For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

BPetronio_11363's avatar
BPetronio_11363
Icon for Nimbostratus rankNimbostratus
Apr 19, 2010

Network FailOver + Fail-Safe

Hello,       I had physically installed F5 on the client, and try to perform Hardware FailOver and Network FailOver with a separate Vlan (directly connected, no switch).   Fro...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Apr 20, 2010

 

Hello,

 

 

I had physically installed F5 on the client, and try to perform Hardware FailOver and Network FailOver with a separate Vlan (directly connected, no switch).

 

From my understanding, Network FailOver is only recommended when Hardware FailOver is not possible. There are no other reason to perform NetFailOver ?

 

 

I had configured the Fail-Safe to Internal Vlan, which is connected in Layer2 to a stack switch (2 physical switch as 1 logical one), and then to the FW cluster(in ha a-p mode too). In terms of Layer3, only F5 and FW have ip address in that Vlan, but i can see a virtual mac address from FW switching ports all the time... weird.

 

 

I was expecting that when i shutdown the port where Internal Vlan connect to the switch, the active F5 switched to standby and the Standby F5 switchde to Active. What it happens is that both stays in Standby?!?!?!

 

 

I did not test to disconnect the HW FailOver cable. Could it be the reason of the problem?

 

 

What kind of troubleshooting can I do in order to solve this problem ? I follow the HA wizard in the GUI, with the explanation of askf5, ha documentation…

 

 

Best Regards,

 

Bruno Petrónio

 

 

 

Hi Bruno,

 

 

I'd suggest using hardwire failover if the units are physically close enough to each other. I don't think there is any real advantage to network failover if you have the option of using hardwire failover.

 

 

See SOL7066 for some good detail on VLAN failsafe behavior:

 

 

SOL7066: Overview of VLAN failsafe

 

https://support.f5.com/kb/en-us/solutions/public/7000/000/sol7066.html

 

 

Is there any device on the internal VLAN which responds to ARP requests? If not, what about ICMP? If not, neither unit will go active.

 

 

 

For example, unwanted VLAN failsafe events can occur if VLAN failsafe is enabled on a VLAN with no default gateway or pool members, and the VLAN only contains devices that do not respond to ARP requests, ICMPv6 neighbor discovery probes, or multicast pings. To help prevent this behavior, you can assign a health monitor to at least one node on that VLAN. This practice will help to consistently populate the ARP tables on both BIG-IP units in the pair, and give a more accurate view of VLAN availability.

 

 

 

Aaron