properties’ set the Unit ID to ‘1’.

Set Floating IPs

  1. Within ‘Network / Self IPs’ create a new self IP. This will act as a VIP. Add the IP / Netmask and select Floating IP along with a Unit ID of ‘1’.

Set Failover Options

  1. Within ‘System / High Availability / Network Failover’, enable Network Failover and add the peer management IP address (note this must exactly match the peer's management IP address, otherwise both units will become active). Within the unicast section configure the following settings:

– Configuration Identifier: F5HA
– Local Address: <LOCAL IP ADDRESS>
– Remote Address: <PEER IP ADDRESS>
– Port: 1026

Unit 2 – Standby

Set Redundancy / Unit ID

  1. Within ‘System / Platform / General Properties’ set the High Availability to ‘Redundant Pair’.
  2. Within ‘System / Platform / General Properties’ set the Unit ID to ‘2’.

Set Floating IPs

  1. Within ‘Network / Self IPs’ create a new self IP. This will act as a VIP. Add the IP / Netmask and select Floating IP along with a Unit ID of ‘1’.

Set Failover Options

  1. Within ‘System / High Availability / Network Failover’, enable Network Failover and add the peer management IP address (note this must exactly match the peer's management IP address, otherwise both units will become active). Within the unicast section configure the following settings:

– Configuration Identifier: F5HA
– Local Address: <LOCAL IP ADDRESS>
– Remote Address: <PEER IP ADDRESS>
– Port: 1026
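The HA settings above are spread across two files on two units, and the steps warn that a peer management address which does not exactly match leaves both units active. The following Python script is an added example, not part of the original article and not F5 tooling: it parses the HA-relevant blocks of two bigip_base.conf excerpts and cross-checks them, verifying each unit's peer mgmt addr against the other unit's mgmt address, that the unit IDs differ, that the unicast failover source/destination addresses point at each other, that the statemirror addresses cross-reference, and that the floating self IP definitions are identical. The sample configs are rebuilt from the UNIT 1 / UNIT 2 values shown above; UNIT2_TYPO is a constructed copy of unit 2 with the peer management address mistyped, so the failure the steps describe is visible in the output.

```python
"""Cross-check the HA settings of a BIG-IP v10 active/standby pair.

Added example, not F5 code. Samples reuse the article's UNIT 1/UNIT 2 values;
UNIT2_TYPO is a constructed fault (mistyped peer mgmt addr).
"""
from typing import Any, Dict, List, Optional

Block = Dict[str, Any]  # "_props": [property lines], "<header>": nested Block

def parse_conf(text: str) -> Block:
    """Line-based parser for the v10 bigip.conf / bigip_base.conf syntax."""
    root: Block = {"_props": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):            # 'failover {' opens a nested block
            sub: Block = {"_props": []}
            stack[-1][line[:-1].strip()] = sub
            stack.append(sub)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:                             # 'peer mgmt addr 1.1.1.1' is a property
            stack[-1]["_props"].append(line)
    if len(stack) != 1:
        raise ValueError("unclosed block in configuration")
    return root

def prop(block: Block, key: str, default: Optional[str] = None) -> Optional[str]:
    """Value of a (multi-word) key: prop(b, 'peer mgmt addr') -> '1.1.1.1'."""
    for line in block["_props"]:
        if line.startswith(key + " "):
            return line[len(key) + 1:].strip().strip('"')
    return default

def child(block: Block, kind: str) -> Optional[Block]:
    """First nested block whose header starts with kind ('mgmt', 'unicast', ...)."""
    for header, sub in block.items():
        if header != "_props" and header.split()[0] == kind:
            return sub
    return None

def floating_selfs(root: Block) -> Dict[str, str]:
    """address -> unit ID of every floating self IP (unit defaults to 1)."""
    return {h.split()[1]: prop(b, "unit", "1") for h, b in root.items()
            if h.startswith("self ") and prop(b, "floating") == "enable"}

def check_pair(conf_a: str, conf_b: str) -> List[str]:
    """Return findings; an empty list means the two units' HA settings agree."""
    a, b = parse_conf(conf_a), parse_conf(conf_b)
    fa, fb = child(a, "failover"), child(b, "failover")
    if fa is None or fb is None:
        return ["failover block missing on at least one unit"]
    out: List[str] = []

    def mgmt_ip(root: Block) -> Optional[str]:
        return next((h.split()[1] for h in root if h.startswith("mgmt ")), None)

    # The article's warning: peer mgmt addr must exactly match the peer's
    # management address, otherwise both units become active.
    for name, f, peer in (("A", fa, mgmt_ip(b)), ("B", fb, mgmt_ip(a))):
        if prop(f, "peer mgmt addr") != peer:
            out.append(f"unit {name}: peer mgmt addr {prop(f, 'peer mgmt addr')}"
                       f" != peer's mgmt address {peer}")
    if prop(fa, "unit", "1") == prop(fb, "unit", "1"):
        out.append("both units claim the same unit ID")
    ua, ub = child(fa, "unicast"), child(fb, "unicast")
    if ua is None or ub is None:
        out.append("unicast failover peer missing on at least one unit")
    elif (prop(ua, "dest addr") != prop(ub, "source addr")
            or prop(ub, "dest addr") != prop(ua, "source addr")):
        out.append("unicast failover addresses do not point at each other")
    sa, sb = child(a, "statemirror"), child(b, "statemirror")
    if sa and sb and (prop(sa, "addr") != prop(sb, "peer addr")
                      or prop(sb, "addr") != prop(sa, "peer addr")):
        out.append("statemirror addr / peer addr do not cross-reference")
    if floating_selfs(a) != floating_selfs(b):
        out.append("floating self IP definitions differ between units")
    return out

def ha_excerpt(mgmt: str, peer_mgmt: str, local: str, peer: str, unit: str = "") -> str:
    """HA-relevant blocks in the article's layout; unit '' means the default, 1."""
    unit_line = f"   unit {unit}\n" if unit else ""
    return ("self 172.16.1.80 {\n   unit 1\n   floating enable\n   vlan EXTERNAL\n}\n"
            f"mgmt {mgmt} {{\n   netmask 255.255.255.0\n}}\n"
            f"self {local} {{\n   vlan EXTERNAL\n}}\n"
            f"failover {{\n   peer mgmt addr {peer_mgmt}\n{unit_line}"
            f"   unicast peer F5HA {{\n      dest addr {peer}\n      port 1026\n"
            f"      source addr {local}\n   }}\n}}\n"
            f"statemirror {{\n   addr {local}\n   peer addr {peer}\n}}\n")

UNIT1 = ha_excerpt("2.2.2.2", "1.1.1.1", "172.16.1.70", "172.16.1.71")
UNIT2 = ha_excerpt("1.1.1.1", "2.2.2.2", "172.16.1.71", "172.16.1.70", unit="2")
UNIT2_TYPO = ha_excerpt("1.1.1.1", "2.2.2.1", "172.16.1.71", "172.16.1.70", unit="2")  # constructed
```

check_pair(UNIT1, UNIT2) returns an empty list for the article's values, while check_pair(UNIT1, UNIT2_TYPO) returns a single finding naming the mismatched peer mgmt addr. To use it on a real pair, read each unit's bigip_base.conf and pass the two strings; the parser understands only the brace-and-property layout shown above.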

Configuration Options

The following configuration options are available from within ‘System / High Availability’ in the Web UI.

Redundancy – General properties such as state preference etc.
ConfigSync – Defines how the configuration is synchronized between nodes.
Network Failover – Defines the parameters for network failover (how the standby unit determines the status of the active unit).
Network Mirroring – Defines the addresses that are used to mirror connections and session persistence records between the systems.
HA Group – Defines the parameters for configuring an HA group. An HA group is a set of trunks, pools, or clusters (or any combination of these) that you want the BIG-IP system to use to calculate an overall health score for a unit in a redundant system configuration.
Fail-safe – Defines the various failover triggers, such as VLAN Failsafe, Daemon Heartbeats etc.

Commands

Below are some of the main commands that can be used to administer HA from the command line.

(tmsh)
run sys config-sync – push/sync config to peer

(bigpipe)
bigtop – Confirm system state
b failover standby – Force to standby mode
b ha table – show ha table
b ha table failures – show ha table failures
b config sync all – sync configuration

Files

The bulk of the HA configuration settings are defined within the file ‘bigip_base.conf’. It is important to note that this file is not synchronized between systems.

Rick Donato
