Forum Discussion
frankcheong_304
Nimbostratus
NimbostratusIntermittent Connection Problem Between Active/Stanby LTM 1600 and a pair of Cisco 2960
I have a pair of LTM 1600 (namely LTM-A & LTM-B) running in active/standby mode and a two pair of Cisco2960 (namely WAN-2960-A, WAN-2960-B, LAN-2960-A & LAN-2960-B). My setup is as below:-
Network Interconnection:-
LTM-A Interface 1.1 -> WAN-2960-A Port 1
LTM-B Interface 1.1 -> WAN-2960-B Port 1
LTM-A Interface 2.1 (Fibre) -> LTM-B Interface 2.2 (Fibre)
LTM-A Interface 2.2 (Fibre) -> LTM-B Interface 2.2 (Fibre)
LTM-A Interface 1.3 (internal-trunk) -> LAN-2960-A Port 1 (ether-channel Port-channel 3)
LTM-A Interface 1.4 (internal-trunk) -> LAN-2960-A Port 2 (ether-channel Port-channel 3)
LTM-B Interface 1.3 (internal-trunk) -> LAN-2960-B Port 1 (ether-channel Port-channel 3)
LTM-B Interface 1.4 (internal-trunk) -> LAN-2960-B Port 2 (ether-channel Port-channel 3)
LAN-2960-A Port 3 (ether-channel Port-channel 5) -> LAN-2960-B Port 3 (ether-channel Port-channel 5)
LAN-2960-A Port 4 (ether-channel Port-channel 5) -> LAN-2960-B Port 4 (ether-channel Port-channel 5)
LTM-A & LTM-B:-
Trunk List: trunk interface 2.1 & 2.2 named as Fibre, trunk interface 1.3 & 1.4 named as internal-trunk
Trunk Setting: LACP: Enable, LACP Mode: Active, LACP Timeout: Long, Link Selection Policy: (Auto), Frame Distribution Hash: (Source/Destination IP Address)
VLAN List:
Internal, Tag: 4093, Untagged Interface: internal-trunk, MTU:1500, Fail-safe: Enable, Fail-safe-timeout: 15, Action: Failover
External, Tag: 10, Untagged Interface: 1.1, MTU: 1500, Fail-safe: Enable, Fail-safe-timeout:15, Action: Failover
pri-failover, Tag: 4092, Untagged Interface: Fibre, Fail-safe: Disable
All interface running at 1G full-duplex
part of show run for LAN-2960-A & LAN-2960-B:-
LAN-2960-Ashow run
vtp domain f5-private
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
port-channel load-balance src-dst-ip
vlan 4093
name f5-private-vlan
!
interface Port-channel3
switchport trunk native vlan 4093
switchport mode trunk
no keepalive
flowcontrol receive desired
!
interface Port-channel5
switchport access vlan 4093
switchport mode access
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 4093
switchport mode trunk
flowcontrol receive desired
spanning-tree portfast disable
channel-group 3 mode active
!
interface GigabitEthernet1/0/2
switchport trunk native vlan 4093
switchport mode trunk
flowcontrol receive desired
spanning-tree portfast disable
channel-group 3 mode active
!
interface GigabitEthernet1/0/3
switchport access vlan 4093
switchport mode access
spanning-tree portfast disable
channel-group 5 mode desirable non-silent
!
interface GigabitEthernet1/0/4
switchport access vlan 4093
switchport mode access
spanning-tree portfast disable
channel-group 5 mode desirable non-silent
!
interface GigabitEthernet1/0/5 - 1/0/24
switchport access vlan 4093
switchport mode access
spanning-tree portfast
!
interface Vlan4093
ip address 192.168.96.1 255.255.255.0
!
LAN-2960-Ashow vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/25, Gi1/0/26, Gi1/0/27
Gi1/0/28
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
4093 f5-private-vlan active Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Po5
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1005 trnet 101005 1500 - - - ibm - 0 0
4093 enet 104093 1500 - - - - - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
LAn-2960-Ashow vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : f5-private
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Configuration last modified by 0.0.0.0 at 3-8-93 22:38:54
Feature VLAN:
--------------
VTP Operating Mode : Transparent
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
Configuration Revision : 0
All server have dual interface connecting to LAN-2960-A and LAN-2960-B using interface bonding mode 6 miimon=100. Found that there are consistent packet drop for both LTB as below:-
Interface Statistics Bits Packets Multicast Errors Drops
Name Status In Out In Out In Out In Out In Out Collisions
mgmt DOWN 0 0 0 0 0 0 0 0 0 0 0
1.1 UP 358.4G 4.5T 291.9M 446.2M 8.2M 5.9K 0 0 59.0K 444 0
1.2 DOWN 0 0 0 0 0 0 0 0 0 0 0
1.3 UP 2.2T 196.1G 241.1M 153.9M 880.0K 26.6K 0 0 309.9K 1.5K 0
1.4 UP 2.4T 277.5G 249.8M 164.9M 111.5K 16.7K 0 0 58.6K 821 0
2.1 UP 19.0M 19.0M 20.4K 20.4K 17.7K 17.8K 0 0 0 0 0
2.2 UP 11.6G 11.9G 11.6M 11.7M 16.7K 16.7K 0 0 0 0 0
ON LAN-2960-A there are 408 packet drop on interface 1 and 175 packet drop on interface 2 (connecting LTM) while all other interface record 0 packet drop. I would like to know what seems to be the problem? I have also tried to swapping another UTP cable while still encounter intermittent connection drop. Am my configuration correct?
frankcheong_304More to add, actually the LTM is running in route mode which all server points to the LTM as the default gateway. In addition, the Internal LAN is solely a subnet dedicated for F5 load balancing and thus only one vlan 4093 with IP (192.168.*) exist. While the External WAN consist of a lot of different subnet but the native VLAN is 10 with IP (10.1.*). I have tried using access mode for Port-channel 3 for both LAN-2960-A and LAN-2960-B but still encounter similar packet drop. Just wonder which part of the configuration could go wrong causing such intermittent connection problem.- mikand_61525Just guessing now but couldnt part of the problem be that you didnt setup any vlan-configuration between your F5's (currently only state-sync)?
I mean your Internal (4093) must exists on the "Fibre" bonding aswell. Otherwise you end up with assymetric situations where the lan-switch2 sends data to ltm-b when ltm-b is passive which gives that it receives the packet but doesnt know what to do with it which ends up with a drop.
If you enable the 4093-vlan on the "Fibre" between ltm-a and ltm-b then the passive unit will send the packet to the active unit for processing (if im not mistaken).
Sidenote: Why no bonding for the F5 -> WAN-switches? - frankcheong_304That means the failover (Fibre) VLAN also need to use VLAN 4093 in addition to its own VLAN 4092, right?
For WAN-Switches, I also would like to bond it but would like to fix all the problem first. - mikand_61525Yes.
Do you use your VLAN4092 as HA-network between the LTM's? - frankcheong_304What do you mean by using VLAN 4092 AS HA-Network between the LTM?
BTW, What about VLAN 10? Should I also include VlAN 10 into the failover Fibre Trunk? - mikand_61525Instead of using the serial for HA (High Availability) communications one can use one or many networkconnections instead (or using both in case your LTM devices are close to each other).
Regarding VLAN10, sure - depends on how the setup is for External.
Another method (I think) is to use current setup of just VLAN 4092 between your LTMs and setup static routing. But in that I case I dunno what will happen if a packet is sent to the device which is currently set in passive mode (perhaps im confusing this with how HSRP/VRRP works where the passive device turns into a L2 device so the L3 stuff is performed at the active unit). 
nitassEmployee
on LAN-2960-A, G1/0/1 and G1/0/2 are connected to LTM-A internal trunk, aren't they?
since on LTM-A, internal VLAN is untagged, just curious why you need "switchport mode trunk" on LAN-2960-A.- frankcheong_304Hm.... Can I ask a stupid question? In my scenario, my F5 is running in route mode, would F5 still needed to participate in VLAN stuff ? Of I can use switchport mode access in my LAN-2960-A and LAN-2960-B to skip all the VLAN stuff? And BTW, actually the external switch is running in switchport mode access too.
- nitasswould F5 still needed to participate in VLAN stuff ?if you have dedicated interface for each vlan, vlan tagging is not needed.
I can use switchport mode access in my LAN-2960-A and LAN-2960-B to skip all the VLAN stuff?yes.
since on LTM-A, internal VLAN is untagged, just curious why you need "switchport mode trunk" on LAN-2960-A.by the way, does this make any change about packet drop? - frankcheong_304Actually, I have tried both switchport mode access and switchport mode trunk, the result is similar.
While setting the correct VLAN no for external and internal interface on F5 provide much different result. Actually I have untagged the interface and I thought it shouldn't affect anything. But the result is not, when I disregard the VLAN no (does not match with cisco 2960), the network even goes down for a while some times.
It seems like the F5 participate in VLAN stuff even in my route mode setup scenario.
Anyway, do you think I better try to include external VLAN (10) and internal VLAN (4093) on the failover VLAN ? That means failover VLAN include 10, 4092 and 4093 also. For I don' have much idea over here, coz the fail over interface is a fibre direct connection.