Forum Discussion

Sallz's avatar
Icon for Nimbostratus rankNimbostratus
Mar 11, 2022

BIG-IP Device-group synchronization

We normally deploy Big IP host devices as standalone, how come the guest devices sync with eachother when underlying host devices are not connected, I am coming from Palo alto world where they have HA cables connected and do the high availibilty syncing. How it happens in f5 over standalone hosts?



3 Replies

  • Hello, in factory-default configurations BIG-IP software includes a local trust domain with one member, which is the local device.

    You will always see this group in sync in a standalone scenario, but if you check "Device Management  Overview" you'll notice that there is actually only one device (again, local) in the group. 

    Also, according to K16509:

    starting from BIG-IP 11.6.0, the datasync-global-dg device group is automatically created on systems in any of the following scenarios:

    • You provision the BIG-IP ASM system on a new BIG-IP 11.6.0 installation.
    • You upgraded BIG-IP ASM systems from previous versions to BIG-IP ASM 11.6.0 (or later).
    • You added a BIG-IP 11.6.0 (or later) system to a trust domain that has another device with the datasync-global-dg device group.
    • You upgraded to BIG-IP 11.6.0 (or later), a BIG-IP system that belongs to a trust domain that has another device with the datasync-global-dg device group.

    After the datasync-global-dg device group is created on the systems, the device group automatically adds all devices in the same trust domain to itself. This includes devices that are not provisioned with the BIG-IP ASM system. The main purpose of the datasync-global-dg device group is to synchronize the system client-side scripts as well as the system cryptographic keys across all of the devices in the same trust domain. Therefore, this device group is essential in order to maintain the consistency of the system scripts and keys across all devices in the trust domain, and must not be removed from the devices.

    • Sallz's avatar
      Icon for Nimbostratus rankNimbostratus

      This is great info, what confuses me, how two standalone hosts (no physcial connection between them) are allowing the vcmp guests to be HA pair, while hosts are totally isolated?

      • vCMP Hosts don't need to be an HA pair. They will act as your hypervisor, providing physical resources and physical network connectivity to the Guest instances you're virtualizing on top.

        If no HA VLAN is tagged, I would suspect HA between your Guests was built via management interface. You can check this by going into "Device Management > Devices" menu and checking ConfigSync, Mirroring and Failover IP's for both "self" and "peer" objects.


        Edit: fixed typos, sorry I'm on mobile.