Forum Discussion

Chandru_14793
Jan 25, 2011

F5 High Availability

Hi,

Currently we have F5 unit 1 in active mode and unit 2 in standby mode.

We have seen that when the active unit fails and the standby unit becomes active, and then the active unit comes back online, we see some outage. I believe it is due to STP.

We currently have the Redundancy State Preference set to Active on unit 1 and Standby on unit 2. We also have an STP instance (instance 0) running on the F5s.

We are using network-based failover.

How can we avoid the outages when the active unit (unit 1) comes back online?

Chandru

  • I wouldn't expect this to be a spanning tree issue. It sounds a lot more like an ARP problem that can be remedied by MAC Masquerading. When the active unit comes back and you have an outage, check the logs on the standby unit and see if you're rejecting traffic. Also, check ARP tables on your switches and see whose MAC the Virtual Server IPs are mapped to. When I had similar problems, the active unit didn't send out gratuitous ARPs to let everyone know it was again the primary. If it doesn't realize it failed over, it won't necessarily do that.

    https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7214.html
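    As an added illustration of the ARP check suggested above (example code written for this page, not from the thread or from F5): a small Python script that parses a constructed Cisco-style `show ip arp` snapshot and lists the VIPs whose cached MAC is not the one the currently active unit answers from. All addresses and MACs below are made up. It also shows why MAC masquerading (sol7214) avoids the problem: when a masquerade MAC is configured, the expected MAC is the same shared address no matter which unit is active, so entries cached while the standby was active stay valid after failback.

```python
import re

# Constructed sample of Cisco "show ip arp" output (not taken from the thread).
# 10.0.0.50/51 are the units' own self IPs; 10.0.0.100-102 are virtual servers.
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0000.0c07.ac01  ARPA   Vlan10
Internet  10.0.0.50               3   0001.d7aa.aa01  ARPA   Vlan10
Internet  10.0.0.51               4   0001.d7bb.bb02  ARPA   Vlan10
Internet  10.0.0.100             12   0001.d7bb.bb02  ARPA   Vlan10
Internet  10.0.0.101             12   0001.d7bb.bb02  ARPA   Vlan10
Internet  10.0.0.102              1   0001.d7aa.aa01  ARPA   Vlan10
"""

UNIT1_MAC = "0001.d7aa.aa01"   # hypothetical: unit 1 interface MAC
UNIT2_MAC = "0001.d7bb.bb02"   # hypothetical: unit 2 interface MAC
MASQ_MAC = "0201.d7ff.ff01"    # hypothetical: shared MAC masquerade address
VIPS = ["10.0.0.100", "10.0.0.101", "10.0.0.102"]

# One ARP row: Internet <ip> <age> <hhhh.hhhh.hhhh> <type> <interface>
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} from Cisco-style 'show ip arp' output (MACs lowercased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, _age, mac, _type, _iface = m.groups()
            table[ip] = mac.lower()
    return table


def expected_vip_mac(active_unit_mac, masquerade_mac=None):
    """MAC the VIPs should resolve to: the masquerade MAC if one is configured
    (it floats with the active role), otherwise the active unit's own MAC."""
    return (masquerade_mac or active_unit_mac).lower()


def stale_vip_entries(arp_text, vips, active_unit_mac, masquerade_mac=None):
    """List (vip, cached_mac) for VIPs whose ARP entry does not point at the
    MAC the currently active unit answers from. After a failback with no
    gratuitous ARP, these are the addresses clients cannot reach until the
    entry ages out or is cleared. cached_mac is None when no entry exists."""
    table = parse_arp_table(arp_text)
    want = expected_vip_mac(active_unit_mac, masquerade_mac)
    stale = []
    for vip in vips:
        mac = table.get(vip)
        if mac != want:
            stale.append((vip, mac))
    return stale


if __name__ == "__main__":
    # Scenario from the thread: unit 1 is active again after failback, but the
    # switch still maps two VIPs to unit 2's MAC because no gratuitous ARP was seen.
    for vip, mac in stale_vip_entries(SAMPLE_ARP_TABLE, VIPS, UNIT1_MAC):
        print(f"{vip}: cached {mac}, expected {UNIT1_MAC} (stale until GARP/clear)")
```

    Run against real `show ip arp` output pasted into a file, the same function gives the list of VIPs to clear or to watch for gratuitous ARPs after a failback; with `masquerade_mac` set, the check expects the shared MAC instead of the unit's own.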
  • I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and was working fine, it shouldn't be an ARP problem, as the formerly active unit will (should) not be responding to the virtual ARP requests. It could be an STP problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using VLAN groups. And if not, there's no reason to have STP enabled.
  • Posted By Jason Rahm on 01/26/2011 03:58 AM

    I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and was working fine, it shouldn't be an ARP problem, as the formerly active unit will (should) not be responding to the virtual ARP requests. It could be an STP problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using VLAN groups. And if not, there's no reason to have STP enabled.

    He's using preferred redundancy state though. If the active unit comes back, the standby unit will return to standby and is not going to answer any requests.
  • Hi Chris and Jason, thanks for your response.

    In our case we have trunked the F5 ports on our Cisco switches, but we haven't enabled Spanning Tree PortFast on the switch ports, and the F5 is currently running a spanning tree instance.

    I heard about this issue from my predecessor, so I am unable to check the logs to find out if this triggered STP.

    Probably we should enable Spanning Tree PortFast on the Cisco switches to prevent this.

    Also, I have seen the ARP issue in another environment. I had forced unit 1 to standby and unit 2 took over; when I pushed unit 2 back to standby, unit 1 became active but clients were not able to reach our VIPs from outside, and we had to clear ARP on our firewall to fix the issue.

    I have a few other questions regarding Redundancy State Preference as well. I will ask them in a different thread.

    Thanks,

    Chandru

  • Posted By Chris Miller on 01/26/2011 06:56 AM

    Posted By Jason Rahm on 01/26/2011 03:58 AM

    I think he's saying that the active unit comes back online, not back as active. In this case, if the traffic had already been failed over to the other unit and was working fine, it shouldn't be an ARP problem, as the formerly active unit will (should) not be responding to the virtual ARP requests. It could be an STP problem, but only if you have the ports the LTM connects to configured as network ports instead of host ports. These should always be host ports unless you're using VLAN groups. And if not, there's no reason to have STP enabled.

    He's using preferred redundancy state though. If the active unit comes back, the standby unit will return to standby and is not going to answer any requests.

    Ah, missed that part. Carry on. Nothing to see here.

  • Posted By Chandru on 01/26/2011 09:11 AM

    Yes, LACP is enabled on both ends.

    Then I wouldn't expect any Spanning Tree issues, unless you saw a loop somewhere or you logged messages accordingly. Seems like an excellent example of why MAC Masquerading is a best practice and could/should be a default.