Hi guy, I have a problem after change mgmt IP. It's HA connection lost (result in IP conflict and downtime) I have to change management IP address of BIG-IP redundant pair. But when we change it, HA connection lost and it's become active/active which cause us a downtime of application. I have configsync and failover unicast IP is 2.2.2.2 (peer is 2.2.2.1) which connect directly with each other. How can this occur? Is really changing mgmt IP of the box cause it HA connection lost? Note. In v. 10.2.4 , we can change it just fine. Now we currently Running v.11.4.1 HF5

picture is show in this link http://upic.me/show/53708329

I would suggest you read how to setup HA in V11. It is no longer really a HA Pair, but a cluster. This may give you an idea of what all changes you need to make in order to get this working in V11. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-admin-11-4-0/3.htmlunique_2103230074 One thing to check for is your trust list on each device. From the above link you need to see what you have configured under " Device Management > Device Trust, and then either Peer List or Subordinate List" You trust the management IP address of the other devices in the cluster. So if you are changing the management IP address, you need to update the trust list.

@giltjr So it's mean after changing management IP . Device will active/active (Downtime will occur for sure.) and then we must update a trust list (not sure if we have to create a new sync group) to make a BIG-IP sync each other again. Am I correct?

I would have to think and read about everything that needs to be updated and how quickly it must be updated in order to prevent an outage when changing the management IP address. Basically all F5's in the cluster would need to be updated at the "same" time. You would also need to make sure the DSN entries for the F5's are updated so that when the F5's do their DNS lookups they get back the new addresses. You may want to open a case with F5 support to see the best way to do this. However, do you really have an outage? I would think that one of the F5's would keep responding.

Service disruption is possible in such an operation. See ">SOL7312: Overview of the management port. To prevent the devices going into active-active, you can force-offline the standby device before operation. See ">SOL15122: Overview of the Force Offline option.

HA Connection lost after change Management IP address

Emo_Gokay_22518
Historic F5 Account
May 11, 2017
It is expected to lose the HA setup after changing the management IP on a device that is part of HA. More importantly how was the management IP changed, I would do it in the following order: I hope this helps.

Reassign new mgmt. IP or change mgmt. IP to F5 that is in HA pair or environment

Create UCS file and download them to your PC from both units
Put the F5 in question in standby mode
Force it offline and KEEP it OFFLINE till you finish this process
Break the HA between those Units by resetting the trust on both units (they will read “standalone”)
Make sure that unit in question is and stays in “OFFLINE” state
Re-assign the new mgmt. IP and make sure you have access to it with the new IP
Make sure that unit in question is still and stays in “OFFLINE” state
Rebuild the HA with the new mgmt. IP from the active unit
Add the units/hostnames in the sync-failover group
Sync the units from the active “self” and check the “override config” check box
if successful they should be in sync
test the sync feature by creating a test http monitor on the active and sync it over
if that replicates it on the offline F5 it is working and you can delete the test monitor and sync
now you can release the unit in question from “OFFLINE” state
if you need to re-assign new IP on the active unit as well, perform failover so the initial active becomes standby and repeat the process above starting from step 3
kridsana
Cirrocumulus
Dec 11, 2014
FYI about trouble I got today

If you have configuration on traffic-group about "Auto failback" . you can't just re-add peer list because BIG-IP can't delete the old peer somehow.

Problem solved with delete auto failback before change MGMT IP.

Thank you very much
nitass
Employee
Dec 08, 2014
Did I have to reset device trust ? Or just add peer list with the new MGMT IP is enough (It will update automatically) ?

i understand you do not need to reset (i.e. add device again and it will update the existing device).

And If I have to reset device trust and create a new sync-failover group. what option I have to choose between retain authority and create a new certificate in device trust menu?

it is just whether you want to keep ca certificate (dtca.crt) or create a new one. if there are only 2 devices, either should be fine.
kridsana
Cirrocumulus
Dec 08, 2014
Last two question.

Did I have to reset device trust ? Or just add peer list with the new MGMT IP is enough (It will update automatically) ?

And If I have to reset device trust and create a new sync-failover group. what option I have to choose between retain authority and create a new certificate in device trust menu?

Thank you very much
nitass_89166
Noctilucent
Dec 01, 2014
but this have error log repeatly. "bigip-ve06 notice sod[5511]: 010c0062:5: Config digest module error: Traffic group device not found.."

it is benign which could be fixed in 12.0.

ID474149 Take care of non-self device mgmt IP address change in SOD
- kridsana
  Cirrocumulus
  Dec 01, 2014
  It's seem I using command "bigstart restart sod" and then this log gone. I will monitor for a bit.
nitass
Employee
Dec 01, 2014
but this have error log repeatly. "bigip-ve06 notice sod[5511]: 010c0062:5: Config digest module error: Traffic group device not found.."

it is benign which could be fixed in 12.0.

ID474149 Take care of non-self device mgmt IP address change in SOD
- kridsana
  Cirrocumulus
  Dec 01, 2014
  It's seem I using command "bigstart restart sod" and then this log gone. I will monitor for a bit.
kridsana
Cirrocumulus
Dec 01, 2014
After test via release offline method. It's seem work fine.

but this have error log repeatly. "bigip-ve06 notice sod[5511]: 010c0062:5: Config digest module error: Traffic group device not found.."

Is this some known issue or else?
kridsana
Cirrocumulus
Dec 01, 2014
So it's seem I must offline one box >> change mgmt >> reset all config in device management (reset device tust) and re-config a new >> release offline and failover to finish the job.

I will test in a lab and tell a result soon.
kridsana
Cirrocumulus
Dec 01, 2014
@Jie

Thank you very much. I will look into it.

@ nitass

We use 4200 v. 11.4.1 HF5 with Active/Active mode and not use hardwire failover. If we use hardwire failover (by using patch cable. not crossover cable). Is this Active/Active state will work fine like Active/Standby?
nitass
Employee
Nov 30, 2014
changing mgmt ip affects active/standby status because mgmt ip is embedded in failover packet as identifier.

besides forcing offline, hardware serial failover is another option (to prevent service interruption when changing mgmt ip) but platform must not be viprion and contains only two devices in group.