Forum Discussion
r5900 SSLO L2 service abnormal
Hello, I exchanged the r5900 for the i5800 SSLO. When the r5900 came online, the L2 service status was Down, and the other pools' status was normal. Now it's rolled back, and the L2 service is normal on the i5800.
Now I am using another r5900 to test. I cabled the IN and OUT interfaces on SSLO directly, and the L2 service status is still abnormal.
Has anyone seen this kind of problem before?
Any help is appreciated!! Thanks.
3 Replies
Better chase support as F5 rSeries support for SSLO is a new thing.
Other than that, if the topology is Layer 2 with vwire, maybe that is the issue, as vwire needs to be added to the tenant in rSeries and it could still have some issues.
2.7. Creating Layer 2 Topologies (f5.com)
Also, the SSLO migration is not great; maybe on 10.1 (17.1) with snapshots it is the easiest, but from a platform like iSeries to an rSeries tenant, better to configure the topology from the start on the tenant.
- Kevin_Stewart
Employee
One quick note here: L2 inspection service support was enabled for the r5XXX platform with:
- F5OS-A 1.3.1 (minimum)
- BIG-IP 15.1.8+ and 17.1.0+
The tenant-based rSeries and VELOS platforms require a "MAC pool" configuration to support inline L2 inspection services.
https://clouddocs.f5.com/sslo-deployment-guide/sslo-11/chapter3/page3.01.html
- DanSkow
Cirrus
Adding to this based on my recent struggles with migrating SSLO from iSeries to rSeries... You need to complete the following:
- If using L2 Services with SSLO, deploy the new rSeries Tenant with the appropriate MAC Block Size (aka MAC Pool). You will need 2 MAC addresses for each L2 service, and 1 for each additional VLAN. Each rSeries tenant can be assigned one of the following MAC Block sizes (Small/Medium/Large, 8/16/32).
- IMPORTANT IF YOU HAVE MORE THAN 30 VLANS:
  - Unique MAC Addresses from the MAC Pool are assigned alphabetically, in the order they appear in the Tenant GUI, with VLANs starting with a capitalized letter appearing before VLANs starting with a lowercase letter.
  - If your L2 SSLO VLANs appear low enough in the alphabetical list, they won't be assigned a unique MAC Address, and the L2 service will not pass the health check, even if you have the Tenant Deployment configured with a Large MAC Block.
  - You can confirm if you're running into this issue by running this command and checking if your SSLO VLANs have a MAC address that's shared with other VLANs: tmsh show net vlan | grep "Interface Name\|Mac Address"
  - If you're running into this issue, you'll need to delete the SSLO config, delete the SSLO VLANs on the Host and Tenants, recreate the SSLO VLANs with different names that will appear at the top of the alphabetical list, then recreate the SSLO config, then run these commands to force the F5 to reassign the MACs from its MAC Pool:
    tmsh modify ltm global-settings general share-single-mac global
    tmsh modify ltm global-settings general share-single-mac unique
- The L2 SSLO VLANs will need to be created on the new rSeries hosts prior to the migration from iSeries.
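
The duplicate-MAC check described in the post above, as an added example that is not part of the original thread or F5's own tooling: it reads the output of the quoted `tmsh show net vlan | grep` command and marks each VLAN whose MAC is also used by another VLAN. The line layout (name or MAC as the last field, `Mac Address (True)` label), the VLAN names and the MAC values in the sample are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag VLANs that share a MAC address.
# Feed it:  tmsh show net vlan | grep "Interface Name\|Mac Address"
# Assumed layout of those lines: the VLAN name / MAC is the last field.

vlan_mac_report() {
    awk '
        /Interface Name/ { vlan = $NF }
        # Accept only a well-formed MAC so an empty field is not counted.
        /Mac Address/ && length($NF) == 17 && $NF ~ /^[0-9A-Fa-f:]+$/ {
            mac[vlan] = tolower($NF)
            users[mac[vlan]]++
        }
        END {
            for (v in mac)
                printf "%s %s %s\n", v, mac[v],
                       (users[mac[v]] > 1 ? "SHARED" : "unique")
        }
    ' | LC_ALL=C sort   # byte order: capitalized names sort first
}

# Constructed sample input (documentation-range MACs, hypothetical VLAN names).
sample_vlan_output() {
    cat <<'EOF'
Interface Name      SSLO_L2_in
Mac Address (True)  00:00:5e:00:53:01
Interface Name      SSLO_L2_out
Mac Address (True)  00:00:5e:00:53:02
Interface Name      external
Mac Address (True)  00:00:5e:00:53:1f
Interface Name      zz_inspect_in
Mac Address (True)  00:00:5e:00:53:1F
EOF
}

# Run with --demo to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_vlan_output | vlan_mac_report
fi
```

On a tenant, pipe the real command output into `vlan_mac_report` and look for `SHARED` next to the SSLO L2 VLAN names.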