Forum Discussion

rafaelbn
Sep 16, 2022
Solved

Disabling Auto Last Hop on VLAN

Hello Guys!

We have an internet facing LTM with public IPs. Currently, this LTM's default route points to a VRRP address (we have 2 routers for redundancy).

On the same public VLAN, we have multiple virtual-servers.

We are scheduling a maintenance window to bounce both routers and it came to us that since auto-last-hop is enabled (default configuration all around), if we bounce the master router, this LTM is going to return the traffic to the incorrect MAC address for all established connections (we have some long lived VS connections).

Following article K9487, we are planning to disable auto-last-hop on the internet facing VLAN.

My question is: When I disable auto-last-hop on that VLAN, will this affect currently established connections or will it only affect new connections?

Thanks, Rafael.

  • Changing that value will impact new connections; those connections already in the connection table will continue to return to the auto-last-hop setting established. You can do a couple of things about that:

    • Evaluate your virtual server tcp/udp profile timeout settings for those virtuals served on that particular vlan and, if you are not supporting any seriously long-lived connections, you could set the idle timeouts artificially low temporarily to bleed old connections off safely, then clear any remaining connections to the virtuals in that vlan. This would be less impactful.
    • Make no changes to your idle timeouts, and wait until immediately before your routers, then clear the connections on the virtual servers being served on that vlan. You can script it if there are too many to clear manually. This would be more impactful.
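
One way the "script it" step from the reply above could look, as an added example that is not part of the original thread: it assumes the `tmsh delete sys connection` command with its `cs-server-addr` and `cs-server-port` filters, and the destination list (documentation addresses) is constructed. It only prints the commands so they can be reviewed before the maintenance window.

```shell
#!/bin/sh
# Added example: turn virtual-server destinations into connection-clearing
# commands. Prints commands only (dry run); nothing is executed here.

# Reads one destination per line on stdin, e.g. /Common/203.0.113.10:443.
# IPv4 destinations only; anything else is reported on stderr and skipped.
build_clear_cmds() {
    while IFS= read -r dest; do
        [ -z "$dest" ] && continue
        addr_port=${dest##*/}            # drop the partition prefix
        addr=${addr_port%:*}
        port=${addr_port##*:}
        case "$addr_port" in
            *:*) ;;
            *) echo "skipped (no port): $dest" >&2; continue ;;
        esac
        case "$addr" in
            ''|*[!0-9.]*) echo "skipped (not plain IPv4): $dest" >&2; continue ;;
        esac
        case "$port" in
            0|any)        # wildcard-port virtual: filter on address only
                printf 'tmsh delete sys connection cs-server-addr %s\n' "$addr" ;;
            ''|*[!0-9]*)  # service names such as "https" need manual lookup
                echo "skipped (non-numeric port): $dest" >&2 ;;
            *)
                printf 'tmsh delete sys connection cs-server-addr %s cs-server-port %s\n' "$addr" "$port" ;;
        esac
    done
}

# Constructed sample input (documentation addresses, not from the thread).
sample_destinations() {
    cat <<'EOF'
/Common/203.0.113.10:443
/Common/203.0.113.11:0
198.51.100.5:any
/Common/2001:db8::10.443
/Common/203.0.113.12:https
EOF
}

sample_destinations | build_clear_cmds
```

Skipped entries (IPv6, route-domain or named-port destinations) are listed on stderr so they can be cleared by hand.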
