Two LTM working in active/passive. Getting weird log on passive LTM

Question

I am using only 2 vlans, 171 external and 169 internal. Vlan group is configured for these both vlans. Its been a year recently i am getting these logs on passive LTM continuously. 
  Mar 19 02:16:01 www notice tmm4[12647]: 01230114:5: port movement detected for 02:23:e9:87:b6:c3, vlan /Common/External_vlan_171 none to vlan /Common/External_vlan_171 none
 Mar 19 02:16:01 www notice tmm4[12647]: 01230114:5: port movement detected for 02:23:e9:87:b6:c3, vlan /Common/Internal_vlan_169 none to vlan /Common/Internal_vlan_169 none

Both are connected directly through dedicated HA vlan but this mac is not of those ports. This mac address is of niether LTM Nor cisco switch interfaces. But in cisco switch arp mac-table this mac address was learned through the interface connected with active LTM. So Passive LTM through cisco switch is learning something from active LTM. What does this log means and is it serious?
Here is the mac of cisco switch
 * 169      0223.e987.b6c3    dynamic   10         F    F  Eth1/28

muhammad_irfan1 · Answer

please anyone

stephanmanthey · Answer

Hi Muhammad,&nbsp;
F5 is using two vendor MAC ranges (legacy products on 00:01:d7 and current product generation on 00:23:e9).&nbsp;
Replacing the 2nd bit to be send, i.e. by changing the MAC address to start with "02" (with ethernet the least significant bit will be send first) as with 02:23:e9 indicates as self administered MAC address. VLAN group configurations are automatically using this type of MAC addresses.&nbsp;
The shown MAC address is an address hold on the active BIG-IP and learned by the Cisco switch.&nbsp;
Personally I´ve never been a fan of using VLAN groups as they are hard to troubleshoot, not used often in the field and it´s easy to run in loop issues.&nbsp;
If you do not notice high throughput spikes simultaneously to the log messages I won´t be concerned and would assume they are caused by G-ARPs or ARP replies sent by the active unit.&nbsp;
I just noticed your other post on this subject 4 month ago and recommend to open a support case.&nbsp;
Thanks, Stephan&nbsp;

nitass · Answer

have you configured vlan group proxy exclusion list and disabled bridge in standby option?&nbsp;
sol11812: Failure to specify non-floating self IP addresses in the VLAN group Proxy Exclusion List may cause misdirected monitor traffic&nbsp;
https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11812.html&nbsp;
sol8248: The Bridge in Standby option is enabled by default in a VLAN group&nbsp;
https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8248&nbsp;

nitass_89166 · Answer

have you configured vlan group proxy exclusion list and disabled bridge in standby option?&nbsp;
sol11812: Failure to specify non-floating self IP addresses in the VLAN group Proxy Exclusion List may cause misdirected monitor traffic&nbsp;
https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11812.html&nbsp;
sol8248: The Bridge in Standby option is enabled by default in a VLAN group&nbsp;
https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8248&nbsp;

muhammad_irfan1 · Answer

Proxy exclusion is configured thanks you, you pointed me towards that few months back. But i will check bridge mode tomorrow and if it was enabled then i will disable it.

Forum Discussion

Two LTM working in active/passive. Getting weird log on passive LTM

7 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Especial Load Balancing Active-Passive Scenario (II)

Getting Started

Getting Started with BIG-IP Next: Fundamentals

Getting Started with iControl: Working with Statistics

Get Started with WAAP Security Incidents