For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gonzalo_Arce_17's avatar
Gonzalo_Arce_17
Icon for Nimbostratus rankNimbostratus
Mar 31, 2016

vlan failsafe don`t work on vcmp guest

Hello,

 

I have a 2x5250V (VCMP). I have installed three guests (Prod,dmz and QA) on both of them host. These Guests are connected on the same Vlans for HA & the following vlan for each guest:

 

prod1/prod2 guest are in failover active/standby, external vlan2, internal vlan12, ha vlan30 dmz1/dmz2 guest are in failover active/standby, external vlan3, internal vlan13, ha vlan30 qa1/qa2 guest are in failover active/standby, external vlan2, internal vlan12, ha vlan30

 

When I shutdown the physical port-channel for the vlan 2 and 3 on the switch, the Guests Prod1 and Dmz1 successfully commute with vlan failsafe but guest qa not switch.

 

The active traffic groups located to qa don't switch to standby status and the application does not work properly. on guest qa only work gateway failsafe.

 

How can I do to work vlan failsafe to switch to the neighbord (qa1-->qa2)?

 

Thank you

 

application delivery
LTM
vcmp
vlan failsafe

2 Replies

  • IanB's avatar
    IanB
    Icon for Employee rankEmployee
    Mar 31, 2016

    I'm not sure I fully understand your question, but I think you're staying that you have three pairs of vcmp guests, and two of them are working with vlan failsafe, but the third is not ? Is that correct ?

     

    If so, I suggest you run tcpdump -i on both guests, to see what traffic is still being seen there, compared with the traffic seen on the other two vlans. Is the VLAN really totally inactive ?

     

    VLAN failsafe is a timer that resets every time it receives a packet. If it reaches half of the timeout value, it starts sending ARP requests out to try and elicit a response. At 3/4s of the timeout, it starts pinging 224.0.0.1 to try and get a response. If none of that works, it will trigger failover.

     

    Note that the vlan failsafe configuration is not part of the shared configuration, so make sure you have configured the same values on both guests.

     

    Overview of VLAN failsafe

     

    Note that VLAN failsafe can be problematic if both devices share the same VLAN, as the gratuitous packets from one device end up keeping the other one alive. In such a situation, Gateway failsafe is more appropriate, but that can have problems too, where the loss of the common gateway router causes both devices to go standby, since both see it as being down.

     

  • tatmotiv's avatar
    tatmotiv
    Icon for Cirrostratus rankCirrostratus
    Mar 31, 2016

    VLAN failsafe will watch for traffic on the VLAN and generate some traffic itself (ARP requests) after some time when it has detected a possible loss of connectivity. When running VLAN failsafe on several vCMP guests on the same vCMP host that share one VLAN with VLAN failsafe activated, the traffic generated on one guest by the VLAN failsafe mechanism itself will be detected by the other vCMP guests' VLAN failsafe mechanisms. This is due to the fact that the vCMP guests themselves are connected with each other via the virtual switch within the vCMP hypervisor. Thus, inter-guest traffic will not need to leave the vCMP host, so VLAN failsafe will never get triggered in this constellation, even if there is a "real" loss of connectivity (e.g. switch outage).