Forum Discussion
trungleon_11288
Nimbostratus
Mar 14, 2012
Unstable with Virtual Servers when running Active/Standby F5 Big-IP LTM 3600 ver 11.1
Hi all,
Our system has two F5 Big-IP LTM 3600 units running TMOS ver 11.1 in Active/Standby mode. Their details are as follows:
1. F5_01:
VLAN DMZ (Internal) Self IP: 10.5.255.252/16
VLAN DMZ (Internal) Floating IP: 10.5.255.254/16
VLAN LTM (External) Self IP: 10.6.255.252/16
VLAN LTM (External) Floating IP: 10.6.255.254/16
2. F5_02:
VLAN DMZ (Internal) Self IP: 10.5.255.253/16
VLAN DMZ (Internal) Floating IP: 10.5.255.254/16
VLAN LTM (External) Self IP: 10.6.255.253/16
VLAN LTM (External) Floating IP: 10.6.255.254/16
In addition, we have the Virtual Server: 10.6.1.10/16 attached to a pool that includes 06 web members on port 8080 (10.5.1.61/16 -> 10.5.1.67/16). Of course, the gateway for each web member is 10.5.255.254/16 (Floating IP for VLAN DMZ).
But now, when a client accesses the Virtual Server: 10.6.1.10, it's very unstable (sometimes it works and sometimes it doesn't).
The behaviour is as follows:
1. Accessible with 10.6.1.10 -> this means we can ping 10.6.1.10 from outside.
2. Inaccessible with 10.6.1.10 -> this means we can't ping 10.6.1.10 from outside.
So we need your support to solve this issue.
Best Regards,
Trungleon
11 Replies
- trungleon_11288
Nimbostratus
I would like to add more information as follows:
F5_01 has the LTM+ASM license module active, but F5_02 has only the LTM license module active. Could this be the reason for the instability of the Virtual Server IP?
Thanks so much.
- koenning_107182
Nimbostratus
Hi Trungleon,
from the described situation, without further data, it is quite hard to diagnose.
What is the default gw for the BIG-IP LTM? Errors like this could happen if you do not configure a default gw, and autolasthop then sends the traffic to the wrong MAC of the upstream load-shared L3 device. But that would be just one out of hundreds of possible causes.
What does your routing look like?
Cheers,
Christian
- trungleon_11288
Nimbostratus
Hi Koenning,
The default GW for both F5 BigIP LTM 3600 units is 10.6.1.1, the address of the ASA inside interface (VLAN LTM).
The upstream Layer 3 devices are Cisco ASA Firewalls in Active/Standby failover, with inside interface IPs 10.6.1.1 (active) and 10.6.1.2 (standby).
Maybe something is wrong with the MAC address of the Virtual Server: 10.6.1.10.
Can I use the Floating IP_LTM: 10.6.255.254 instead of 10.6.1.10 for Virtual Servers?
Thanks,
- nitass
Employee
are you using asm? if so, have you checked /var/log/asm?
have you ever failed over to unit02? did the issue still happen?
"Can i use the Floating IP_LTM: 10.6.255.254 instead of 10.6.1.10 for Virtual Servers?"
yes but i do not think it is relevant.
sol10388: Support and precedence for self IP addresses used with virtual servers and NATs
http://support.f5.com/kb/en-us/solutions/public/10000/300/sol10388.html
- trungleon_11288
Nimbostratus
Hi nitass,
Unit 01 is using LTM&ASM module (has license LTM&ASM)
while Unit 02 is using LTM module (just has license for LTM)
The failover state is very unstable; it disconnects and reconnects frequently, so the roles also switch over (Active<->Standby) with each other frequently. Therefore, the virtual server: 10.6.1.10 can't be accessed from outside at that time.
This is the local traffic log from the Standby Unit:
=====================================
HA Connection with peer 10.5.255.253:1028 lost.
HA Connection with peer 10.5.255.253:1028 lost.
Connection to CMI peer 10.5.255.253 has been removed
CMI reconnect timer: enabled
Attempting to connect to CMI peer 10.5.255.253 port 6699
CMI reconnect timer: disabled, all peers are connected
HA Connection with peer 10.5.255.253:1028 established.
HA Connection with peer 10.5.255.253:1028 established.
======================================
The problem may be related to the MAC Masquerade Address. Do you think so, Nitass?
- Techgeeeg
Nimbostratus
Dear Trungleon,
I would prefer you do the following as a first step: kick one of the boxes completely out of the network and let all of the operations run from unit1. If it goes fine, kick out unit1, bring in unit2 and check the same. If this process shows any disconnection or problem, then you may have a problem in the network as well.
In the first place, what is the reason that the two boxes are licensed differently... and let's say even if they are licensed differently, are both the modules LTM & ASM provisioned on Unit 1 or not? If it's only the LTM module provisioned on both of the modules then it should work fine... If the boxes have different modules provisioned, then make it the same for both of the boxes. Are you not using a serial cable for fail-over, so that only the network disruption is causing fail-over? If you are using only network fail-over and there is no serial cable available, then try to configure it on a separate port and see if it works fine.
If you have done any MAC-address binding at the firewall level, remove it.
Regards,
- trungleon_11288
Nimbostratus
Hi Techgeeeg,
I'm using the network & serial cable for the failover link on both units under TMOS ver 11.1. I took out one unit and all its related network cables, then removed the HA configuration. At that time, only one unit was running in standalone mode, but the upstream link aggregation (L1.1, L1.2, L1.3, L1.4) to the switch was still unstable. The links were switching between up and down and reconnecting frequently. Really, I didn't know what was going on with them, even though I had checked the network cables and upstream devices carefully.
Now, I have decided to boot the unit to a different volume with TMOS 10.2.2 and everything is OK. I'm worried about operating with TMOS 11.1; maybe it can't operate stably with my device (BIG-IP LTM 3600).
Thanks.
- nitass
Employee
was the unit failed over unexpectedly even when using serial failover? from the log, i do not see the failover state changing (e.g. active/standby). you know port 1028 is for mirroring data.
by the way, when configuring network failover, have you had two unicast pairs (one using the mgmt interface and the other one using a tmm interface)?
- trungleon_11288
Nimbostratus
Hi Nitass,
Yes, the status is disconnected and reconnected even though I have been using the network & serial cable. In the worst case, it's failed. Of course, I know port 1028 is for mirroring data and 1026 is for failover.
For the network failover configuration, I also configured two unicast pairs: one for the mgmt peer, and another for the local address of VLAN Internal (DMZ).
Rgds,
- Techgeeeg
Nimbostratus
Hi Trungleon,
When using multiple ports as a trunk/etherchannel, the duplex has to be fixed in the case of a Cisco switch, or else this type of behaviour shows up. I am sure you are aware of it... but with your comment that the setup is working fine with TMOS 10.2.2, this is ruled out. This problem needs to be addressed properly: what exactly is going on... TMOS 11.1 has problems, I will agree to it. If you wish to continue with ver. 11.1, I would prefer you open a case with F5 Support.
Regards,