BigIP F5 LTM - High Availability / DSC (v11.x) Written on 29 July 2014. Posted in F5 BIG-IP (/Loadbalancers/F5-BIG-IP/)
One of the new features within v11.x of the Traffic Management Operating System (TMOS) is Device Service Clustering (DSC). Over the previous HA (High Availability) features within v10.x, i.e. active-standby, connection mirroring etc., DSC also provides the ability to perform multi-node clustering, Active-Active (and Active-Standby) setups, and greater granularity over which data is synchronized.
SCOPE
Within this article we will explain the key components of DSC, the configuration steps and also the main commands used to troubleshoot problems.
COMPONENTS
DSC is built upon 5 main components. They are:
Devices - Represents either a physical or virtual instance of a BigIP system.
Device Groups - A group of devices that synchronize and (based on the device group type) also fail over their configuration. There are 2 types of device groups:
Sync-Failover - Both the configuration data and the failover objects are synchronized; utilizes traffic groups (i.e. failover objects).
Sync-Only - Only the configuration data is synchronized.
Traffic Groups - A collection of failover objects (i.e. virtual server, self IP) that runs on one of the devices within the (Sync-Failover) Device Group. Should the device become unavailable, the failover objects are then served by the other device within the Device Group.
Device Trust - Represents a trust relationship between devices, also known as a trust domain. This is achieved via certificate based authentication. Device Trust is a prerequisite for both device groups and traffic groups. Note : The initial trust of each device is performed over the management interface.
Folders - Folders contain configuration objects for the partition in which they reside. This provides greater granularity over which configuration you decide to synchronize between devices. Both the default and the top level folder is root.
Note : Each of these items can be located via the GUI under 'Device Management'.
SYNCHRONIZATION
Unlike v10.x and below, TMOS v11 now uses rsync internally to perform synchronization between devices. Also, unlike v10 which used TCP/443 for synchronizing data, v11 uses TCP/4353. Below are the available options and also the ways in which you can issue a synchronization.
OPTIONS
The various options for synchronization can be found under 'Device Groups' and 'Devices'.
DEVICE GROUPS
Automatic Sync (via Properties) - Automatically synchronize objects between devices based on the modified time. The most recently modified object is synchronized to the other device. Because the modified time is used as the trigger, NTP (i.e. time synchronization) must be configured.
Full Sync (via Properties) - Rather than only synchronizing the configuration objects that have been modified, the whole configuration is synchronized.
Network Failover (via Failover) - Determines whether a network probe is sent between the devices to ensure neighbor status. This is used instead of cable based failover*.
* As cable based failover mandates that only 1 device can ever be active, cable based failover doesn't support an Active-Active based setup (i.e. more than 2 traffic groups).
DEVICES
Config Sync (via Device Connectivity) - Defines which interface is used for synchronization. It is recommended by F5 that this is a dedicated link.
Failover (via Device Connectivity) - Defines which port is used for the network failover probes.
Mirroring (via Device Connectivity) - Defines which interfaces are used for mirroring. It is recommended that a secondary address is also configured to provide redundancy should the primary fail.
ISSUING A SYNC
Manual DSC synchronization can be performed via either the command line or the WebUI. To perform a manual synchronization within the WebUI go to 'Device Management / Overview'. From this screen you will be presented with an overview of the synchronization state across your devices and device groups. You will also see the following options:
Sync Device to Group - Synchronizes any objects that have been recently modified to the other devices within the device group.
Sync Group to Device - Synchronizes any objects that have been recently modified from the devices within the group.
Overwrite Configuration - When performing the above action(s), synchronize the configuration regardless of when it has been modified.
DEPLOYMENT MODES There are 2 main types of deployment modes with DSC, Active-Standby and Active-Active.
ACTIVE-STANDBY
With an Active-Standby based deployment traffic is only processed by a single device. This is achieved via a single traffic group, which all failover objects (virtual servers, self IPs etc.) reside within. This traffic group is then active on one of the nodes. Should this node fail its HA checks, the traffic group will be marked as standby and the traffic group on the other node promoted to active.
ACTIVE-ACTIVE
With an Active-Active based deployment traffic is processed by both devices. This is achieved via 2 Traffic Groups; (based on the example below) one Traffic Group is placed as active on Node 1 and the other as active on Node 2. Your failover objects are then assigned to either of the traffic groups, i.e. Virtual Server A in Traffic Group 1 and Virtual Server B in Traffic Group 2. This results in Node 1 processing traffic for Virtual Server A, and Node 2 processing traffic for Virtual Server B.
Note : It is important to ensure that both nodes are running under 50% capacity. This ensures that if either of the devices fails, at the point all traffic is processed by the single node, that device's capacity is not reached.
CONFIGURATION
The first step in configuring DSC is to configure a Trust Domain. Then we configure the traffic groups for either an active-active or active-standby deployment.
DEVICE TRUST
1. Goto 'Device Management' / 'Device Trust' / 'Peer List'.
2. Click 'Add'.
3. Enter the IP and credentials of the peer device.
4. Click 'Retrieve Device Information'.
DEVICE GROUP
1. Goto 'Device Management' / 'Device Groups'.
2. Click 'Create'.
3. Enter a name, select 'Sync-Failover' as the 'Group Type', and then add all devices to the 'Included' list.
4. Enable 'Network Failover'.
SYNCHRONIZE
1. Goto 'Device Management' / 'Overview'.
2. Click 'Sync Device to Group'.
3. Click 'Sync'.
4. Wait for the Sync Status of both devices to turn green.
Note : To configure the IP used for ConfigSync and Mirroring, along with the IP, VLAN and Port for Network Failover, go to 'Device Management' / 'Devices' / '' / 'Device Connectivity'.
ACTIVE-STANDBY
Once the trust domain is configured the floating IP for each VLAN needs to be configured.
ASSIGN TRAFFIC GROUP 1
1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group1-floating'.
In this example we will only be using a single Traffic Group; because of this any virtual servers that are created will be placed into the default (single) traffic group.
Note : Should you require MAC Masquerading, a single traffic group can still be used. However this will result in the same MAC address being used for all Self IPs within the traffic group, which may complicate future troubleshooting.
ACTIVE-ACTIVE
Once the trust domain is configured the floating IP for each VLAN needs to be configured. Once done, an additional traffic group is also created.
ASSIGN TRAFFIC GROUP 1
1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group1-floating'.
CREATE TRAFFIC GROUP 2
1. Goto 'Device Management' / 'Traffic Groups'.
2. Create a new Traffic Group called 'traffic-group-2' using all the default settings.
DEMOTE TRAFFIC GROUP 2
1. Select 'traffic-group-2' from the list and select 'Force to Standby'. The traffic group list will now show your current device running 1 traffic group as active and 1 traffic group as standby.
ASSIGN TRAFFIC GROUP 2
1. Via 'Local Traffic / Virtual Servers / Virtual Address List' select the Virtual Server that you want to assign to 'traffic-group-2'.
2. Via 'Local Traffic / Virtual Servers / Virtual Server List' select your Virtual Server. Within the traffic group section select 'traffic-group-2'.
ENABLE SNAT
1. Under 'Source Address Translation' select Automap*.
Once complete the default traffic-group will be active on one node and traffic-group-2 will be active on the other node.
* As the Self IP is assigned to traffic-group-1, without Automap the traffic would be sent through the wrong device.
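The same Active-Active build-out done from the command line, as an added example that is not part of the original article. The commands are standard BIG-IP v11 tmsh (run from the BIG-IP bash shell); every hostname, VLAN name, address, device group name and virtual server name is an assumed lab value, and the peer's admin credential is a placeholder. The order follows the GUI sections above, except that traffic-group-2 is forced to standby after the first sync, once the peer actually has the traffic group and can take it over.

```tmsh
# Added example, not from the article. Assumed lab values throughout:
#   devices  bigip1.example.com (this node) / bigip2.example.com (peer, management IP 10.0.0.2)
#   VLANs    ha (10.0.3.0/24, dedicated sync/failover/mirror link), internal (10.1.1.0/24), external (10.2.2.0/24)
#   objects  device group dg-ltm, virtual server vs_b on virtual address 10.2.2.101
# Run as root from the BIG-IP bash shell. Repeat the "both devices" part on bigip2 with its own addresses.

### Both devices: Device Connectivity (ConfigSync, Network Failover, Mirroring)
# non-floating self IP on the dedicated HA VLAN; the DSC ports are permitted whatever the port lockdown setting
tmsh create net self 10.0.3.1 address 10.0.3.1/24 vlan ha traffic-group traffic-group-local-only allow-service none
tmsh modify cm device bigip1.example.com configsync-ip 10.0.3.1
tmsh modify cm device bigip1.example.com unicast-address { { effective-ip 10.0.3.1 effective-port 1026 ip 10.0.3.1 port 1026 } }
# secondary mirror address on the internal self IP keeps mirroring up if the HA link fails
tmsh modify cm device bigip1.example.com mirror-ip 10.0.3.1 mirror-secondary-ip 10.1.1.1

### Node 1 only: Device Trust (the initial trust is established over the management interface)
tmsh modify cm trust-domain Root ca-devices add { 10.0.0.2 } name bigip2.example.com username admin password 'PEER-ADMIN-PASSWORD'

### Node 1 only: Sync-Failover device group with Network Failover enabled
tmsh create cm device-group dg-ltm devices add { bigip1.example.com bigip2.example.com } type sync-failover network-failover enabled

### Node 1 only: Assign Traffic Group 1 - floating self IPs on the internal and external VLANs
tmsh create net self 10.1.1.10 address 10.1.1.10/24 vlan internal traffic-group traffic-group-1 allow-service none
tmsh create net self 10.2.2.10 address 10.2.2.10/24 vlan external traffic-group traffic-group-1 allow-service none

### Node 1 only: Create Traffic Group 2 and move one virtual server into it
tmsh create cm traffic-group traffic-group-2
# the traffic group is a property of the virtual address, not of the virtual server itself
tmsh modify ltm virtual-address 10.2.2.101 traffic-group traffic-group-2
# SNAT automap: the floating self IPs live in traffic-group-1, so without it vs_b's return traffic would go through the wrong device
tmsh modify ltm virtual vs_b source-address-translation { type automap }

### Node 1 only: save, initial sync (Sync Device to Group), then hand traffic-group-2 to the peer
tmsh save sys config
tmsh run cm config-sync to-group dg-ltm
tmsh run sys failover standby traffic-group traffic-group-2

### Verify on either node: one traffic group active per node, device group In Sync
tmsh show cm traffic-group
tmsh show cm sync-status
```

The first block has to be applied on each device with that device's own addresses before the trust is built, because the peer's ConfigSync and failover addresses are what the device group will use once the trust exists; everything after it is entered on one node and reaches the other through the config-sync at the end.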
VE ISSUES
When configuring DSC on Virtual LTMs (when using the steps above) you may find that both sides show as disconnected. I have only found this in the lab for VE devices on both v11.4 and v11.5. To resolve this you will need to change each of the devices' certificates to a self-signed certificate and also perform the steps in a slightly different order.
STEPS
Below is a summary of the required steps.
1. Generate new self-signed cert for each device - Goto 'Device Management' / 'Device Trust' / 'Local Domain'. Select "Generate New Self-Sign Authority".
2. Create Sync Interface - Create a new VLAN that will be used for synchronization, mirroring, and network failover on both devices.
3. Configure ConfigSync/Mirroring - Configure the interfaces that will be used for mirroring, config sync and network failover on both devices.
4. Configure Device Group - Create a Sync-Failover device group on Node 1 and only add the local device. Enable Network Failover.
5. Configure Trust - On Node 1 configure the Trust Domain.
6. Update Device Group - On Node 1 add the remote peer to the device group.
7. Traffic Group Assignment - Assign the traffic groups accordingly.
8. Synchronize - On Node 1 perform an initial synchronization via 'Sync Device to Group' in 'Device Management' / 'Overview'.
TROUBLESHOOTING CHECKS
If you are facing issues with your HA setup, the following should be checked:
NTP is working correctly.
Check connectivity between peer addresses.
Check Self IPs used as peer addresses reside in route domain 0.
Ensure the following protocols/ports are permitted between nodes. Note : No matter which Port Lockdown setting is used, these ports are permitted.
UDP/1026 (network failover)
TCP/1028 (connection & persistence mirroring)
TCP/4353 (CMI – peer communication)
Reset and rebuild your Trust Domain.
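Command-line equivalents of the checks above, as an added example that is not part of the original article. Assumed values: the HA VLAN is called 'ha' and the peer's ConfigSync/failover address is 10.0.3.2; ntpq, ping and tcpdump are the standard Linux tools available from the BIG-IP bash shell, the rest is tmsh.

```tmsh
# Added example, not from the article. Assumed: HA VLAN 'ha', peer ConfigSync/failover address 10.0.3.2.
# Run as root from the BIG-IP bash shell on the node that shows the problem.

# 1. NTP: servers configured and one of them selected ('*' in the ntpq output). Automatic sync picks the
#    most recently modified copy of an object, so a skewed clock lets an older change overwrite a newer one.
tmsh list sys ntp servers
ntpq -np

# 2. Connectivity to the peer's ConfigSync / failover address over the HA VLAN
ping -c 3 10.0.3.2

# 3. Peer addresses must be self IPs in route domain 0: no %<id> suffix on the address
tmsh list net self
tmsh list cm device

# 4. DSC traffic actually arriving: failover heartbeats (udp/1026), mirroring (tcp/1028), CMI (tcp/4353).
#    Packets seen in only one direction point at a path or ACL problem between the nodes.
tcpdump -ni ha 'udp port 1026 or tcp port 1028 or tcp port 4353'

# 5. Sync and failover state as this node sees it
tmsh show cm sync-status
tmsh show cm failover-status
tmsh list cm device-group

# 6. Last resort: reset the trust domain on every node, then re-add the peer from one node
tmsh delete cm trust-domain all
```

Work down the list in order: a trust reset (step 6) removes the device group membership as well, so it is only worth doing once time, reachability and the three ports have been confirmed.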
COMMANDS
tmsh run /cm sniff-updates
tmsh run /cm config-sync
tmsh run /cm watch-devicegroup-device
tmsh run /cm watch-sys-device
tmsh run /cm watch-trafficgroup-device
tmsh show /cm traffic-group
tmsh show /cm sync-status
REFERENCES
http://.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html
Tarun Singh • 2 years ago
I am still not able to configure HA on VE. Both VEs get disconnected as soon as I add a peer to the trust domain. I am using version 11.3 and I followed the steps provided by you for VE. Please help me create HA for VE and troubleshoot it. Thanks, Tarun
Dinesh Kumar > Tarun Singh • 2 years ago
Dear,
There is a bug in VE but in a real scenario it's working perfectly.
Felix001 > Tarun Singh • 2 years ago
Can you ensure both units are using 2048-bit keys? If not, recreate via CLI and ensure there are no 1024-bit keys in use. If this is still presenting an issue, reset both boxes back to default.
guest1234 • 2 years ago
Hello, what if the peer VLAN has gone down and both F5 boxes are in standby mode? Is there any workaround for the F5 HA feature so that when the pool is not reachable for both devices, the 2 boxes do not enter standby mode?
Felix001 > guest1234 • 2 years ago
Try HA groups.
guest123 • 2 years ago
Hi, can we configure high availability between a hardware and a VM BigIP LTM? Thank you.
Felix001 > guest123 • 2 years ago
Yep, as long as the software versions are the same you'll be fine.
guest123 > Felix001 • 2 years ago
Thank you for your reply. Can I use any BigIP Virtual Edition with any BigIP hardware box?
cnoyes72 • 3 years ago
I get "This device is not found" when trying to add the peer unit's management IP to the peer list. From the CLI I can ping it so I'm not sure what the problem could be.
Vijay • 3 years ago
Thanks... good to watch about F5.. I am just a beginner.
stfu • 3 years ago
Early in the article the port for syncing data is not correct - should be 4353.
Felix001 > stfu • 3 years ago
Great. Thanks for letting me know. This has been updated.
Tags: BIG-IP F5 (/tag/19-big-ip-f5.html), DSC (/tag/79-dsc.html)