Forum Discussion

Nimbostratus

Oct 31, 2023

r5900 SSLO L2 service abnormal

Hello,I exchanged the r5900 for the i5800 SSLO.When the r5900 came online,L2 service status is Down,and other pools status is normal.Now it's rolled back,L2 service is normal on i5800. Now I use ano...

application delivery

security

Kevin_Stewart

Employee

Jan 26, 2024

Once quick note here, L2 inspection service support was enabled for the r5XXX platform with:

F5OS-A 1.3.1 (minimum)
BIG-IP 15.1.8+ and 17.1.0+

The tenant-based rSeries and VELOS platforms require a "MAC pool" configuration to support inline L2 inspection services.

https://clouddocs.f5.com/sslo-deployment-guide/sslo-11/chapter3/page3.01.html

DanSkow

Cirrus

Apr 22, 2026

Adding to this based on my recent struggles with migrating SSLO from iSeries to rSeries... You need to complete the following:

If using L2 Services with SSLO, deploy the new rSeries Tenant with the appropriate MAC Block Size (aka MAC Pool). You will need 2 MAC addresses for each L2 service, and 1 for each additional VLAN. Each rSeries tenant can be assigned one of the following MAC Block sizes (Small/Medium/Large, 8/16/32)
IMPORTANT IF YOU HAVE MORE THAN 30 VLANS:
- Unique MAC Addresses from the MAC Pool are assigned alphabetically how they appear in the Tenant GUI, with VLANs starting a capitalized letter appearing before VLANs starting with a lowercase letter
- If your L2 SSLO VLANs appear low enough in the alphabetical list, they won't be assigned a unique MAC Address, and the L2 service will not pass the health check, even if you have the Tenant Deployment configured with a Large MAC Block
- You can confirm if you're running into this issue by running this command and checking if your SSLO VLANs have a MAC address that's shared with other VLANs: tmsh show net vlan | grep "Interface Name\|Mac Address"
- If you're running into this issue, you'll need to delete the SSLO config, delete the SSLO VLANs on the Host and Tenants, recreate the SSLO VLANs with different names that will appear at the top of the alphabetical list, then recreate the SSLO config, then run these commands to force the F5 to reassign the MACs from it's MAC Pool:
  - tmsh modify ltm global-settings general share-single-mac global
  - tmsh modify ltm global-settings general share-single-mac unique
The L2 SSLO VLANs will need to be created on the new rSeries hosts prior to the migration from iSeries.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

r5900 SSLO L2 service abnormal

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

F5 Visual Studio Code extension not listing Big IP device partitions for 17.5.1.5 QKViews

SSL Orchestrator and Layer 2 Service Integration

r5900 SSLO L2 service abnormal

TCPDUMP in BigIP for traffic coming from distrbuited cloud.

Catch Dynamic CRL Errors and Return Friendly Page

Related Content

SSL Orchestrator Service Extensions: DoH Guardian

r5900 Tenant BIG-IP 15.1.5 -> 15.1.10.2 Upgrade

F5 Container Ingress Services (CIS) deployment using Cilium CNI and static routes

Per-app failover for Kubernetes-based services using F5 Distributed Cloud Services

Key Steps to Securely Scale and Optimize Production-Ready AI for Banking and Financial Services

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS