BIGIP active/active redundancy

Question

Hi,&nbsp;
&nbsp;I'm trying to get active/active working and have got both devices in active mode but I'm having issues specifing which VIPs should be on which unit from what I can gather its done via SNATS which I have setup.  So I have a VIP on the snat for unit 1 and all works fine, if I force unit 1 offline then the VIP works via unit 2 as you would expect, but if I chamge the VIP to use the snat for unit 2 with both units online then the VIP does not work.  Any ideas?&nbsp;
&nbsp;My understanding from reading old posts is that active/active is not recommened, my boss would like to see something in documention from f5 stating this is there any?&nbsp;
&nbsp;Cheers.&nbsp;&nbsp;

hoolio · Answer

Hi Festah, 
&nbsp;  
&nbsp; I don't know of any official articles which document reasons not to use Active-Active, but it's generally not a best practice for these reasons: 
&nbsp;  
&nbsp; - You need to manually assign virtual servers to each unit so it's not easy to keep both units equally utilized initially or over time. 
&nbsp; - There is a concern that both units will be used past 50% utilization.  If that happens and then one unit fails, the remaining unit won't be able to support the load. 
&nbsp; - You must associate a virtual address (for a virtual server or SNAT) with a specific unit ID.  That´s also the case for network/wildcard virtual servers (i.e. required for outgoing traffic).  So only one unit can act as a default gateway for such purposes.  This is forcing you to use serverside SNAT or nPath in most deployments or to specify different default gateways on your servers to respond via the original unit.  
&nbsp; - Using VLAN groups will also be difficult in active/active, because both active units now create a layer 2 loop.   
&nbsp; - For W2k8 pool members, the server will ignore the gratuitous ARP in a failover – forcing you to use MAC Masquerading.  This is considered a security enhancement by Microsoft and cannot be disabled.   So if the servers are in a directly connected subnet to the LTM and running 2k8 active/active may not work for them. 
&nbsp;  
&nbsp; I'm sure there are other reasons that active-active isn't a best practice architecture, but these are some of the main reasons I could find. 
&nbsp;  
&nbsp; Aaron 
&nbsp;  &nbsp;

Forum Discussion

BIGIP active/active redundancy

Recent Discussions

Default retry time inband monitor

how to monitor the axfr master response

Http / https health monitor issue

I used the wrong email account when take Application Delivery Exam (101)

F5 looses the token for the first call

Related Content

Advent Calendar, IPA alert, Active Cyber Defense, call ChatGPT

Exploit PowerShell, Ransomware Attack Report, Active Cyber Defense, Attack to GPS

Azure Active Directory and BIG-IP APM Integration

Re: BigIP Report

Re activate license failed

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS