F5 Connection Mirroring question
Hello,
show sys connection type mirror
This command should show the mirror connections on the Standby?
LTM BIG-IP
Thank you
Hello,
No, the connections are not mirrored !
To share in case it might help someone someday: I had a TG conf problem, the VS was configured in the TG1 and nexthop (floating self-ip) in the TG2, I configured everything in TG1, and it works.
Thank you Mohamed_Ahmed_Kansoh M_Saeed
Hi cpt_ri_F5,
Yes, it shows the connections that should be mirrored to the devices in the HA group. Please have a look here: https://my.f5.com/manage/s/article/K84303332#:~:text=You%20can%20use%20tmsh%20to,type%20mirror%20all%2Dproperties%20command.
FYI: Not all connections get mirrored by adding the mirror option with HA Configuration under Device Management only.
But you need to add an IP for mirroring in HA Configuration.
And you must enable the mirror feature within the virtual server or source address persistence profile; by doing this you are selecting a specific type of traffic related to a specific virtual server or source address persistence.
But be careful: mirroring may impact your device performance, especially with heavy-traffic virtual servers.
- cpt_ri_F5Cirrostratus
Hello, thanks for your feedback
I see connections only on the Active
I checked the configuration, it looks ok,
I see : Aborts + Errors on Standby
Primary Secondary : connected
Active:In Sync] ~ # tmsh show sys ha-mirror
--------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
--------------------------------------------------------------------------------------------------------------------
Traffic Group    TMM    Primary    Secondary  Aborts  Overflows  Errors  Buffered  L4 Mirror  L7 Mirror  L7 Failed
--------------------------------------------------------------------------------------------------------------------
traffic-group-1  [0.0]  connected  connected  0       0          0       0         4          0          0
traffic-group-1  [0.1]  connected  connected  0       0          0       0         0          0          0
traffic-group-1  [0.2]  connected  connected  0       0          0       0         2          0          0
traffic-group-1  [0.3]  connected  connected  0       0          0       0         2          0          0
Standby:In Sync] ~ # tmsh show sys ha-mirror
--------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
--------------------------------------------------------------------------------------------------------------------
Traffic Group    TMM    Primary    Secondary  Aborts  Overflows  Errors  Buffered  L4 Mirror  L7 Mirror  L7 Failed
--------------------------------------------------------------------------------------------------------------------
traffic-group-1  [0.0]  connected  connected  4       0          2       0         0          0          0
traffic-group-1  [0.1]  connected  connected  4       0          2       0         0          0          0
traffic-group-1  [0.2]  connected  connected  4       0          2       0         0          0          0
traffic-group-1  [0.3]  connected  connected  4       0          2       0         0          0          0
Hi cpt_ri_F5,
Have you configured the mirroring within a specific object (virtual server, source address persistence, ...)? You can't rely only on connection mirroring with the HA setup.
- cpt_ri_F5Cirrostratus
Hello Mohamed_Ahmed_Kansoh
Yes, in the virtual server. I use auto-map, no persistence. I see mirrored connections only on the Active.
Thanks
Hi cpt_ri_F5 ,
Alright,
That most probably means that the mirroring links are struggling to mirror these connections.
What is the IP which is used for mirroring? Is it the MGMT interface or a specific VLAN?
- I would recommend selecting a specific VLAN for HA (not Internal/External).
- Also, if you can, use back-to-back connectivity between the HA pair.
- Also use LAGs or link aggregation for HA to increase the BW and leverage the fault tolerance of HA.
Please check this article, which explains what I'm trying to say and much more troubleshooting: https://my.f5.com/manage/s/article/K54622241
- cpt_ri_F5Cirrostratus
Hello Mohamed_Ahmed_Kansoh, thank you for your help.
I use both HA links, which work correctly: status, sync conf, failover...
Active:
sys state-mirroring {
    addr 10.0.1.10 >>> vlan: HA
    secondary-addr 10.0.2.10 >>> vlan: HA_BAK
}
Standby:
sys state-mirroring {
    addr 10.0.1.20 >>> vlan: HA
    secondary-addr 10.0.2.20 >>> vlan: HA_BAK
}
I have already executed K54622241, nothing special except no traffic for tcpdump.
Thank you.
Hi cpt_ri_F5,
Interesting !
Is it a back to back HA Connectivity ?
I mean, are both devices directly connected, or is there a FW between them?
I believe there is no ACKs for mirroring connections.
- cpt_ri_F5Cirrostratus
Let me check this next week, thanks.
Do you think there is a difference between the two modes (HA ok)?
cpt_ri_F5,
Yes, back-to-back connectivity is much more reliable and effective than the existence of other hops in the path (such as FWs or L3 SWs).
- cpt_ri_F5Cirrostratus
OK, but why can only the mirroring connection pose a problem? Both HA links are stable, sync OK, failover OK...
Mirroring is another story.
It consumes BIG-IP resources, especially in heavy environments.
Why?
Let's imagine you have 100K connections in the Active unit's connection table. You see that as 100K connections only, but at the same time the Active unit handles 200K connections, because it processes 100K and moves/mirrors the same 100K connections to the other unit.
Imagine you have a virtual server receiving 1 or 2 million of traffic, and so on; this of course will impact you and degrade sys performance.
Mirroring active connections is not an easy task like triggering failover or even doing incremental config sync.
You need robust connectivity between HA pairs; also I prefer to use back-to-back connectivity for that.
- cpt_ri_F5Cirrostratus
Hello Mohamed_Ahmed_Kansoh,
It's clear. For this requirement, I have only 1 connection that I want to replicate!