Forum Discussion
Chandru_14793
Nimbostratus
Jan 25, 2011
F5 High Availability
Hi,
Currently we have F5 unit 1 in active mode and unit 2 in standby mode.
We have seen that when the active unit fails, the standby unit becomes active, and whenever the active unit comes back online we see some outage. I believe it is due to STP.
We currently have the Redundancy State Preference set to Active on unit 1 and Standby on unit 2. We also have an STP instance (instance 0) running on the F5s.
We are using network-based failover.
How can we avoid the outages when the active unit (unit 1) comes back online?
Chandru
8 Replies
- Chris_Miller
Altostratus
I wouldn't expect this to be a spanning tree issue. It sounds a lot more like an ARP problem that can be remedied by MAC Masquerading. When the active unit comes back and you have an outage, check the logs on the standby unit and see if you're rejecting traffic. Also, check ARP tables on your switches and see whose MAC the Virtual Server IPs are mapped to. When I had similar problems, the active unit didn't send out gratuitous ARPs to let everyone know it was again the primary. If it doesn't realize it failed over, it won't necessarily do that.
https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7214.html
- JRahm
Admin
I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and working fine, it shouldn't be an arp problem as the formerly active unit will (should) not be responding to the virtual arp requests. It could be a stp problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using vlan groups. And if not, no reason to have stp enabled.
- Chris_Miller
Altostratus
Posted By Jason Rahm on 01/26/2011 03:58 AM
I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and working fine, it shouldn't be an arp problem as the formerly active unit will (should) not be responding to the virtual arp requests. It could be a stp problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using vlan groups. And if not, no reason to have stp enabled.
He's using preferred redundancy state though. If the active unit comes back, the standby unit will return to standby and is not going to answer any requests.
- Chandru_14793
Nimbostratus
Hi Chris and Jason, thanks for your response.
In our case we have trunked the F5 ports on our Cisco switches, but we haven't enabled Spanning Tree PortFast on the switch ports, and the F5 is currently running a spanning tree instance.
I have heard of this issue from my predecessor, so I am unable to check logs to find out if this triggered STP.
Probably we should enable Spanning Tree PortFast on the Cisco switches to prevent this.
Also, I have seen the ARP issue in another environment. I had forced unit 1 to standby and unit 2 took over, and when I pushed unit 2 back to standby, unit 1 became active but clients were not able to reach our VIPs from outside, and we had to clear ARP on our firewall to fix the issue.
I have a few other questions regarding Redundancy State Preference as well. I will ask them in a different thread.
Thanks,
Chandru
- Chris_Miller
Altostratus
Doing LACP on both ends?
- Chandru_14793
Nimbostratus
Yes, LACP is enabled on both ends.
- JRahm
Admin
Posted By Chris Miller on 01/26/2011 06:56 AM
Posted By Jason Rahm on 01/26/2011 03:58 AM
I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and working fine, it shouldn't be an arp problem as the formerly active unit will (should) not be responding to the virtual arp requests. It could be a stp problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using vlan groups. And if not, no reason to have stp enabled.
He's using preferred redundancy state though. If the active unit comes back, the standby unit will return to standby and is not going to answer any requests.
Ah, missed that part. Carry on. Nothing to see here.
- Chris_Miller
Altostratus
Posted By Chandru on 01/26/2011 09:11 AM
Yes LACP is enabled on both ends
Then I wouldn't expect any Spanning Tree issues, unless you saw a loop somewhere or you logged messages accordingly. Seems like an excellent example of why MAC Masquerading is a best practice and could/should be a default.
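The ARP check suggested in this thread (seeing whose MAC the virtual server IPs are mapped to on neighbouring devices after a failback), as an added example that is not part of the original discussion. The sample table is constructed in Cisco IOS `show ip arp` layout, and the function names, addresses and MACs are hypothetical.

```python
import re

# Constructed sample of "show ip arp" output; not taken from the thread.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10              3   0200.5e00.0001  ARPA   Vlan10
Internet  192.0.2.11             41   0011.2233.4401  ARPA   Vlan10
Internet  192.0.2.12              0   Incomplete      ARPA
Internet  192.0.2.50              7   0050.56aa.bb01  ARPA   Vlan10
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Map IP -> normalized MAC, or None for unresolved entries."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "Internet":
            continue  # header or unrelated line
        ip, hw = f[1], f[3]
        table[ip] = None if hw.lower() == "incomplete" else norm_mac(hw)
    return table

def audit_vips(arp_text, vips, expected_mac, peer_macs=()):
    """Classify each VIP by what the neighbour's ARP table says about it."""
    table = parse_arp(arp_text)
    want = norm_mac(expected_mac)           # active unit or masquerade MAC
    peers = {norm_mac(m) for m in peer_macs}  # the other unit's MAC(s)
    report = {}
    for vip in vips:
        if vip not in table:
            report[vip] = "missing"
        elif table[vip] is None:
            report[vip] = "unresolved"
        elif table[vip] == want:
            report[vip] = "ok"
        elif table[vip] in peers:
            report[vip] = "stale-peer"      # still points at the other unit
        else:
            report[vip] = "unexpected"
    return report
```

A `stale-peer` result after a failback is the symptom described above, where the firewall's ARP cache had to be cleared before clients could reach the VIPs.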
