BigIP F5 LTM - High Availability / DSC (v11.x)
Written on 29 July 2014. Posted in F5 BIG-IP
ARTICLE INFO: Vendor BigIP F5; Platform LTM; Version 11.x

One of the new features within v11.x of the Traffic Management Operating System (TMOS) is Device Service Clustering (DSC). Over the previous HA (High Availability) features within v10.x, i.e. active-standby, connection mirroring etc., DSC also provides the ability to perform:
- multi-node clustering,
- Active-Active (and Active-Standby) setup,
- greater granularity over which data is synchronized.

SCOPE
Within this article we will explain the key components of DSC, the configuration steps and also the main commands used to troubleshoot problems.

COMPONENTS
DSC is built upon 5 main components. They are:


- Devices - Represents either a physical or virtual instance of a BigIP system.
- Device Groups - A group of devices that synchronize and (based on the device group type) also fail over their configuration. There are 2 types of device groups:
  - Sync-Failover - Both the configuration data and the failover objects are synchronized; utilizes traffic groups (i.e. failover objects).
  - Sync-Only - Only the configuration data is synchronized.
- Traffic Groups - A collection of failover objects (i.e. virtual server, self IP) that runs on one of the devices within the (Sync-Failover) Device Group. Should the device become unavailable, the failover objects are then served by the other device within the Device Group.
- Device Trust - Represents a trust relationship between devices, also known as a trust domain. This is achieved via certificate-based authentication. Device Trust is a prerequisite for both device groups and traffic groups.
  Note: The initial trust of each device is performed over the management interface.
- Folders - Folders contain configuration objects for the partition in which they reside. This provides greater granularity over what configuration you decide to synchronize between devices. Both the default and the top-level folder is root.
Note: Each of these items can be located via the GUI under 'Device Management'.

SYNCHRONIZATION
Unlike v10.x and below, TMOS v11 now uses rsync internally to perform synchronization between devices. Also, unlike v10 which used tcp/443 for synchronizing data, v11 uses tcp/4353.
Below are the available options and also the ways in which you can issue a synchronization.

OPTIONS
The various options for synchronization can be found under 'Device Groups' and 'Devices'.
DEVICE GROUPS
- Automatic Sync (via Properties Panel) - Automatically synchronize objects between devices based on the modified time. The most recently modified object is synchronized to the other device. Because the modified time is used as the trigger, NTP (i.e. time synchronization) must be configured.
- Full Sync (via Properties Panel) - Rather than only synchronizing the configuration objects that have been modified, the whole configuration is synchronized.
- Network Failover (via Failover Panel) - Determines whether a network probe is sent between the devices to ensure neighbor status. This is used instead of cable-based failover*.
* As cable-based failover mandates that only 1 device can ever be active, cable-based failover doesn't support an Active-Active based setup (i.e. more than 2 traffic groups).
DEVICES
- Config Sync (via Device Connectivity) - Defines which interface is used for synchronization. It is recommended by F5 that this is a dedicated link.
- Failover (via Device Connectivity) - Defines which port is used for the network failover probes.
- Mirroring (via Device Connectivity) - Defines which interfaces are used for mirroring. It is recommended that a secondary address is also configured to provide redundancy should the primary fail.

ISSUING A SYNC
Manual DSC synchronization can be performed via either the command line or the WebUI. To perform a manual synchronization within the WebUI go to 'Device Management / Overview'. From this screen you will be presented with an overview of the synchronization state across your devices and device groups.
You will also see the following options:
- Sync Device to Group - Synchronizes any objects that have been recently modified to the other devices within the device group.
- Sync Group to Device - Synchronizes any objects that have been recently modified from the devices within the group.
- Overwrite Configuration - When performing the above action(s), synchronize the configuration regardless of when it was modified.

DEPLOYMENT MODES
There are 2 main types of deployment modes with DSC, Active-Standby
and Active-Active.

ACTIVE-STANDBY
With an Active-Standby based deployment traffic is only processed by a single device. This is achieved via a single traffic group, in which all failover objects (virtual servers, self IPs etc.) reside. This traffic group is then active on one of the nodes. Should this node fail its HA checks, the traffic group will be marked as standby and the traffic group on the other node promoted to active.


ACTIVE-ACTIVE
With an Active-Active based deployment traffic is processed by both devices. This is achieved via 2 Traffic Groups; (based on the example below) one Traffic Group is placed as active on Node 1 and the other as active on Node 2. Your failover objects are then assigned to either of the traffic groups, i.e. Virtual Server A in Traffic Group 1 and Virtual Server B in Traffic Group 2.
This results in Node 1 processing traffic for Virtual Server A, and Node 2 processing traffic for Virtual Server B.
Note: It is important to ensure that both nodes are running under 50% capacity. This ensures that if either of the devices fails, at the point where all traffic is processed by the single node, that device's capacity is not reached.

CONFIGURATION
The first step in configuring DSC is to configure a Trust Domain. Then we configure the traffic groups for either an active-active or active-standby deployment.
DEVICE TRUST
1. Goto 'Device Management' / 'Device Trust' / 'Peer List'.
2. Click 'Add'.
3. Enter the IP and credentials of the peer device.
4. Click 'Retrieve Device Information'.
DEVICE GROUP
1. Goto 'Device Management' / 'Device Groups'.
2. Click 'Create'.
3. Enter a name, select 'Sync-Failover' as the 'Group Type', and then add all devices to the 'Included' members list.
4. Enable 'Network Failover'.
SYNCHRONIZE
1. Goto 'Device Management' / 'Overview'.
2. Click 'Sync Device to Group'.
3. Click 'Sync'.
4. Wait for the Sync Status of both devices to turn green.
Note: To configure the IP used for ConfigSync and Mirroring, along with the IP, VLAN and Port for Network Failover, go to 'Device Management' / 'Devices' / '<DEVICE NAME>' / 'Device Connectivity'.

ACTIVE-STANDBY
Once the trust domain is configured the floating IP for each VLAN needs to be configured.
ASSIGN TRAFFIC GROUP 1
1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group-1 (floating)'.
In this example we will only be using a single Traffic Group; because of this any virtual servers that are created will be placed into the default (single) traffic group.
Note: Should you require MAC Masquerading, a single traffic group can still be used. However this will result in the same MAC address being advertised for all Self IPs within the traffic group, which may complicate future troubleshooting.

ACTIVE-ACTIVE
Once the trust domain is configured the floating IP for each VLAN needs to be configured. Once done, an additional traffic group is also created.
ASSIGN TRAFFIC GROUP 1
1. Goto 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created configure the 'Traffic Group' as 'traffic-group-1 (floating)'.
CREATE TRAFFIC GROUP 2
1. Goto 'Device Management' / 'Traffic Groups'.
2. Create a new Traffic Group called 'traffic-group-2' using all the default settings.
DEMOTE TRAFFIC GROUP 2
1. Select 'traffic-group-2' from the list and select 'Force to Standby'.
The traffic group list will now show your current device running 1 traffic group as active and 1 traffic group as standby.
ASSIGN TRAFFIC GROUP 2
1. Via 'Local Traffic / Virtual Servers / Virtual Address List' select the Virtual Server that you want to assign to 'traffic-group-2'.
2. Via 'Local Traffic / Virtual Servers / Virtual Server List' select your Virtual Server. Within the traffic group section select 'traffic-group-2'.
ENABLE SNAT
1. Under 'Source Address Translation' select Automap*.
Once complete the default traffic group will be active on one node and traffic-group-2 will be active on the other node.
* As the Self IP is assigned to traffic-group-1, without Automap the traffic would be sent through the wrong device.

VE ISSUES
When configuring DSC on Virtual LTMs (when using the steps above) you may find that both sides show as disconnected. I have only found this in the lab for VE devices on both v11.4 and v11.5.
To resolve this you will need to change each of the devices' certificates to a self-signed certificate and also perform the steps in a slightly different order.

STEPS
Below provides a summary of the required steps.
1. Generate new self-signed cert for each device - Goto Device Management / Device Trust / Local Domain. Select Generate New Self-Sign Authority.
2. Create Sync Interface - Create a new VLAN that will be used for synchronization, mirroring, and network failover on both devices.
3. Configure ConfigSync/Mirroring - Configure the interfaces that will be used for mirroring, config sync and network failover on both devices.
4. Configure Device Group - Create a Sync-Failover device group on Node 1 and only add the local device. Enable Network Failover.
5. Configure Trust - On Node 1 configure the Trust Domain.
6. Update Device Group - On Node 1 add the remote peer to the device group.
7. Traffic Group Assignment - Assign the traffic groups accordingly.
8. Synchronize - On Node 1 perform an initial synchronization via Sync Device to Group in 'Device Management' / 'Overview'.

TROUBLESHOOTING
CHECKS
If you are facing issues with your HA setup, the following should be checked:
- Verify NTP is working correctly.
- Check connectivity between peer addresses.
- Check Self IPs used as peer addresses reside in route domain 0.
- Ensure the following protocols/ports are permitted between nodes.
  Note: No matter which Port Lockdown setting is used, these ports are permitted.
  - UDP/1026 (network failover)
  - TCP/1028 (connection & persistence mirroring)
  - TCP/4353 (CMI peer communication)
- Reset and rebuild your Trust Domain.

COMMANDS
tmsh run /cm sniff-updates
tmsh run /cm config-sync to-group <DEVICE GROUP>
tmsh run /cm watch-devicegroup-device
tmsh run /cm watch-sys-device
tmsh run /cm watch-trafficgroup-device
tmsh show /cm traffic-group
tmsh show /cm sync-status
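As an added example (not part of the original article or F5's own tooling), the check below parses the output of the two 'show' commands above and flags the states the troubleshooting section is about: a device group whose sync status is not green, and a traffic group that is active on no device (both nodes standby) or on more than one. The two sample outputs are constructed and only approximate the real tmsh layout; the field labels, column order and device names are assumptions.

```python
import re
# Constructed sample of 'tmsh show /cm sync-status' (layout assumed): changes are un-synced.
SYNC_STATUS = """\
CM::Sync Status
Color                    red
Status                   Changes Pending
Summary                  There is a possible change conflict between bigip1 and bigip2
"""

# Constructed sample of 'tmsh show /cm traffic-group' (layout assumed): traffic-group-2 is standby on both nodes.
TRAFFIC_GROUP = """\
CM::Traffic-Group
Name             Device   Status   Next Active  Previous Active
traffic-group-1  bigip1   active   false        false
traffic-group-1  bigip2   standby  true         false
traffic-group-2  bigip1   standby  true         false
traffic-group-2  bigip2   standby  false        false
"""

def parse_sync_status(text):
    # Pick out the labelled fields; header and Details lines are ignored.
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Color|Status|Mode|Summary)\s+(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def parse_traffic_groups(text):
    # Map each traffic group name to {device: status}, skipping header rows.
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("traffic-group"):
            groups.setdefault(parts[0], {})[parts[1]] = parts[2].lower()
    return groups

def dsc_health(sync_text, tg_text):
    # Conditions an operator would want to be alerted on.
    problems = []
    sync = parse_sync_status(sync_text)
    if sync.get("Color", "").lower() != "green":
        problems.append("config sync: " + sync.get("Status", "unknown"))
    for name, devices in parse_traffic_groups(tg_text).items():
        active = sorted(d for d, s in devices.items() if s == "active")
        if not active:
            problems.append(name + ": no active device (all standby)")
        elif len(active) > 1:
            problems.append(name + ": active on " + ", ".join(active))
    return problems
```

Feeding it real command output instead of the constructed samples turns it into a cron or monitoring check; an empty list means the device group is in sync and every traffic group has exactly one active owner.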

REFERENCES
http://support.f5.com/kb/enus/solutions/public/13000/900/sol13946.html
COMMENTS
guest1234

12 days ago

Hello,

What if the peer VLAN has gone down and both f5 boxes are in standby mode
feature that when the pool is not reachable for both devices, not to make the 2

Reply Share

guest123

22 days ago

hi can we configure high availability between a hardware and a VM bigip LTM ?

Reply Share

Rick Porter > guest123

22 days ago

Yep, as long as the software versions are the same you'll be fine.

Reply Share

guest123 > Rick Porter

thank you for your reply.. can i use any BigIP Virtual edition with


Reply Share

cnoyes72

3 months ago

I get "This device is not found" when trying to add the peer unit's management
ping it so I'm not sure what the problem could be.

Reply Share

Vijay

3 months ago

Thanks...good to watch about F5.. I am just a beginner

Reply Share

stfu

3 months ago

Early in the article the port for syncing data is not correct - should be 4353.

Reply Share

Rick Porter > stfu

3 months ago

Great. Thanks for letting me know. This has been updated.

Reply Share

ABOUT THE AUTHOR
R DONATO
Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Network Security engineer and has a keen interest in automation and the cloud.
You can find Ricky on Twitter @f3lix001
