Forum Discussion
Initial deployment question
So I inherited these two BIG-IP LTM products. In the past I have used Cisco Content Switches and they made sense. This is my first time working with the F5s and the documentation so far has been of no help. It is really the worst documentation so far, right after Citrix.
Anyway, I want to basically set up the two devices in Active/Active mode and per the documentation I do not see any option for an HA Wizard. So far I have just configured the Management IPs on the two. I was able to set up a trust between the two but the configuration sync kept saying pending. I do not see any option under "Platform --> System to change the Unit IDs and the mode". It does not say anything about the licensing in the documentation so I don't think it is a licensing issue.
So can someone please point me in the right direction in accomplishing this for starters:
1- Set up the two devices in active/active mode (as I don't even see the options anywhere)
2- Tell me what exactly Interface Mirroring will do for me. I know it is supposed to duplicate traffic to another interface; why would I want to do that? Is it like port span to capture packets or something?
3- I know I have to enable network failover, so OK, I do that. Do I need to connect the TMM switch ports for the failover options to show up, or connect the two interfaces via crossover cable, like 1.1 of Unit 1 to 1.1 of Unit 2?
Thank you.
36 Replies
- mali77_57143
Nimbostratus
Thank you Steve, I fixed that.
- mali77_57143
Nimbostratus
This is what my side shows:
user@(DC-F5-01-241)(cfg-sync Disconnected)(Active)(/Common)(tmos.cm.device-group) list
cm device-group DC-F5-SFO {
    devices {
        DC-F5-01-241.domain.com { }
        DC-F5-02-242.domain.com { }
    }
    type sync-failover
}
cm device-group device_trust_group {
    auto-sync enabled
    devices {
        DC-F5-01-241.domain.com { }
        DC-F5-02-242.domain.com { }
    }
    network-failover disabled
}
cm device-group gtm {
    devices {
        DC-F5-01-241.domain.com { }
    }
    network-failover disabled
}
- nitass
Employee
1. is time in sync between both units?
2. is configsync and failover setting (device management > devices > (device) > device connectivity) correct?
if (1) and (2) are correct, can you add device to device trust again (no need to delete first. it will update device in device trust)?
if still not working, can you try to reset device trust and create device trust again?
- mali77_57143
Nimbostratus
Posted By nitass on 10/22/2012 09:44 AM
1. is time in sync between both units?
2. is configsync and failover setting (device management > devices > (device) > device connectivity) correct?
if (1) and (2) are correct, can you add device to device trust again (no need to delete first. it will update device in device trust)?
if still not working, can you try to reset device trust and create device trust again?
Did that. When I go on the first device and look at the status of the second device from "Device Management ›› Devices" I see it offline.
When I go to the second device and do the same thing I see the first device as "Online" and the second one (which is self) standby.
Attaching more screenshots on how I have the HA configured.
- nitass
Employee
VLAN Configuration (I have 1.4 connected to 1.4 with a cross over right now but I can change it if needed. However the interface still shows down)
interface should not be down. can you try another cable or interface? as Steve mentioned, you can use straight cable.
sol9787: Auto MDI/MDIX behavior for BIG-IP platforms
http://support.f5.com/kb/en-us/solutions/public/9000/700/sol9787.html
after interface is up, if it still does not work, can you try to (1) add device to device trust and (2) reset device trust (if adding device does not help)? if problem still persists, please open a support case.
- mali77_57143
Nimbostratus
Posted By nitass on 10/22/2012 10:20 PM
VLAN Configuration (I have 1.4 connected to 1.4 with a cross over right now but I can change it if needed. However the interface still shows down)
interface should not be down. can you try another cable or interface? as Steve mentioned, you can use straight cable.
sol9787: Auto MDI/MDIX behavior for BIG-IP platforms
http://support.f5.com/kb/en-us/solutions/public/9000/700/sol9787.html
after interface is up, if it still does not work, can you try to (1) add device to device trust and (2) reset device trust (if adding device does not help)? if problem still persists, please open a support case.
Thank you. Weird, I removed the crossover cable and used a straight-through cable and it came right up. Thank you for that tip. OK, so far it looks like the Active/Standby setup seems to be working. Now the config-sync part, I have to see why that is not working. I'm using the HA Self IPs and VLANs for that and HA VLAN is associated with 1.4 on both Untagged. Am I missing something?
- nitass
Employee
I'm using the HA Self IPs and VLANs for that and HA VLAN is associated with 1.4 on both Untagged.
that is fine. you may run "tail -f /var/log/ltm" on both units while performing configsync to see if there is any error log.
and just in case if you have not yet seen this sol.
sol13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13887.html
- What_Lies_Bene1
Cirrostratus
Have you checked the Port Lockdown settings for the Self-IPs?
Did you ever check the time difference between the two devices?
Do you get any error messages?
- mali77_57143
Nimbostratus
Posted By nitass on 10/23/2012 06:59 AM
I'm using the HA Self IPs and VLANs for that and HA VLAN is associated with 1.4 on both Untagged.
that is fine. you may run "tail -f /var/log/ltm" on both units while performing configsync to see if there is any error log.
and just in case if you have not yet seen this sol.
sol13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13887.html
Thank you again. I set up the device as the config leader and also tried to do a forced sync from the GUI, no use. I seem to not have the tail command available to me. I logged in as the local admin and still same results. Do I need to create an internal VLAN for this? Per the link below, the device uses an internal VLAN.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-redundant-systems-config-11-2-0/2.htmlconceptid
Also when I remove the Management IP from the "System --> High Availability --> Device connectivity --> Failover" and just leave the HA VLAN in there that is associated with 1.4 port (1.4 to 1.4), my failover stops working too.
- nitass
Employee
this is tail output from my units.
active
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
[root@ve11a:Active:In Sync] config
standby
[root@ve11b:Standby:Changes Pending] config tail -f /var/log/ltm
Oct 23 22:11:21 ve11b notice mcpd[4948]: 01071038:5: Loading keys from the file.
Oct 23 22:11:24 ve11b notice mcpd[4948]: 010714a0:5: Sync of device group /Common/dg to commit id 220 5802480386252598085 /Common/ve11a.acme.com from device /Common/ve11a.acme.com complete.
[root@ve11b:Standby:In Sync] config
Do I need to create an internal VLAN for this? Per the link below, the device uses an internal VLAN.
i do not think so. ha vlan should be fine. anyway, have you checked port lockdown (allow-service) which Steve suggested? it is set to default, isn't it?
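Added example, not part of any post in this thread and not F5 code: a small parser for the /var/log/ltm lines shown in the tail output above, which pulls out the "Sync of device group ... complete" events so you can confirm on the receiving unit that a ConfigSync actually landed. The regular expressions are assumptions built only from the two log lines quoted in the thread; other TMOS versions may word the message differently, and the commit id is kept as one opaque string.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample: the two standby-side lines quoted in the thread plus one
# made-up malformed line to show that unparseable input is skipped.
SAMPLE_LTM_LOG = """\
Oct 23 22:11:21 ve11b notice mcpd[4948]: 01071038:5: Loading keys from the file.
Oct 23 22:11:24 ve11b notice mcpd[4948]: 010714a0:5: Sync of device group /Common/dg to commit id 220 5802480386252598085 /Common/ve11a.acme.com from device /Common/ve11a.acme.com complete.
this line is not in syslog format
"""

class LogEntry(NamedTuple):
    timestamp: str
    host: str
    severity: str
    daemon: str
    msg_id: str
    text: str

class SyncEvent(NamedTuple):
    timestamp: str
    receiver: str        # unit that logged the completion
    device_group: str
    commit_id: str       # opaque text between "commit id" and "from device"
    source_device: str

# "<Mon> <day> <time> <host> <severity> <daemon>[pid]: <msgid>:<level>: <text>"
LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<severity>\w+) "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<msg_id>[0-9a-f]{8}:\d+): (?P<text>.*)$")
SYNC_RE = re.compile(
    r"^Sync of device group (?P<group>\S+) to commit id (?P<commit>.+) "
    r"from device (?P<source>\S+) complete\.$")

def parse_line(line: str) -> Optional[LogEntry]:
    m = LINE_RE.match(line.rstrip("\n"))
    return LogEntry(**m.groupdict()) if m else None

def sync_completions(lines: Iterable[str]) -> List[SyncEvent]:
    events = []
    for line in lines:
        entry = parse_line(line)
        m = SYNC_RE.match(entry.text) if entry else None
        if m:
            events.append(SyncEvent(entry.timestamp, entry.host,
                                    m["group"], m["commit"], m["source"]))
    return events

def last_sync(lines: Iterable[str], device_group: str) -> Optional[SyncEvent]:
    """Most recent completed sync for one device group, or None if none was logged."""
    hits = [e for e in sync_completions(lines) if e.device_group == device_group]
    return hits[-1] if hits else None
```
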