VLAN failover (failsafe) did not occur on vCMP Guest

I'm running 12.1.1. I have a single vCMP Guest (on two vCMP Hosts) in a common Sync-Failover Device Group and have "failsafe enabled".

vCMP Host:

user_me@(my_host)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /net vlan DMZ_TRA_SVCEXT
net vlan DMZ_TRA_SVCEXT {
    if-index 672
    interfaces {
        trunk-guest-1 {
            tag-mode service
            tagged
        }
    }
    tag 2400
}
user_me@(my_host)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /net trunk trunk-guest-1
net trunk trunk-guest-1 {
:
    interfaces {
        2.1
        2.2
    }
    lacp enabled
    lacp-mode passive
:
}
user_me@(my_host)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /vcmp guest 
vcmp guest guest-tse {
:
    hostname my_guest.net
    vlans {
        DMZ_TRA_SVCEXT
:    
   }
}

vCMP Guest:

user_me@(my_guest)(cfg-sync In Sync)(Active)(/Common)(tmos)# list /net vlan DMZ_TRA_SVCEXT 
net vlan DMZ_TRA_SVCEXT {
    failsafe enabled
    if-index 96
    tag 2400
}

To test VLAN failsafe, on one vCMP Host, I administratively disabled all traffic interfaces:

modify /net interface 2.2 disabled
modify /net interface 2.2 disabled

However, the expected failover did not occur after 90s. Any idea why?

0
Comments on this Discussion
Comment made 27-Nov-2016 by epaalx 362

Can't edit...

Obviously, I meant

modify /net interface 2.1 disabled
modify /net interface 2.2 disabled
0
Comment made 28-Nov-2016 by fgf 280

Hello,

Can you show us what is your configuration under "System > High Availability > Fail-Safe > VLANs" ?

Did you check that there is traffic on the VLAN DMZ_TRA_SVCEXT ?

tcpdump -ni 0.0 /Partition/DMZ_TRA_SVCEXT -c 50

Regards,

0
Comment made 28-Nov-2016 by epaalx 362

Thanks for responding, fgf.

Can you show us what is your configuration under "System > High Availability > Fail-Safe > VLANs" ?

Here (bottom four) - as you can see, I have VLAN failsafe on two VLANs.

user_me@(my_guest)(cfg-sync In Sync)(Active)(/Common)(tmos)# show /sys ha-status all-properties 
--------------------------------------------------------------------------------------------------------------------------
Sys::HA Status    
Feature             Key                   Action                        Fail  Feature  Take  Client  Proc          Timeout
                                                                              Enabled  Act   Data                  (sec)
--------------------------------------------------------------------------------------------------------------------------
config-not-recvd    sod                   go-offline                    no    yes      no    0       sod           0
crypto-failsafe     cn-crypto-0           failover                      no    yes      no    0       tmm           0
crypto-failsafe     cn-crypto-1           failover                      no    yes      no    0       tmm1          0
daemon-heartbeat    bigd                  restart                       no    yes      no    33.2M   bigd          60
daemon-heartbeat    cbrd                  restart                       no    yes      no    604.7K  cbrd          30
daemon-heartbeat    guestagentd           restart                       no    no       no    121.0K  guestagentd   10
daemon-heartbeat    mcpd                  restart                       no    yes      no    259.4M  mcpd          300
daemon-heartbeat    scriptd               restart                       no    yes      no    604.7K  scriptd       60
daemon-heartbeat    snmpd                 restart                       no    yes      no    604.6K  snmpd         300
daemon-heartbeat    sod                   restart-all                   no    yes      no    6.1M    sod           60
daemon-heartbeat    tmm                   go-offline-downlinks-restart  no    yes      no    1.2M    tmm           0
daemon-heartbeat    tmm1                  go-offline-downlinks-restart  no    yes      no    1.2M    tmm1          0
daemon-heartbeat    tmrouted              restart                       no    no       no    0       tmrouted      30
daemon-heartbeat    vxland                restart                       no    no       no    120.9K  vxland        10
daemon-heartbeat    wccpd                 restart                       no    yes      no    604.5K  wccpd         60
forced-offline      sod                   none                          no    yes      no    0       sod           0
hardware-failover   sod                   go-active                     no    yes      no    0       sod           0
hypervisor-offline  chmand                go-offline                    no    yes      no    0       chmand        0
license-invalid     mcpd                  go-offline-downlinks          no    no       no    0       mcpd          0
nic-failsafe        tmm                   reboot                        no    yes      no    0       tmm           0
nic-failsafe        tmm1                  reboot                        no    yes      no    0       tmm1          0
overdog-ctrl        watchdog              none                          no    yes      no    0       mcpd          0
proc-run            bigd                  go-offline-downlinks          no    no       no    0       sod           10
proc-run            mcpd                  go-offline-downlinks          no    yes      no    0       sod           10
proc-run            named                 go-offline-downlinks          no    yes      no    0       runsm1_named  1
proc-run            tmm                   go-offline-downlinks          no    yes      no    0       sod           2
proc-run            tmrouted              failover                      no    no       no    0       sod           10
ready-for-world     tmm                   none                          no    yes      yes   27      tmm           0
ready-for-world     tmm1                  none                          no    yes      yes   15      tmm1          0
reboot-request      sod                   reboot                        no    yes      no    0       sod           0
software-update     lind                  reboot                        no    yes      no    0       lind          0
tmm-detect-fail     tmm                   failover                      no    yes      no    0       tmm           0
vlan-failsafe       DMZ_TRA_SVCEXT        failover-restart-tm           no    yes      no    0       tmm           90
vlan-failsafe       DMZ_TRA_SVCEXT        failover-restart-tm           no    yes      no    0       tmm1          90
vlan-failsafe       DMZ_TRA_SVCINT        failover-restart-tm           no    yes      no    0       tmm           90
vlan-failsafe       DMZ_TRA_SVCINT        failover-restart-tm           no    yes      no    0       tmm1          90

Note that during the time when 2.1 and 2.2 were set administratively down (beyond 90s) on vCMP Host, the "Fail" status did not change from "no" to "yes".

Did you check that there is traffic on the VLAN DMZ_TRA_SVCEXT ?

[user_me@my_guest:Active:In Sync] ~ # tcpdump -vv -i DMZ_TRA_SVCEXT
tcpdump: listening on DMZ_TRA_SVCEXT, link-type EN10MB (Ethernet), capture size 65535 bytes
10:13:09.886309 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.84.1.1 tell 10.84.1.9, length 35 out slot1/tmm0 lis=
:
10:13:27.504764 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f615:63ff:fe04:8804 > fe80::f615:63ff:fe04:8802: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f615:63ff:fe04:8802
          source link-address option (1), length 8 (1): f4:15:63:04:88:04
              0x0000:  f415 6304 8804 out slot1/tmm1 lis=
:

0
Comment made 28-Nov-2016 by epaalx 362

Notice, in above printout - vCMP Guest doesn't know that the VLAN's interface is down - it continues to send IPv4 ARP / IPv6 Neighbor Discovery packets, as per failsafe probing, although, it never receives any responses.

0
Comment made 02-Dec-2016 by fgf 280

Hi epaalx,

It seems that there isn't traffic on that VLAN.

  • Can you check that VLAN failsafe is configured also on the standby unit?

VLAN failsafe configuration is local to the BIG-IP system and is not a shared configuration that is synchronized between high-availability systems during ConfigSync operations. As a result, you must define VLAN failsafe on all BIG-IP units in a high-availability system.

  • Can you configure any monitor to generate traffic on that VLAN?

Unwanted VLAN failsafe events can occur if VLAN failsafe is enabled on a VLAN with no default gateway or pool members, and the VLAN contains only devices that do not respond to ARP requests, ICMPv6 neighbor discovery probes, or multicast pings. To help prevent this behavior, you can assign a health monitor to at least one node on that VLAN. This practice helps to consistently populate the ARP tables on the BIG-IP high-availability systems, and give a more accurate view of VLAN availability.

  • Can you check if there is other guest configured to use the same VLAN?

If more than one guest on a vCMP host is configured to use the same VLAN, you should avoid using the VLAN failsafe feature for the guest instances; when a vCMP guest detects a loss of network traffic on the VLAN, and attempts to generate VLAN failsafe traffic, the other guests that are configured on the same VLAN may respond to the failsafe requests and prevent a failover event from occurring.

Regards,

0

Replies to this Discussion

Confirm known bug:

ID611487 vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host

Work-around is to disable IPv6, globally, only on vCMP Hosts (see SOL15056: Disabling IPv6 on a BIG-IP system). However, F5 support recommended it on both vCMP Hosts and Guests.

1
Comments on this Reply
Comment made 13-Apr-2017 by Jeremy 3

Hi,

I would like to confirm the known bug. Had this issue before disabling IPv6, v12.1.2 on 5250v. Worked fine after changes.

Thanks epaalx.

0
Comment made 24-Oct-2017 by Pinko_Commie 66

I've encountered the same bug.

6 boxes, 2 * i10800, 4 * i7800, all running v12.1.2 HF1.

The i10800s and 2 of the i7800s function fine and VLAN failsafe works; the other 2 i7800s don't.

I see this when doing a TCPDump:

16:28:37.798076 xx:xx:xx:xx:df:21 > xx:xx:xx:xx:df:02, ethertype IPv6 (0x86dd), length 93: xxxx::xxxx::xxxx:xxxx:df21 > xxxx::xxxx::xxxx:xxxx:df02: ICMP6, neighbor solicitation, who has xxxx::xxxx::xxxx:xxxx:df02, length 32 out slot1/tmm0 lis=

16:28:37.798365 xx:xx:xx:xx:df:02 > xx:xx:xx:xx:df:21, ethertype IPv6 (0x86dd), length 93: xxxx::xxxx::xxxx:xxxx:df02 > xxxx::xxxx::xxxx:xxxx:df21: ICMP6, neighbor advertisement, tgt is xxxx::xxxx::xxxx:xxxx:df02, length 32 in slot1/tmm0 lis=

MAC address ending in df:02 is not one of the physical interfaces and appears to be some internal communications MAC from the vCMP host.

Once I disabled IPv6 at the vCMP HOST level, all the guests' VLAN failsafes started to work.

I'm going to take it up with F5 because all 6 boxes were set up at the same time, and it's a strange coincidence that 2 of them are doing it and 4 aren't. Also, the two that are doing it happen to be the same pair (i.e. they have each other's guests' HA partners), so it's either VLAN specific or something in the surrounding infrastructure that makes the difference.

0
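
One way to check for the condition discussed in this thread, as an added example (not code from the original posts or from F5): it parses `tcpdump -e` output captured on the guest while the host uplinks are disabled and lists the source MACs that still answer the guest with inbound ARP replies or IPv6 neighbor advertisements. The sample capture, its MAC and link-local addresses, and the `known_peers` set are constructed; the ARP line layout is assumed to follow standard `tcpdump -e` output with the BIG-IP direction suffix seen above.

```python
import re
from collections import Counter

# One frame per line, as printed by `tcpdump -e` on a BIG-IP: the line ends
# with the direction and TMM, e.g. "... length 32 in slot1/tmm0 lis=".
FRAME = re.compile(
    r"^\S+ (?P<src>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) > \S+, ethertype \w+ .*?"
    r"(?P<kind>neighbor advertisement|Reply \S+ is-at)"
    r".* (?P<dir>in|out) slot\d+/tmm\d+",
    re.IGNORECASE,
)

def probe_responders(lines):
    """Count inbound ARP replies / neighbor advertisements per source MAC."""
    seen = Counter()
    for line in lines:
        m = FRAME.search(line.strip())
        if m and m.group("dir").lower() == "in":
            seen[m.group("src").lower()] += 1
    return dict(seen)

def unexpected_responders(lines, known_peers):
    """Responders that are not on the list of MACs expected on this VLAN."""
    known = {mac.lower() for mac in known_peers}
    return sorted(mac for mac in probe_responders(lines) if mac not in known)

# Constructed sample capture (all MACs and fe80:: addresses are made up).
SAMPLE = """\
16:28:37.798076 02:00:00:00:df:21 > 02:00:00:00:df:02, ethertype IPv6 (0x86dd), length 93: fe80::ff:fe00:df21 > fe80::ff:fe00:df02: ICMP6, neighbor solicitation, who has fe80::ff:fe00:df02, length 32 out slot1/tmm0 lis=
16:28:37.798365 02:00:00:00:df:02 > 02:00:00:00:df:21, ethertype IPv6 (0x86dd), length 93: fe80::ff:fe00:df02 > fe80::ff:fe00:df21: ICMP6, neighbor advertisement, tgt is fe80::ff:fe00:df02, length 32 in slot1/tmm0 lis=
16:28:38.101200 02:00:00:00:df:21 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 77: Request who-has 10.84.1.1 tell 10.84.1.9, length 46 out slot1/tmm0 lis=
16:28:39.204511 02:00:00:00:aa:01 > 02:00:00:00:df:21, ethertype ARP (0x0806), length 77: Reply 10.84.1.1 is-at 02:00:00:00:aa:01, length 46 in slot1/tmm1 lis=
"""

if __name__ == "__main__":
    # Hypothetical allow-list: the gateway MAC expected to answer on this VLAN.
    known_peers = {"02:00:00:00:aa:01"}
    for mac in unexpected_responders(SAMPLE.splitlines(), known_peers):
        print("unexpected responder while uplinks are down:", mac)
```

Any MAC reported while both trunk members are administratively down is answering from inside the chassis, which matches the behaviour described for ID611487 and for multiple guests sharing one VLAN.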