I have bought the Lab license and have two versions of 12.1 running on ESXi servers. I have an issue though: against the F5 best practices, I'm wanting to cluster both these F5s, one in each DC.
Each has an Internal, External, Mgmt and HA interface. The HA Self IPs are below.
F5-1 - HA self IP 172.16.73.3/29
F5-2 - HA self IP 172.16.73.11/29
I have a static route on each F5 routing the HA network of the other F5 to the local HA gateway - this gateway is an ASA and has 2 paths to the other DC and handles failover routing.
I go to Device Trust > Peer List > Add Peer - it successfully finds the other F5 using the HA IPs above, but when I try to create a sync-failover group and add both devices, and then press Sync Device to Group, it just says "Sync Failed":
Sync Summary
Status: Sync Failed
Summary: A validation error occurred while syncing to a remote device
Details: Sync error on TC-: Load failed from HAR- 01070666:3: Static route duplicates Self IP 172.16.73.8 / 255.255.255.248 implied route
Recommended action: Review the error message and determine corrective action on the device
So it looks like it's trying to sync the static routes for the HA connectivity, then finding out the static route it's importing clashes with its own HA network. Any ideas how to get around this? Can I choose to exempt a static route from the config sync?
It looks like you have a static route configured on the device and the same subnet is used for the HA network. If yes, please remove the static route and try to sync from the active box.
Could you please provide me the full configuration? How did you configure these boxes?
I tried routing the HA self IPs to each other instead of the whole subnet - now I got a different error.
Status: Sync Failed
Summary: A validation error occurred while syncing to a remote device
Details: Sync error on HAR-: Load failed from TC- 01070330:3: Static route gateway 172.16.73.9 is not directly connected via an interface.
Recommended action: Review the error message and determine corrective action on the device
I have it working with both HA self IPs on the same network and trunking the network between the DCs using a VLAN. This is OK until the leased line goes down, then both boxes will become active. At least before, by using different HA networks, I could route them via the ASA, which would handle the failover if the leased line died and route it via the MPLS.
How can I achieve redundancy using the MPLS link with the F5s? Is there a secondary HA link/method I can use?
Many thanks if you know the answer 🙂
The routes are sync objects, so they will be the same in both units. For your configuration, it does not matter which way you sync, you will get the same error. So with the first error you got, the unit can't add the new route because it is the same as the local connected route via the self IP.
The second error is because of how routing works: you can't create a route to a gateway that is not directly connected (you need a self IP in that network). In one unit that route works, but in the other unit it does not work when you sync the configuration.
You already found out the main problem in having HA between datacenters. If the link between datacenters goes down, you have an active/active situation, and that is bad if you have an active/standby setup. The other problem is how you float the floating IPs between the units, as you need to have a layer 2 connection between the datacenters. There is a possibility to do that without floating IPs, having the virtual addresses announced via routing protocols (like RIP/OSPF/etc.), but you still have the problem with the active/active situation. I saw this option with routing protocols being used in a production network, but it is not good at all.
The best option is to use GTM/DNS; the product is exactly for this scenario, to load balance between datacenters. Whether within the datacenter you use only one LTM, or a pair, does not matter. A pair is recommended, as an extra layer of redundancy.
See this link about GTM/DNS:
A 3-year-old post, but for those who are still struggling with routing ConfigSync interfaces and routing table management in a device group, here is the solution that worked for me:
- Create a user partition.
- In this partition's properties --> Redundant Device Configuration:
  Set Device Group to None
  Set Traffic Group to traffic-group-local-only
- Now switch to this partition.
- Go to Network --> Route and create the route to the ConfigSync IP of the peer.
- Repeat the same steps for the other peer.
Hope this helps.
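To make the two sync errors explained earlier in the thread and the partition fix above concrete, here is an added Python model. It is not F5 code and not the BIG-IP loader itself; it applies the two checks behind errors 01070666 and 01070330 to the routing table each unit ends up with after a sync, first with the routes in /Common (synced) and then in a partition whose Device Group is None (kept local). It assumes F5-1's HA gateway is 172.16.73.1 (the thread only names 172.16.73.9) and uses HA_LOCAL as the name of the local-only partition; both are placeholders.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed topology mirroring the thread: one BIG-IP per DC, HA self IPs on
# different /29s. F5-2's gateway 172.16.73.9 is the one named in the second error;
# F5-1's gateway 172.16.73.1 and the partition name HA_LOCAL are assumptions.
DEVICES = [
    {"name": "F5-1", "self_ips": ["172.16.73.3/29"]},
    {"name": "F5-2", "self_ips": ["172.16.73.11/29"]},
]
LOCAL_ONLY_PARTITIONS = {"HA_LOCAL"}  # partition with Device Group = None


def connected_networks(self_ips):
    """Networks a device reaches directly: the 'implied route' of each self IP."""
    return [ip_interface(s).network for s in self_ips]


def validate_route(self_ips, route):
    """Model of the two load-time checks behind the errors quoted in the thread.

    Returns a list of (error_code, message); an empty list means the route loads.
    Unlike the real loader, which stops at the first failure, this reports every
    failing check so the cause is visible at a glance.
    """
    connected = connected_networks(self_ips)
    net = ip_network(route["network"])
    gw = ip_address(route["gw"])
    errors = []
    if net in connected:  # exact match with a self IP's own subnet
        errors.append(("01070666",
                       f"Static route duplicates Self IP {net.network_address} / {net.netmask} implied route"))
    if not any(gw in c for c in connected):
        errors.append(("01070330",
                       f"Static route gateway {gw} is not directly connected via an interface"))
    return errors


def config_sync(devices, routes):
    """Simulate a sync-failover device-group sync.

    Routes in a synced partition (here /Common) are copied to every device; routes
    in a partition whose Device Group is None stay only on the device that owns
    them. Returns {device_name: [errors]} as each device validates its table.
    """
    synced = [r for r in routes if r["partition"] not in LOCAL_ONLY_PARTITIONS]
    report = {}
    for dev in devices:
        local = [r for r in routes
                 if r["partition"] in LOCAL_ONLY_PARTITIONS and r["owner"] == dev["name"]]
        errors = []
        for r in synced + local:
            errors.extend(validate_route(dev["self_ips"], r))
        report[dev["name"]] = errors
    return report


def scenario_subnet_routes_in_common():
    """First attempt: each unit routes the peer's whole HA /29 via its local gateway,
    in /Common, so the route is synced to the peer as well."""
    routes = [
        {"owner": "F5-1", "partition": "Common", "network": "172.16.73.8/29", "gw": "172.16.73.1"},
        {"owner": "F5-2", "partition": "Common", "network": "172.16.73.0/29", "gw": "172.16.73.9"},
    ]
    return config_sync(DEVICES, routes)


def scenario_host_routes_in_common():
    """Second attempt: host routes to the peer self IP only, still in /Common."""
    routes = [
        {"owner": "F5-1", "partition": "Common", "network": "172.16.73.11/32", "gw": "172.16.73.1"},
        {"owner": "F5-2", "partition": "Common", "network": "172.16.73.3/32", "gw": "172.16.73.9"},
    ]
    return config_sync(DEVICES, routes)


def scenario_routes_in_local_partition():
    """The partition fix: the same host routes, but in a partition with Device Group None."""
    routes = [
        {"owner": "F5-1", "partition": "HA_LOCAL", "network": "172.16.73.11/32", "gw": "172.16.73.1"},
        {"owner": "F5-2", "partition": "HA_LOCAL", "network": "172.16.73.3/32", "gw": "172.16.73.9"},
    ]
    return config_sync(DEVICES, routes)


if __name__ == "__main__":
    for scenario in (scenario_subnet_routes_in_common,
                     scenario_host_routes_in_common,
                     scenario_routes_in_local_partition):
        print(f"== {scenario.__name__}")
        for device, errors in scenario().items():
            print(f"  {device}: {'OK' if not errors else ''}")
            for code, msg in errors:
                print(f"    {code}:3: {msg}")
```

Running it shows why neither /Common variant can ever load on both units: a route that is valid on the unit that created it is, after sync, either a duplicate of the peer's own connected subnet or points at a gateway the peer has no self IP on. With the routes in the local-only partition, each unit validates only its own route and the sync is clean.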
Ilyas, thank you for this - I had the same issue, and switching the user local partition's device group to None resolved it; I am able to run config sync.
If anyone has the same issue, my software version is 22.214.171.124 and it is AWS VE version.
Well, 3 years in networking is not that long; we still use 30-year-old protocols.
I did have this problem recently, but fixed it in another way that did not need to have route conflicts.
Anyway, thanks for sharing this.