BIG-IP 6900 High Available Cluster Configuration

Question

Hi,
We have 2 (two) F5 BIG-IP 6900 APM/LTM gateways with the names: F5-GW1 and F5-GW2. 
F5-GW1 is used as a load-balancer for Web Server Farm 1 and F5-GW2 is used as a load balancer for Web Server Farm 2.
What we need to do is to protect both Web Server Farms by using the existing F5 BIG-IP appliances and therefore by enabling the ASM (Application Security Manager) module.
Furthermore, we need to deploy High Availability for the F5 BIG-IP ASM gateways although the existing F5 BIG-IP 6900 appliances are not currently working in High Availability. 
My question is consisted by two parts:
1) Is it possible to use the two existing BIG-IP appliances so as to implement a High Available ASM cluster ? 
In this scenario, F5-GW1 will be the Active ASM gateway for Web Server Farm 1 and the Standby ASM gateway for Web Server Farm 2. In the same way, F5-GW-2 will be the Active ASM gateway for Web Server Farm2 and the Standy ASM gateway for Web Server Farm 1.
2) If the High Availability scenario described in part 1 above is doable, is it possible to configure the HA cluster so as to operate ONLY for the ASM module ? Or will the HA cluster configuration also affect the existing Load Balancing configuration ?&nbsp;
Thanks in advamce,
K.Argyrides. &nbsp;

sec-enabled_658 · Answer

Are the 6900's currently in a device group or are they running standalone? Sounds like they are standalone right now. What version of software are you running? Using different traffic groups might be a solution for this. As far as I know, the HA cluster can be setup for traffic groups, but not on a module basis. ASM policies are tied to vips, so you might be able to have web svr farm 1 vips on traffic group A which could be active on F5-GW1, while then having web svr farm 2 vips on traffic group B which could be active on F5-GW2. The traffic groups could be failed over seperate from each other. Of course you would want to make sure that either 6900 could handle traffic for both groups at any given time in-case one of the units dies.

kargyrides_1348 · Answer

Hi Nathan,
Thanks for your reply.
I am not 100% sure about the current configuration but I believe the 6900s are running as standalone. Both 6900s are running BIG-IP 11.3.0 Build 3131.0 Hotfix HF6. 
Based on your answer, if Web Server Farm A VIP and Web Server Farm B VIP is already configured on each of the existing 6900 gateway (used for load balancing), is it still possible to configure the HA Cluster scenario ONLY for the ASM policies ?

Forum Discussion

BIG-IP 6900 High Available Cluster Configuration

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

No Source configuration available when upgrading from 15.1.9.1 to 15.1.10.2

Integrating with your IPv6 Kubernetes Cluster

BIG-IP VE VMWare Cluster HA triggering configuration

Configuring VMware Fusion for Device Services Clustering

Making EKS Anywhere Highly Available and Secure