F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Oleksandr_Malo1's avatar
Oleksandr_Malo1
Icon for Altostratus rankAltostratus
Jan 31, 2020
Solved

LTM and ASM configuration synchronization without Sync-Failover enabled

Hi everybody,   My question is related to the point of configuration synchronization of LTM and ASM modules between two VE appliances. We have 2 VE VMs in two different geographically dispersed D...
application delivery
ASM Advanced WAF
LTM
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Feb 02, 2020

Can you explain how your configuration is currently working - is external traffic distributed between the two DCs, so that each BigIP carries part of the traffic?

Are the devices being synced so that as a fall-back, all the traffic can be passed through one working DC?

 

In general, it does not make sense to build LTM object synchronization groups that are not also failover groups. LTM synchronization includes things like IP addresses and vlans, which would normally be expected to be different in different failover zones (i.e DCs), so syncing them across isn't really useful.

 

Such restrictions are not required for things like ASM, APM and GTM, which is why they have separate sync groups, and config can be synced across disparate DataCenters.

 

 

  • Oleksandr_Malo1's avatar
    Oleksandr_Malo1
    Icon for Altostratus rankAltostratus
    Feb 03, 2020

    Hi Simon,

     

    Thank you for the reply.

     

    External traffic is distributed based on destination networks with an approximate ratio of 50/50 and DCs operate in acitve/active mode (A kind of usual active/active scenario but failover is based on dynamic routing - BGP).

     

    It means that we have the list of vserver subnets - range "A" and "B". Range "A" subnets are active in DC1 and announced by BGP towards upstream peers. At the same time range "A" subnets are also announced with the worse priority via BGP at DC2. Thus in case of a DC1 network issues range A subnets will be still reachable via DC2. Accordingly we have range "B" subnets that are announced via both DCs but at DC2 BGP priority for this range is better than at DC1.

     

    The list of vserver IPs for each DC is identical. Target (aka real servers) are reachable from both DC1 and DC2 F5 appliances (extended or stretched VLAN capability is utilized between DCs). Hence the the list of real VM IPs and hostnames (as long as pools) is also the same for both F5s.

     

    We do not require session mirroring and BGP convergence delay is fine for us in case network failure occurs and all traffic goes either to DC1 or DC2. The main reason I asked my question was that for me it makes sense to perform LTM (node, pool, vserver) and ASM (policy) setup just once at either DC1 or DC2 node and just replicate configuration to the neighbor node without doing the same job twice.

     

    I hope my explanation was straightforward enough :)