Forum Discussion
Two sync-failover groups (LTM) and one sync-group (for asm sync) setup
Hi Neil,
1. Will this setup work when I have multiple customers set up using many route domains, partitions and traffic groups?
Route domains and traffic groups should not pose a problem. Any admin partition which contains an ASM security policy will be synced to all ASMs in the sync-only group. Note that only the security policies sync, not any LTM config. If an admin partition contains virtual servers, pools, etc., they will not sync. Also keep in mind that the sec policy must be in /Common or the same partition as the virtual server to which it is assigned.
2. When the configuration is not the same on each of the failover groups
I'm not sure what you're asking here. Please clarify.
3. When the naming of VIPs is not the same on each failover group
VIP names do not matter. What will happen is that after the initial sync of the sec policies to an LTM/ASM HA pair using different VIP names, the policies will not be assigned to any VIP. You must manually assign the policies to the correct VIP.
4. Do I need to default one pair to factory-default when creating this setup, as when I try to create a trust to the second pair of devices I get an error stating the device already belongs to a traffic group?
All four bigips must be in the same device trust domain with each other, and a bigip may only be in one trust domain at a time. Apparently what you have now is two HA pairs, each in their own trust domain. You will need to break one of the HA pairs' sync-failover device group and remove the trust while taking care not to have them active-active (assuming you have active-standby right now). You can force the standby unit offline so it won't go active after deleting the device group. See this article for an overview: SOL15757.
After the device group/trust is torn down on one pair, add them to the device trust of the remaining HA pair. Once all four are in a trust together, recreate the sync-failover dev group for the second HA pair and create the sync-only dev group including all four. Then assign the sync-only group for ASM sync.
Be aware that you should always use the same bigip to configure trusts. For example, if the remaining HA pair are bigipA-bigipB and bigipA was where the trust was originally created, then you must use bigipA to add bigipC & D (the HA pair you tore down) to the trust group.
Scott