what will happend with HSRP failover with auto_lasthop but without lasthop pool setup

Question

We are running 10.2.x with auto_lasthop set but we did not have lasthop pool set and used, what will happend when the external HSRP routers failsover: will it only affect existing sessions and new connection will not be affected?&nbsp;
Not have time to test it in lab yet.&nbsp;
 &nbsp;

hamish · Answer

That depends on what happens to the MAC address that's listed in the connection. 
&nbsp;  
&nbsp; if the MAC that initiated the connection fails over with the HSRP then it's invisible. 
&nbsp; if the MAC that initiated the connection DOES NOT fail over with the HSRP, then the existing connections in the connection table will hang. 
&nbsp;  
&nbsp; This is by design apparently. IIRC the only way to have this behaviour change is to configure a last-hop pool. In which case a poolmember down will (apparently) cause a fixup of the lasthop MAC address for the connections in the connection table already. Thinking back though there was some reason we couldn't use lasthop pools when I last looked at this (Back when I used to look after a firewall sandwhich), but I can't quite remember why ATM... 
&nbsp;  
&nbsp;  
&nbsp; H

what_lies_bene1 · Answer

I think it will only be be existing sessions. New sessions will come from a different MAC and be OK. That is until HSRP fails back (if configured to do so). Why don't you want to use a Last Hop Pool?&nbsp;
@Hamish, Lasthop Pools doesn't work with VRRP which is what those firewalls probably ran.&nbsp;

nitass · Answer

based on sol9487, i understand existing connection will be affected. new connection could be okay because it will be coming from new mac address. 
&nbsp;  
&nbsp; sol9487: BIG-IP support for neighboring VRRP/HSRP routers 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9487.html 
&nbsp;  
&nbsp; just my 2 cents.

dengfeng_54944 · Answer

We are using cisco HSRP, active hsrp node's mac address did not failover together&nbsp;
Anyone tested this in a lab environment?&nbsp;

hamish · Answer

If the MAC address doesn't fail over, existing connections fail (Assuming the router with that MAC died) and new connections get the new nodes MAC address. 
&nbsp;  
&nbsp; if the router DIDN'T fail (i.e. An admin changed HSRP priorities etc), then nothing should be affected (Because the router can still route). YMMV, I've seen some confgis where only the HSRP active router can reach the destination (e.g. someone relying on static routes and the failover was because of an untracked link/interface failure). 
&nbsp;  
&nbsp; H

Forum Discussion

what will happend with HSRP failover with auto_lasthop but without lasthop pool setup

6 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Configuring AWS HA Failover Across AZs Without EIPs Using F5 Cloud Failover Extension (CFE)

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

Using Distributed Cloud DNS Load Balancer with Geo-Proximity and failover scenarios

DC failover test via GTM

Per-app failover for Kubernetes-based services using F5 Distributed Cloud Services