
l_lupos
Mar 16, 2017

F5 Viprion with 2 blades Intra Cluster Mirroring

This question is regarding blade failover of an F5 Viprion 2400 chassis with 2 2150 blades. Intra cluster mirroring.

 

  • The setup: we have an F5 Viprion with 2 blades, 1 trunk (2 members, 1 interface for each blade).
  • 1 Virtual Server with TCP and Client SSL Profile, port translation disabled; connection mirroring for intra cluster mirroring is also enabled. The pool member is a backend server for a bank application. Clients are ATM machines connecting via TCP connection with TLS enabled.
  • Initially the connection from the ATM machine going to the F5 is OK. But I noticed something: the connection tables on the 2 blades are different.
  • When we reloaded the primary blade to test, the secondary blade assumed the primary role but it did not mirror the connection from the primary blade to the secondary blade. Hence the ATM machine disconnected and then reinitiated the connection to the secondary blade, but it took minutes.

6 Replies

  • Can we mirror connections from primary blade to secondary blade via connection mirroring setting on F5 Virtual server?

     

  • We are using standard virtual server and in version 12.1.2.

     

  • As per F5 documents, L7 connections will not be mirrored. Only VS with fastL4 profiles can be mirrored.

    What we noticed is that active connections are catered by blade. If you issue the tmsh show sys conn command, it will show you all the active connections and to which blade it is being catered. So it is wrong to assume that all active connections will only be processed by the primary blade. They will be distributed to all the blades regardless if they are primary or standby.

    In l.lupos' case, since Viprion LTM was used for SSL offloading, if the primary blade (blade1) fails, all active connections catered by that blade will be disconnected. So via tmsh show sys conn, only the active connections on blade2 will remain. Since blade2 will assume Primary role, connections which were dropped from blade 1 will reconnect and will be processed by blade2.