RedBaron
Oct 03, 2025

SSL Orchestrator and Layer 2 Service Integration

Has anyone encountered issues with an rSeries BIG-IP Tenant with the integration of a layer 2 service? In my case, I cannot make the service come up even though I have the exact VLAN name and tagging set in the OS bare metal, and exactly the same VLAN and tagging configured in the tenant.

7 Replies

  • Here are some notes based on my recent struggles with getting L2 services to come up after migrating SSLO from iSeries to rSeries... You need to complete the following:

    • If using L2 Services with SSLO, deploy the new rSeries Tenant with the appropriate MAC Block Size (aka MAC Pool). You will need 2 MAC addresses for each L2 service, and 1 for each additional VLAN. Each rSeries tenant can be assigned one of the following MAC Block sizes (Small/Medium/Large, 8/16/32)
    • IMPORTANT IF YOU HAVE MORE THAN 30 VLANS:
      • Unique MAC Addresses from the MAC Pool are assigned alphabetically, as they appear in the Tenant GUI, with VLANs starting with a capitalized letter appearing before VLANs starting with a lowercase letter
      • If your L2 SSLO VLANs appear low enough in the alphabetical list, they won't be assigned a unique MAC Address, and the L2 service will not pass the health check, even if you have the Tenant Deployment configured with a Large MAC Block 
      • You can confirm if you're running into this issue by running this command and checking if your SSLO VLANs have a MAC address that's shared with other VLANs: tmsh show net vlan | grep "Interface Name\|Mac Address"
      • If you're running into this issue, you'll need to delete the SSLO config, delete the SSLO VLANs on the Host and Tenants, recreate the SSLO VLANs with different names that will appear at the top of the alphabetical list, then recreate the SSLO config, then run these commands to force the F5 to reassign the MACs from its MAC Pool:
        • tmsh modify ltm global-settings general share-single-mac global
        • tmsh modify ltm global-settings general share-single-mac unique
    • The L2 SSLO VLANs will need to be created on the new rSeries hosts prior to the migration from iSeries. 
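Added example, not part of the reply above and not F5 code: a small shell filter that takes the output of the `tmsh show net vlan | grep "Interface Name\|Mac Address"` check from that reply and lists every MAC address used by more than one VLAN. The line layout it parses and the VLAN names and MAC values in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# shared_macs: read "Interface Name" / "Mac Address" line pairs on stdin and
# print one line per MAC address that is shared by two or more VLANs:
#   <mac>: <vlan> <vlan> ...
# Assumed layout (not confirmed by the post): the VLAN name is the last field
# of the "Interface Name" line and the MAC is the last field of the
# "Mac Address" line that follows it.
shared_macs() {
    awk '
        /Interface Name/ { vlan = $NF; next }
        /Mac Address/ && vlan != "" {
            mac = tolower($NF)
            if (!(mac in count)) { order[++n] = mac; members[mac] = vlan }
            else                 { members[mac] = members[mac] " " vlan }
            count[mac]++
            vlan = ""
        }
        END {
            # Keep first-seen order so the report follows the tmsh listing.
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i] ": " members[order[i]]
        }'
}

# Constructed sample input (hypothetical VLAN names, made-up MAC addresses).
sample_output() {
    cat <<'EOF'
Interface Name           External
Mac Address (True)       02:00:00:00:00:01
Interface Name           Internal
Mac Address (True)       02:00:00:00:00:02
Interface Name           sslo_l2_in
Mac Address (True)       02:00:00:00:00:08
Interface Name           sslo_l2_out
Mac Address (True)       02:00:00:00:00:08
Interface Name           zz_mgmt
Mac Address (True)       02:00:00:00:00:08
EOF
}

# On a tenant, pipe the real command output into shared_macs instead.
sample_output | shared_macs
```

Any SSLO VLAN that shows up in this report is in the shared-MAC condition the reply describes.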
  • Hi RedBaron,

    Did you assign a Self IP to the VLAN?  That will cause them to not appear in the Services screen when creating a Layer 2 Service.  Creating the vlan name and tag in F5OS is all that is required.  You do not need to make any other network changes in the Tenant.

    • RedBaron

      Kevin, I finally got to talk to you!

      Anyway, here's the dilemma: 2 rSeries with a single tenant each in HA mode. Building the orchestrator requires the interface mapping, VLAN name and tag, MAC address bank, and verifying the listeners at the rSeries level, as you know. Inside the tenant, the same VLAN name and tag number were manually entered, identical to the rSeries entries. Building the topology, no issues; however, once we deploy it... kaboom, interfaces up, services down on both. We walked line by line through the configuration, rebuilt it 3 times, and still the same issue. One thing I discovered was that on the active node, the interception rule field was completely empty! The standby is fully populated, but the service is still down! Weird. No changes needed, just need to make this layer 2 service work so we can provide the customer with full functionality of the system built. Somehow, the services don't seem to work, red red, but the interfaces are up. Another thing, the services are not even generating ARP entries on both tenants' CLI prompt. Strange things indeed!

      • KevinGallaugher

        Hi Red Baron,

        I don't know what would cause this strange behavior.  You should open a case with Technical Support.

        Kevin

  • Hello RedBaron,

    I noticed you haven't gotten any response yet and wanted to let you know I am working to find someone who may be able to help you. While I do that, if you have any update, please make sure to add that to your post.

    Thank you for being a part of our community! 

    -Melissa