BPetronio_11363
Apr 19, 2010

Network FailOver + Fail-Safe

Hello,

I had physically installed F5 on the client, and tried to perform Hardware FailOver and Network FailOver with a separate VLAN (directly connected, no switch).

From my understanding, Network FailOver is only recommended when Hardware FailOver is not possible. Is there no other reason to perform NetFailOver?

I had configured the Fail-Safe on the Internal VLAN, which is connected at Layer 2 to a stack switch (2 physical switches as 1 logical one), and then to the FW cluster (in HA a-p mode too). In terms of Layer 3, only F5 and FW have IP addresses in that VLAN, but I can see a virtual MAC address from the FW switching ports all the time... weird.

I was expecting that when I shut down the port where the Internal VLAN connects to the switch, the active F5 would switch to standby and the standby F5 would switch to active. What happens is that both stay in standby?!?!?!

I did not test disconnecting the HW FailOver cable. Could that be the reason for the problem?

I tried clearing the network failover configuration and then issuing the shutdown on the active port (on the Fail-Safe VLAN), and the result is the same... both standby.

When I did that, I got these messages from "more /var/log/ltm":

F5-1

Apr 20 00:04:09 local/f5-1 info bcm56xxd[3543]: 012c0015:6: Link: 1.1 is DOWN

Apr 20 00:04:18 local/f5-1 notice sod[3522]: 01140029:5: HA vlan_fs Interna fails action is failover.

Apr 20 00:04:18 local/f5-1 notice sod[3522]: 010c0018:5: Standby

F5-2

Apr 20 00:04:18 local/f5-2 notice sod[3544]: 01140029:5: HA vlan_fs Interna fails action is failover.

What kind of troubleshooting can I do in order to solve this problem? I followed the HA wizard in the GUI, with the explanation from AskF5, HA documentation…

Best Regards,

Bruno Petrónio

 

  • hoolio

    Hi Bruno,

    I'd suggest using hardwire failover if the units are physically close enough to each other. I don't think there is any real advantage to network failover if you have the option of using hardwire failover.

    See SOL7066 for some good detail on VLAN failsafe behavior:

    SOL7066: Overview of VLAN failsafe
    https://support.f5.com/kb/en-us/solutions/public/7000/000/sol7066.html

    Is there any device on the internal VLAN which responds to ARP requests? If not, what about ICMP? If not, neither unit will go active.

    For example, unwanted VLAN failsafe events can occur if VLAN failsafe is enabled on a VLAN with no default gateway or pool members, and the VLAN only contains devices that do not respond to ARP requests, ICMPv6 neighbor discovery probes, or multicast pings. To help prevent this behavior, you can assign a health monitor to at least one node on that VLAN. This practice will help to consistently populate the ARP tables on both BIG-IP units in the pair, and give a more accurate view of VLAN availability.

    Aaron
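
An added example (not part of any post in this thread, and not F5 code): one way to spot the condition discussed above is to merge /var/log/ltm from both units and flag a VLAN whose failsafe fired on every unit within a short window, which is the pattern in the quoted logs where no unit can go active. The log lines are copied from the question; the year, the 30-second window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2010  # assumption: syslog lines carry no year; taken from the post date

# Sample input: the /var/log/ltm lines quoted in the question, both units merged.
SAMPLE = """\
Apr 20 00:04:09 local/f5-1 info bcm56xxd[3543]: 012c0015:6: Link: 1.1 is DOWN
Apr 20 00:04:18 local/f5-1 notice sod[3522]: 01140029:5: HA vlan_fs Interna fails action is failover.
Apr 20 00:04:18 local/f5-1 notice sod[3522]: 010c0018:5: Standby
Apr 20 00:04:18 local/f5-2 notice sod[3544]: 01140029:5: HA vlan_fs Interna fails action is failover.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) local/(?P<host>\S+) \w+ "
    r"(?P<proc>\w+)\[\d+\]: (?P<code>[0-9a-f]{8}):\d: (?P<msg>.*)$"
)
VLAN_FS = re.compile(r"^HA vlan_fs (?P<vlan>\S+) fails action is (?P<action>\w+)")

def parse(text):
    """Return (timestamp, host, process, message) for each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["proc"], m["msg"]))
    return events

def failsafe_on_all_units(events, units, window=timedelta(seconds=30)):
    """VLANs whose failsafe triggered a failover on every unit within `window`."""
    hits = defaultdict(dict)  # vlan -> {host: first trigger time}
    for ts, host, proc, msg in events:
        m = VLAN_FS.match(msg) if proc == "sod" else None
        if m and m["action"] == "failover":
            hits[m["vlan"]].setdefault(host, ts)
    return [
        vlan for vlan, seen in hits.items()
        if set(units) <= set(seen)
        and max(seen[u] for u in units) - min(seen[u] for u in units) <= window
    ]

def units_gone_standby(events):
    """Hosts whose sod process logged a transition to Standby."""
    return sorted({h for _, h, proc, msg in events if proc == "sod" and msg == "Standby"})

if __name__ == "__main__":
    ev = parse(SAMPLE)
    for vlan in failsafe_on_all_units(ev, ["f5-1", "f5-2"]):
        print(f"VLAN failsafe for '{vlan}' fired on both units; went standby: {units_gone_standby(ev)}")
```

A hit on both units points at the VLAN itself having nothing that answers the failsafe probes, rather than at a fault on one unit.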
  • nathe
    Bruno,

    As far as I'm aware, with both Network failover and Hardware failover then hardware failover is pretty much redundant. That's because failover will only occur if the hardware cable's voltage and the network pulse are lost. Hardware failover always takes precedence. So in your case you've disconnected the VLAN, but because hardware failover is being used, the standby won't be aware of a failover and will remain in standby.

    I believe if the 2 appliances are close enough then F5 recommends hardware failover.

    Rgds

    N
  • Thank you all for your replies.

    @Aaron:

    If on F5-1, when the Fail-Safe VLAN was triggered (shut down the switch port), it changed from active to standby, then the 1st F5 notes the VLAN in a down state.

    Shouldn't this F5 make the standby unit aware to perform the active role? If not, in which circumstances will the standby unit stay in active? Through what mechanism is that information passed? FailOver VLAN? HW failover cable?

    @nathan:

    If I had no trigger performed by the Fail-Safe VLAN, I guess it would be like you wrote, but even if I don't use Network FailOver, I guess I could configure the Fail-Safe VLAN to perform the FailOver trigger, or is that not the way it works?

    I realise that I will not get any advantages with Network FailOver. So I will drop this configuration task.

    Should network mirroring and a dedicated VLAN for FailOver be configured in the same way? My interest is to perform stateful failover for some VS.

    Best Regards,

    Bruno Petrónio
  • Hello,

    I have 4 VIPRION systems (2 in each site) and I want to configure site failover, so that in case all the servers behind the VIPRION system in one site are down or partially down, the other site takes over and handles traffic.

    Site A -->

    User Traffic --> 1x VIPRION PB200 Active --> HTTP Servers (96 servers)

    1x VIPRION PB200 Standby

    Site B -->

    User Traffic --> 1x VIPRION PB200 Active --> HTTP Servers (96 servers)

    1x VIPRION PB200 Standby

    Any idea what the best way to do that is? I need it to be done automatically, automatic failover.

    Can I do it so that, if the servers running behind the VIPRION are partially down, the VIPRION itself shuts down its ports connected to the external network and the router in turn redirects the traffic to the other VIPRION system in site B?

    Cheers,

    Neo