F5 Connection Mirroring question

cpt_ri_F5 · ‎16-Nov-2023

Hello,

show sys connection type mirror

This command should show the mirror connections on the Stanby?

LTM BIG-IP

Thank you

cpt_ri_F5 · ‎20-Nov-2023

Hello,
No, the connections are not mirrored !
To share in case it might help someone someday: I had a TG conf problem, the VS was configured in the TG1 and nexthop (floating self-ip) in the TG2, I configured everything in TG1, and it works.
Thank you @Mohamed_Ahmed_Kansoh @M_Saeed

View solution in original post

M_Saeed · ‎16-Nov-2023

@cpt_ri_F5 it on standby it would be by verification of mirroring status #tmsh show sys ha-mirror

If status is connected, so your connection would be mirrored on failure incident according to your current runingg sys connection table.

Mohamed_Ahmed_Kansoh · ‎16-Nov-2023

Hi @cpt_ri_F5 ,
yes it shows the connections that should be mirrored to the devices in HA Group , Please have a look here : https://my.f5.com/manage/s/article/K84303332#:~:text=You%20can%20use%20tmsh%20to,type%20mirror%20all....

FYI : Not all connections got mirrored by adding mirrior option with HA Configuration under device management only.

But you need to add IP for mirrioring in HA Configuration.
and you must enable mirror feature within Virtual server or src address presistence profile , by doing this you are selecting specifc type of traffic related to specific virtual server or source address presistence.

But be careful Mirror may impact your device performance specially with heavy traffic Virtual servers.

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎17-Nov-2023

Hello, thanks for your feedback
I see connections only on the Active
I checked the configuration, it looks ok,
I see : Aborts + Errors on Standby
Primary Secondary : connected

Active:In Sync] ~ # tmsh show sys ha-mirror
--------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
--------------------------------------------------------------------------------------------------------------------
Traffic Group TMM Primary Secondary Aborts Overflows Errors Buffered L4 Mirror L7 Mirror L7 Failed
--------------------------------------------------------------------------------------------------------------------
traffic-group-1 [0.0] connected connected 0 0 0 0 4 0 0
traffic-group-1 [0.1] connected connected 0 0 0 0 0 0 0
traffic-group-1 [0.2] connected connected 0 0 0 0 2 0 0
traffic-group-1 [0.3] connected connected 0 0 0 0 2 0 0

!
Standby:In Sync] ~ # tmsh show sys ha-mirror
--------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
--------------------------------------------------------------------------------------------------------------------
Traffic Group TMM Primary Secondary Aborts Overflows Errors Buffered L4 Mirror L7 Mirror L7 Failed
--------------------------------------------------------------------------------------------------------------------
traffic-group-1 [0.0] connected connected 4 0 2 0 0 0 0
traffic-group-1 [0.1] connected connected 4 0 2 0 0 0 0
traffic-group-1 [0.2] connected connected 4 0 2 0 0 0 0
traffic-group-1 [0.3] connected connected 4 0 2 0 0 0 0

Mohamed_Ahmed_Kansoh · ‎17-Nov-2023

Hi @cpt_ri_F5 ,

Have you configured the mirroring within specific ( Virtual server , Source address persistence ... ) ?

you can't rely only Connection mirroring with HA Setup.

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎17-Nov-2023

Hello @Mohamed_Ahmed_Kansoh

Yes in virtual server, i use auto-map, no persistence. I see connections mirroring only on the Active.

Thanks

Mohamed_Ahmed_Kansoh · ‎18-Nov-2023

Hi @cpt_ri_F5 ,
Alright,

That's most properly means that Mirroring links are suffering to mirror these connections.

what is the IP which used for mirroring ? Is it the MGMT interface or a specific VLAN ?

-I would recommend selecting specific Vlan for HA ( Not Internal/External )
-Also If you can use ( Back-to-Back ) Connectivity between HA pair .
-Also Use LAGs or Link aggregation for HA to increase the BW and leverage the Fault tolerance of HA.

Please check this Article explians what I'm trying to say and much more troubleshooting : https://my.f5.com/manage/s/article/K54622241

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎18-Nov-2023

Helo @Mohamed_Ahmed_Kansoh Thank you for your help,
I use both HA links which works correctly, status, syn conf, failover...

Active:
sys state-mirroring {
addr 10.0.1.10 >>> vlan: HA
secondary-addr 10.0.2.10 >>> vlan: HA_BAK

Standby:
sys state-mirroring {
addr 10.0.1.20 >>> vlan: HA
secondary-addr 10.0.2.20 >>> vlan: HA_BAK

I have already executed K54622241, nothing special except no traffic for tcpdump
Thank you.

Mohamed_Ahmed_Kansoh · ‎18-Nov-2023

HI @cpt_ri_F5 ,

Interesting !

Is it a back to back HA Connectivity ?
I mean both devices are directily connected or there is FW between them ?

I believe there is no ACKs for mirroring connections.

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎18-Nov-2023

Let me check this next week, thank's
Do you think there is a difference between the two modes (HA ok)?

Mohamed_Ahmed_Kansoh · ‎18-Nov-2023

@cpt_ri_F5 ,

Yes the Back-to-back connectivity is much reliable and effiective than the existance of other hops in path ( such as FWs or L3 SWs )

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎18-Nov-2023

ok, but why can only the mirroring connection pose a problem? both HA links are stable, syn ok failover ok...

Mohamed_Ahmed_Kansoh · ‎19-Nov-2023

Mirroring is another story.

It consume Bigip resources specially in heavy environments.

Why ?

Let we imagine you have 100K connections in Active unit connection table , you see that as 100K connections only but at the same time Active unit handles 200K Connections because it processes 100K and move/mirror the same 100 K connections to the other unit.

Imagine you have a virtual server receive 1 or 2 millions of traffic and so on this of course will impact you and degrade sys performance.

Mirror Active connections is not an easy task like triggering failover or even doing incremental config sync.

You need a robust connectivity between HA pairs also I prefare to use a back to back connectivity for that

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎19-Nov-2023

Hello @Mohamed_Ahmed_Kansoh,
It's clear, for this requirement, I have only 1 connexion that want to replicate!

Mohamed_Ahmed_Kansoh · ‎19-Nov-2023

@cpt_ri_F5 ,
Have you issued ( #tmsh show sys connections ) on the standby unit to see if these connections have been mirrored or not ?

_______________________
Regards
Mohamed Kansoh

cpt_ri_F5 · ‎20-Nov-2023

Hello,
No, the connections are not mirrored !
To share in case it might help someone someday: I had a TG conf problem, the VS was configured in the TG1 and nexthop (floating self-ip) in the TG2, I configured everything in TG1, and it works.
Thank you @Mohamed_Ahmed_Kansoh @M_Saeed

M_Saeed · ‎21-Nov-2023

@cpt_ri_F5Gr8 news , TGs always represents a high concern (virtual address, floating self, ..etc)

DevCentral

F5 Connection Mirroring question

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

F5 Connection Mirroring question

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards