Forum Discussion

Brandon_79990's avatar
Brandon_79990
Icon for Nimbostratus rankNimbostratus
Mar 27, 2012

Active/Passive pair on LTM and ARP updates on failover

Hello everybody,

 

 

I have looked around for this answer for a while, but I havent found anything that can fix my problem.

 

 

In a one-armed scenario, I have 2 Big-IP LTMs configured in an Active/Passive config. I have multiple virtual servers configed and they are working relatively well. When I failover to my standby F5 device (which is connected to a different Cisco switch) failover completes on the F5 devices but my new active LTM does not offer the Virtual Servers service. In summary: I can ping a virtual server (ie, Sharepoint) prior to failover, but after failover it does not ping.

 

 

My networking guys looked on the switch for the standby unit that wont work, and they are not seeing the Virtual Servers MACs in the ARP table.

 

 

I saw a previous post about not having portfast on the ports, but we have that configured as it is an access port w/out vlan tagging.

 

 

Any ideas? I reviewed the Active/Passive set up manual again, but everything looks good in the HA config. The Virtual Address List do have the ARP checkbox enabled.

 

 

Thanks!

 

  • Hi Brandon,

     

     

    It sounds like the switches might not be learning the new MAC address for the newly active unit. When the new unit goes active it should send gratuitous ARPs for all of the addresses it now owns. You could configure MAC masquerading to ease this process.

     

     

    sol7214: Configuring MAC masquerading

     

    http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7214.html

     

     

    Aaron
  • Thanks Aaron!

     

     

    I had read about MAC masquerading as a possibility but wasn't sure if that was right for our deployment. I went ahead and configured it. After the following process everything worked:

     

     

    configure MAC masquerading

     

    make the standby node the active node

     

    clear ARP on the switches/core

     

    move the active node back (or just keep it where its at)

     

     

     

    For others' future reference, in v11.1 the process to configure MAC masquerading changed a bit:

     

    http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13145.html?sr=20405614

     

     

    Thanks again
  • Thanks for confirming the fix. I didn't realize you were on 11.x. Here's a related SOL for people upgrading to 11.x from previous versions:

     

     

    sol13145: Change in Behavior: The BIG-IP system now associates masqueraded MAC address with traffic group

     

    https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13145.html

     

     

    Aaron