For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mariappan_S_156's avatar
Mariappan_S_156
Icon for Nimbostratus rankNimbostratus
Jan 05, 2015

APM - ACTIVE/ACTIVE - NOT SUPPORTED

Hi all,

 

Currently we are using two f5 4000 devices on active/standby mode and ssl vpn (APM) for remote users and LTM as LB for exchange 2013 on LAN environemnt users. We have a plan for configure both devices on active/active mode for some license reason. from the below url we come know apm will not supported for active/active mode,

 

Please share all your view on this.

 

[https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/3.html]

 

Access Policy Manager (APM) is not supported in an Active-Active configuration. APM is supported in an Active-Standby configuration with two BIG-IP systems only.

 

application delivery
availability
BIG-IP Access Policy Manager (APM)
deployment
design
performance
security

3 Replies

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Jan 05, 2015

    Mariappan,

     

    Unfortunately, right now it is as written - APM is not supported in Active/Active configuration, so you will not be able to configure both devices in Active/Active mode. What license reasons are you referring to? Active/Active is generally not the best idea when we're talking about a pair of devices due to a greater possibility to overwhelm a second device in case of failover if the capacity is not provisioned properly. It makes more sense in a greater cluster - at least 3 or more devices - but I would advise against Active/Active deployment on a pair of devices unless there is some absolute compelling reason for that(even when it is supported).

     

  • Pedro_Haoa's avatar
    Pedro_Haoa
    Ret. Employee
    Apr 10, 2017

    Hi,

     

    You can overcome this issue creating 2 Virtual Servers for the same VPN-SSL service. So then, you can use BIG-IP DNS to load balance your incoming VPN-SSL traffic to both internal BIG-IP APMs. Then you have an Active-Active Deployment with 2 BIG-IPs processing SSL/TLS VPN Traffic.

     

    Ex.: For service vpn.pedrohaoa.cl, you can have one VS:200.100.50.X:443 and another VS:100.50.25.Y and LB your incoming traffic with BIG-IP DNS to deliver traffic to both BIG-IP APMs, each one with one VS in Active-Standby mode.

     

    BIG-IP DNS+APM can creates the Active-Active Layer that you need.