For a given vip is it possible to define pool of servers that are active and also some pool of members that passive. Basically this is what I want to do: 1. Define active pool of servers for a vip 2. Define passive pool of servers for a vip 3. When all the members in pool go down then make passive pool active Is it possible to do that in LTM? If it's possible then when one of the pool members (previously active) become active again does it switch it back?

Hi Manc, Yes it's definitely doable with LTM. You can do this either 2 ways : iRule or point-n-click configuration. Point-n-click method Basically you setup a single pool that is configured for Priority Load balancing For Example: You have 4 servers and you want 2 of the servers active all the time, but as soon as 2 of them fail due to the health check, then the other 2 servers come on line. If the 2 primary servers come back then return the traffic. The structure would be Pool A Server 1 Priority 100 ratio 1 Server 2 Priority 100 ratio 1 Server 3 Priority 50 ratio 1 Server 4 Priority 50 ratio 1 You would probably add persistence so that you don't abruptly move connections during a failback and rather wait for the existing connection to close. However, this all depends entirely on the application requirements for persistence. There are more details on how to do this on the F5 Configuration Guide you can find on http://ask.f5.com iRule Method The reason why you would want to use iRules is that is basically allows you even more granular control over how you want configure your active/passive configuration. Here is a simple example when CLIENT_ACCEPTED { if { [active_members active_pool ] >= 1 } { pool active_pool } else { pool passive_pool } } This iRule assumes you have defined 2 different pools. I hope this helps Bhattman

There is another available option that is close to what you are requestion using the Priority Activation Groups. It will keep a specified number of servers available and on-line (basically keeping your load distributed rather than continually loading it onto the last server and slowing down performance until it either fails, is taken off-line, or the other active servers become available again). Available option on the Pool settings. Under Load Balancing the "Priority Group Activation" to "Less than..." and then select the number of members you always want active. Then go to each node and change the Priority Group for each server. Example: If I set the Priority Activation Group to Less than 3 the Load Balancer will always keep 3 servers available. (Higher the Activation Group the higher the preference) 10.10.10.1 - Priority Activation Group 3 10.10.10.2 - Priority Activation Group 3 10.10.10.3 - Priority Activation Group 3 10.10.10.4 - Priority Activation Group 2 10.10.10.5 - Priority Activation Group 2 10.10.10.6 - Priority Activation Group 2 10.10.10.7 - Priority Activation Group 1 10.10.10.8 - Priority Activation Group 1 10.10.10.9 - Priority Activation Group 1 If one server in Group 3 dies, then a server from Group 2 will be begin to take traffic. If two servers in Group 3 die, then two servers in Group 2 will be begin to take traffic. and so on.... This is basically an Active / Standby ability.

Thanks! Is it possible to configure it such that Group 2 server takes over only when all the servers in Group 3 are down?

I believe so... This is the description giving for Priority Activation Groups: Specifies, when enabled, that the system load balances traffic across activated members of their priority group. To enable priority group activation, select Less than from the list, and type the number of members below which the system activates the group. Once you enable priority group activation, you can use options on the Member Properties screen to assign each member to a priority group. The system sends traffic to members in priority-group order. I believe that if you select Less than 0, that it will not activate anything in the next group until there are 0 available members of the previous group. NOTE: As soon as a member of a Higher Priority Group recovers, traffic will begin flowing back to the Higher Priority Group. (This should happen with new connections. It will not shift the current traffic currently connected to servers in a Lower Priority Group). I would suggest testing it to verify (I've never drained one group to zero before transferring the load to a new group. I use it more as an Hot Standby Activation), but it should do what you are wanting. You can see the current load on each member of a pool by going to the following: v9.x Overview -> Statistics Statistics Type: Pools v10.1.x Overview -> Statistics -> Local Traffic Statistics Type: Pools

Can LTM be used to configure Active and Passive Servers?

shawn306_84070
Nimbostratus
Apr 08, 2011
Ok so here is the setup....

One pool that has two members

10.40.0.75 : This is going to be the primary box that people will be connecting to and should have all the traffic going to

10.40.40.18: This will be the DR box so in case the primary goes down this one will pick up the traffic.

I set the priority group for 10.40.0.75 to 1

I set the priority group for 10.40.40.18 to 0

I want one member active at all times. So should priority group activation be set to Less than 1 active member or 2 ?
Michael_Yates
Nimbostratus
Apr 11, 2011
Less than 1 would be the Active / Hot Standby configuration that you are looking for.
shawn306_84070
Nimbostratus
Apr 11, 2011
Michael,

Many thanks !!!!!

Shawn
james_lee_31100
Nimbostratus
May 14, 2015
I have similar requirement for this

1) when node 10.0.21.201 is up, it is always taking traffic 2) if node 10.0.21.201 is down, node 10.0.21.255 will take traffic 3) when node 10.0.21.201 is back online, load balancer will direct traffic to node 10.0.21.201

I tested it works for case 1 and 2, not case 3?

Any suggestions?

ltm pool /Common/pool-ambari_8441 { load-balancing-mode least-connections-member members { /Common/10.0.21.201:8441 { address 10.0.21.201 priority-group 3 } /Common/10.0.21.255:8441 { address 10.0.21.255 } } min-active-members 1 monitor /Common/MON-ambari-8441 }
DR_A__18839
Historic F5 Account
May 15, 2015
Getting a stateful load balancer to do this will be "challenging". And it is worth noting that in all but a handful of scenarios (one maybe?) completely undesired.

To know whether it is even possible, we would need the Virtual config to see whether persistence is enabled and what profiles were in-use (possibly need their config also; iRules too?) to assess whether it was possible to use Performance Layer4 type Virtual.

Best case scenario, this might be possible by following the nPath configuration instructions (search on AskF5 should bring this up; worth noting that the name "nPath" has fallen out of favor, so it will commonly be referred to as DSR, or Direct Server Return) -- note that you aren't really doing nPath, but by configuring the F5 for nPath will allow it to not be stateful. This means each packet will be considered for load balancing individually, and that the F5 will no longer be stateful at_all outside of the response packet for a given egressed packet to the pool member (basically, you're configuring us as a dumb router, not a load balancer).

Coming back from the "how" to briefly visit on the "whether": Configuring an F5 Virtual to behave like a dumb L3 device is typically not possible and/or undesired in all but a gateway pool type scenario. The antithesis of this type of configuration would be a secure web shopping cart. As always, I highly recommend testing via a lab, or if needs be, via a "test" virtual that will impact only test traffic to ensure proper operation.
james_lee_31100
Nimbostratus
May 15, 2015
Thanks Don, I am not sure why nPath in the picture, could you give an example?

Here is the vip configuration, no persistence. ltm virtual /Common/priv-np-int-sjambari_8441 { destination /Common/10.0.22.6:8441 ip-protocol tcp mask 255.255.255.255 pool /Common/pool-int-sjambari_8441 profiles { /Common/tcp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
- james_lee_31100
  Nimbostratus
  May 15, 2015
  and client is on the same subnet as those servers
DR_A__18839
Historic F5 Account
May 15, 2015
Maybe also possible that slow ramp + PGA is effecting distribution expectations? Review SOL16242 for applicability to your situation: https://support.f5.com/kb/en-us/solutions/public/16000/200/sol16242.html

(never saw reference to instability of your alternate pool member, so not a direct match unless that was omitted)

Or, perhaps you just didn't wait more than 10s?

nPath has nothing to do with this. I noted nPath config on the F5 would allow a shift between pool members of active traffic, but also noted that this is nonsensical unless we're dealing w/L3 pool members gw/router type devices (something I find unlikely given the provided config).

I can only think of a few possible causes for the described behavior: active traffic, a form of persistence, slow ramp, or perhaps even a bug.

Persistence is stated as a non-issue (not in-use; and my cursory glance of config agrees). Slow ramp may be an issue (if you didn't wait 10s), but the bug on slow ramp + PGA doesn't seem to fit (see the final req in the SOL). I don't know the environment, what you're trying to pass, nor your level of expertise, so I'm tossing out more-or-less random ideas.

FWIW: A traffic capture during the 3rd case scenario would answer a lot of questions and garner significant understanding.

If I were wanting to figure this out, I'd use a traffic capture command similar to the following to get further insight: tcpdump -nnei0.0:p -c1000 host 10.0.22.6 and tcp port 8441

Assuming a more modern TMOS version, :p should adequately fetch the related SNAT'd server side connections for the filtered for client side virtual traffic.

In your lab repro, stop the primary pool member, start the tcpdump on the active F5, start the client test traffic, restore service to the primary pool member, wait ~15s (slow ramp + 5s), then stop the capture.

Good luck!

If you choose to post the results of the traffic capture to this thread, I highly suggest scrubbing the output to meet your security standards (as I'm sure you've already done with the provided configuration). I personally don't see a problem with posting this sort of thing, but I'm not your security policy administrator. ;)

If you do want to scrub, I suggest saving the txt output capture to a file, and then running a sed line similar to: sed 's/[mac1]/F5_server_MAC/g;s/[mac2]/primary_pool_MAC/g;s/[ip1]/primary_pool_ip/g' capture.txt

Where "[mac1]" is the literal MAC address of the F5 server_side MAC address, and so on.

Beyond that, if my tcpdump or sed command are incorrect, you have my apologies. I didn't test them.
james_lee_31100
Nimbostratus
May 15, 2015
No Luck..

I might think of this way, any sharp eyes could help, there is any issues with this Irule

set primary_down 0

when client_accepted { tcp::collect 15 }

when CLIENT_DATA { if { [active_members pool-ambari_8441] < 1 } { pool pool-ambari-standby_8441 set primary_down 1 } elseif { [active_members pool-ambari_8441] == 1 and primary_down == 1 ] } { lb::down pool pool-ambari-standby_8441 pool pool-ambari_8441 lb::up pool pool-ambari-standby_8441 } else { pool pool-ambari_8441

} TCP::release TCP::collect }
nitass
Employee
May 16, 2015
1) when node 10.0.21.201 is up, it is always taking traffic

2) if node 10.0.21.201 is down, node 10.0.21.255 will take traffic

3) when node 10.0.21.201 is back online, load balancer will direct traffic to node 10.0.21.201

I tested it works for case 1 and 2, not case 3?

i might be lost but isn't it how priority group works? for case 3, as long as it is a new connection, it should be forwarded to the higher priority pool member i.e. 10.0.21.201.

or do you want to forward existing connection to higher priority pool member when it comes back online?
james_lee_31100
Nimbostratus
May 17, 2015
You are right, Nitass.. We need to forward existing connection to higher priority pool members when it comes back online.