
Forum Discussion

daboochmeister3 (Nimbostratus)
Apr 28, 2026

VIP control across data centers - how to ensure only 1 VIP is up at a time?

Hi -- at a very high level, we have a need for two VIPs (one in each data center), with automated orchestration so that only 1 VIP is up at a time.

In more detail, we are setting up VIPs to proxy syslog UDP; and having two data centers, and for maximum redundancy, our thought is to have a VIP in each data center, and configure all syslog clients to send to both VIPs.  Note that we want to configure the client's syslog destination using IPs, not hostnames, to eliminate DNS as a point of failure.

(anycast would be perfect for this, but isn't workable from a technical perspective, since we use OSPF within the data centers; and GSLB [via GTMs, DNS controllers] is not an option, since we don't want to rely on DNS resolution for the syslog destinations)

However, one further req't is that we can't allow duplicate syslog transmission; the SIEM we're using can only accept one set of syslog records - it lacks deduplication.  So, as a result, it's important that only one or the other of the VIPs be proxying the syslog received from a device.

We can accomplish this manually, by always having one of the VIPs force offline.  However, we're looking to automate this, so that we don't have windows where no syslog is processed, during the wait for someone to login and enable the backup VIP.

So - what are the techniques others have used to orchestrate availability of VIPs such that only 1 is available?

Would this be accomplished if we were to establish a new device group, with the LTM from each data center in it?  Can you HAVE a device group across WAN links like that, without risk of split-brain effects?

Or, can we use iRules to somehow accomplish this?  E.g. in one data center's VIP, have a client-accepted rule that performs an external monitor check of the other data center's VIP, and rejects the packet if that VIP is up?

Any thoughts welcome!

2 Replies

  • Hi daboochmeister3,

    In DC2:

    A new pool is used to monitor the virtual server in DC1. (A specific UDP monitor may be required.)

    The number of active members in the pool is checked using an iRule, and if DC1 is up, incoming traffic is rejected.

    when CLIENT_ACCEPTED {
      # pool_syslog_dc1_vip has a single member: the DC1 syslog VIP itself,
      # so one active member means the DC1 VIP is answering its monitor.
      if { [active_members /Common/pool_syslog_dc1_vip] == 1 } {
        # DC1 is up: discard the datagram so the SIEM sees only one stream.
        reject
      }
    }

    When DC1 VS is down, it is necessary to thoroughly test whether the monitor is functioning properly.


    Another option instead of using iRule on DC2:

    By using an external monitor, if the VS is up on DC1, the member is marked as down (reverse monitor). The syslog server on DC2 is monitored using a different monitor. Pool uses two monitors.
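The iRule in this reply only does its job if the pool it inspects really tracks the DC1 VIP, so here is the complete DC2-side configuration that approach needs, written out as an added example in bigip.conf syntax (it can be applied with `tmsh load sys config merge from-terminal`); it is not the reply author's configuration. All object names and the RFC 5737 addresses (203.0.113.10 for the DC1 VIP, 203.0.113.20 for the DC2 VIP, 198.51.100.21 and .22 for the DC2 collectors) are assumptions constructed for the example. DC1 keeps an ordinary syslog virtual server with no iRule; only DC2 carries the standby logic.

```tmsh
# DC2 side only. DC1 runs a plain syslog VIP (203.0.113.10:514) with no iRule.
# Addresses and names below are constructed for this example.

# 1. UDP monitor for the DC1 VIP. Whatever is in "send" is forwarded by the
#    DC1 VIP to the DC1 collectors every interval, so make it recognisable
#    and filterable in the SIEM rather than leaving the default send string.
ltm monitor udp mon_dc1_syslog_vip {
    defaults-from udp
    interval 5
    timeout 16
    send "bigip-dc2 standby-probe"
}

# 2. Single-member "sensor" pool: the only member is the DC1 VIP address.
#    Nothing is ever load balanced to this pool; it exists so that
#    active_members in the iRule reflects DC1's health.
ltm pool pool_syslog_dc1_vip {
    members {
        203.0.113.10:514 {
            address 203.0.113.10
        }
    }
    monitor mon_dc1_syslog_vip
}

# 3. The real DC2 collectors behind the DC2 VIP.
ltm pool pool_syslog_dc2 {
    members {
        198.51.100.21:514 {
            address 198.51.100.21
        }
        198.51.100.22:514 {
            address 198.51.100.22
        }
    }
    monitor udp
}

# 4. Standby logic: while the sensor pool has an active member (DC1 is up),
#    every datagram arriving at the DC2 VIP is refused so the SIEM never
#    receives the same record twice. "> 0" rather than "== 1" keeps the rule
#    correct if someone later adds a second probe member.
ltm rule irule_syslog_dc2_standby {
when CLIENT_ACCEPTED {
    if { [active_members pool_syslog_dc1_vip] > 0 } {
        reject
    }
}
}

# 5. The DC2 syslog VIP. No SNAT: syslog over UDP is one-way, so the
#    collectors never need a return path through the BIG-IP, and the SIEM
#    keeps seeing the originating device's own source address.
ltm virtual vs_syslog_dc2 {
    destination 203.0.113.20:514
    ip-protocol udp
    profiles {
        udp { }
    }
    pool pool_syslog_dc2
    rules {
        irule_syslog_dc2_standby
    }
    translate-port enabled
}
```

The weak point is step 1: a syslog VIP never answers a probe, so whether `pool_syslog_dc1_vip` actually goes down when DC1 is unavailable depends on how the DC1 side fails (an ICMP port unreachable from DC1 versus a silent drop somewhere on the WAN). That is the "test the monitor thoroughly" caveat in the reply above; disable the DC1 virtual server, watch `tmsh show ltm pool pool_syslog_dc1_vip members` flip to down within the monitor timeout, and confirm syslog starts arriving via DC2 before trusting the setup in production.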

  • For the OSPF/BGP integration, you can use Route Health Injection:
    https://my.f5.com/manage/s/article/K15923612

    In F5 DC1, create a vserver and add the DC2 syslog vserver as the pool member.
    Add the above new DC1 vserver as the negative/reversed health monitor target of the syslog DC2 pool.

    You can use either one of these two monitor configs to create a negative/reversed health monitor.