Gateway Failsafe and default gateways
Hi,
I am not sure if RD is exactly what can solve the case here. Maybe it will be easier with a diagram. It's based on my understanding of the description from https://support.f5.com/csp/article/K15367
Especially:
The first step of configuring the gateway fail-safe feature is to create one gateway pool for each BIG-IP system in the failover pair. Each gateway pool must consist of the upstream gateway(s) the system is connected to. For example, if bigip1 is connected to upstream gateway 10.10.1.1 and bigip2 is connected to upstream gateway 10.20.2.2, then you must configure two gateway pools; gateway_pool1 consists of pool member 10.10.1.1:any and gateway_pool2 consists of pool member 10.20.2.2:any.
Configuration:
- For simplicity there is no redundancy, and tagged VLANs are used to spare interfaces.
- Both devices have VLAN ext defined on interface 1.1, but BIG-IP1 with tag 100, BIG-IP2 with tag 200
- There is no floating IP configured for VLAN ext - it would be difficult, as each device is using a different subnet for its VLAN ext SelfIP
- VSs are all defined in a separate subnet - different from both devices' SelfIP subnets
- R1 has route to 10.30.1.0/24 set to BIG-IP1 SelfIP 10.10.1.10
- R2 has route to 10.30.1.0/24 set to BIG-IP2 SelfIP 10.20.2.20
- gateway_pool1 attached to BIG-IP1 is set with pool member 10.10.1.1:any
- gateway_pool2 attached to BIG-IP2 is set with pool member 10.20.2.2:any
I can't see any problem with traffic coming from the Internet (assuming an external configuration directing traffic to R1 when BIG-IP1 is ACTIVE and to R2 when BIG-IP2 is ACTIVE).
R1 will route it to the BIG-IP1 SelfIP, then internally it will be directed to the given VS in the 10.30.1.0/24 subnet, then to the Node via VLAN int.
Returning traffic (based on the assumption that Auto Last Hop is enabled) will ignore any routing entries and be directed back to the R1 MAC.
In case of an R1 failure discovered by BIG-IP1, failover to BIG-IP2 will be performed. Sure, all TCP sessions will be terminated, but...
Now the external mechanism will direct Internet traffic to R2 and then to BIG-IP2.
Great for incoming traffic, but what about traffic sourced from VLAN int?
Assuming a kind of wildcard ForwardingIP VS enabled on VLAN int, we have a problem. If the DG is configured to 10.10.1.1 then it will be the same on both devices (it will be synced).
So it will work if BIG-IP1 is ACTIVE but not when BIG-IP2 is ACTIVE.
I can imagine a setup where we have def_gateway_pool containing:
- 10.10.1.1:any
- 10.20.2.2:any
and a wildcard PerformanceL4 VS on VLAN int.
Assuming that when BIG-IP1 is ACTIVE only 10.10.1.1 will be marked as UP, then traffic should reach the Internet.
When BIG-IP2 is ACTIVE only 10.20.2.2 will be UP, so again traffic should reach the Internet.
But it seems to be a bit flawed concerning communication sourced from the BIG-IP itself, like update checking, NTP, IPI updates etc.
BIG-IP1 should not have a problem, the DG is OK, but BIG-IP2 will have a problem, the DG will not work.
So is there another way to solve this? Am I missing/misunderstanding something?
Piotr
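To make the asymmetry described in the post concrete, here is an added example, constructed for this page and not taken from the post or from F5: a small Python model of the egress decision on whichever unit is active. It uses the addresses from the post (R1 10.10.1.1, R2 10.20.2.2, the two VLAN ext SelfIPs and def_gateway_pool). The device names, the rule that a gateway member is UP on a unit only when it is alive and on-link from that unit, and the "off-link gateway is unusable" check for the synced static route are assumptions, marked as such in the comments.

```python
"""Constructed model of the egress choices discussed in the post (not F5 code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class BigIp:
    name: str
    ext_selfip: str  # VLAN ext self IP with prefix length, e.g. "10.10.1.10/24"

    def on_link(self, addr: str) -> bool:
        """True if addr lies in the directly connected VLAN ext subnet (ARP-resolvable)."""
        return ip_address(addr) in ip_network(self.ext_selfip, strict=False)


# Constructed topology from the post: each unit has its own ext subnet and upstream router.
BIGIP1 = BigIp("bigip1", "10.10.1.10/24")   # name is a hypothetical label
BIGIP2 = BigIp("bigip2", "10.20.2.20/24")   # name is a hypothetical label
R1, R2 = "10.10.1.1", "10.20.2.2"

# def_gateway_pool from the post holds both routers. The static default route is
# synced, so it carries the same single gateway (R1) on both units.
DEF_GATEWAY_POOL: List[str] = [R1, R2]
SYNCED_DEFAULT_GW = R1


def member_up(device: BigIp, member: str, routers_up: Dict[str, bool]) -> bool:
    """Assumption (as in the post): a gateway member is marked UP on a unit only if the
    router is alive and is on-link from that unit. An off-link member cannot be probed,
    because the only route towards it is the default route itself."""
    return routers_up.get(member, False) and device.on_link(member)


def pool_next_hop(device: BigIp, pool: List[str], routers_up: Dict[str, bool]) -> Optional[str]:
    """Next hop for traffic hitting the wildcard VS whose pool is the gateway pool:
    the first member the active unit sees as UP, or None if there is none."""
    for member in pool:
        if member_up(device, member, routers_up):
            return member
    return None


def static_next_hop(device: BigIp, gateway: str) -> Optional[str]:
    """Next hop for self-originated traffic (NTP, update checks, IPI updates) via the
    synced static default route. Assumption: a gateway that is not on-link cannot be
    ARP-resolved, so the route is unusable and the result is None."""
    return gateway if device.on_link(gateway) else None


def egress(active: BigIp, routers_up: Dict[str, bool]) -> Dict[str, Optional[str]]:
    """Egress next hop on the active unit for the two traffic classes in the post."""
    return {
        "vs_traffic": pool_next_hop(active, DEF_GATEWAY_POOL, routers_up),
        "self_traffic": static_next_hop(active, SYNCED_DEFAULT_GW),
    }


if __name__ == "__main__":
    # Normal operation: bigip1 active, both routers alive.
    print("bigip1 active:", egress(BIGIP1, {R1: True, R2: True}))
    # R1 fails, gateway fail-safe triggers failover, bigip2 is now active.
    print("bigip2 active:", egress(BIGIP2, {R1: False, R2: True}))
```

Running it shows the split the post describes: with bigip1 active both classes leave via 10.10.1.1; after failover to bigip2 the VS-forwarded traffic picks 10.20.2.2 from the pool, while self-originated traffic still resolves the synced default gateway 10.10.1.1, which is off-link on bigip2 and therefore has no usable next hop.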