Hi experts, I'm facing an issue at implementing Active/Active design, where i couldn't access VIPs at all although i can access them an Active/Standby OR Standby/Active. what might be the issue ? I wanna also review my steps to implement active/active: * create 2 VLans(VL_A @ VL_B) * 4 self IPs (S_A1,S_A2,S_B1,S_B2), and 2 floatings (F_A,F_B) * 2 traffic groups(T1,T2), and F_A at T1 and F_B at T2\ *Device_A active at T1 and standby at T2, Device_B active at T2 and standby at T1, * have some virtual servers assigned to VL_A or VL_B(we didn't assign virtual servers to Traffic group directly, right?)

How are you routing traffic to the devices? Are you using a routed segment between the external VLAN and whatever is in front of them (firewall?) and routing the VS subnet to the floating IPs or will the device/firewall use ARP? If ARP I think this should work. I can't quite decide if you need MAC Masquerade or not but its probably a good idea. If L3 routing you'll need dedicated routes for the VS's associated with each TG. So any you'll need to route any VS IPs in TG1 to the TG1/F_A floating IP and and any in TG2 to the TG2/F_B floating IP. Am I making sense?

thnx a lot, actually problem solved after changing SNAT pool to Automap, I don't realize why, what's the problem of having 2 dedicated IPs (one for VLAN_A and other for VLAN_B). Although this design was woorking fine for Active/Standby and Standby/Active? I've note, i though that MAC Masquerade for reducing the risk of dropped connections when failover occurs, which is optional, is that right?

You're welcome. RE: MAC Masq, yes, absolutely. Regarding the active/active, its all about symmetry. If you were using a single SNAT pool that wouldn't work; you'd need two, one for each traffic group (subnet/VLAN).

OK, so how are they configured? Can you provide more detail on the L2/L3 design, would be good to get to the bottom of this one.

Hi, the above answer is correct about having symmetric network configuration. I was also confused about this when i implemented my first active/active configuration. Let's assume that the client (read : the device that initiate the traffic) is on vlan A and the network gateway is Float IP A on TG1 handled by device A. And the client will trying to access VS on vlan B on TG2 handled by device B. If you configure snat, the traffic will be send to device A, device A will snat the packet and then send the traffic to device B, the device B will send the response back to device A, and device A will forward the response back to the client. If you didn't configure snat, the traffic from client will be sent to Device A, and then device A will send the traffic to device B, and device B will send the response by itself to the client. You can see that the traffic was not symmetric. This problem will not happened if you had active/standby configuration because basically there was only one device that handled the traffic. There are many ways to solve this problem, you already had one. Mine is creating routing on the client so every traffic to VS that handled by different TG will be forwarded to respective device that handled the TG. Because the TG itself can move from one device to another device, you must create Floating IP for each TG on each VLAN, and routing those traffic to those Float IP. So you will create Float IP A1 (IP on VLAN A handled by TG1), Float IP A2 (IP on VLAN A handled by TG2), Float IP B1 (IP on VLAN B handled by TG1), Float IP B2 (IP on VLAN B handled by TG2). On the client that reside on VLAN A, you will create routing that every traffic to VLAN B will be sent to Float IP A2 (handled by TG2). On the client that reside on VLAN B, you will create routing that every traffic to VLAN A will be sent to Float IP B1 (handled by TG1). I hope i'm not confusing you with my answer. Already got headache ? well, welcome to the active/active club. Imagine if you had 4 VLAN like me (1 VLAN public facing (TG1), and 1 VLAN internal facing (TG2) and 2 other VLAN (TG3 and TG4) behind F5, each servers behind TG3 and TG4 will talk with each other using VS that handled by TG2. I admitted that i had bad network design, but this was because i didn't know how active/active work, i'm already planning to redesign my network.

Active/Active scenario Issue.

17 Replies

What_Lies_Bene1
Cirrostratus
Aug 19, 2014
How are you routing traffic to the devices? Are you using a routed segment between the external VLAN and whatever is in front of them (firewall?) and routing the VS subnet to the floating IPs or will the device/firewall use ARP?

If ARP I think this should work. I can't quite decide if you need MAC Masquerade or not but its probably a good idea.

If L3 routing you'll need dedicated routes for the VS's associated with each TG. So any you'll need to route any VS IPs in TG1 to the TG1/F_A floating IP and and any in TG2 to the TG2/F_B floating IP.

Am I making sense?
refra_151287
Cirrus
Aug 19, 2014
thnx a lot, actually problem solved after changing SNAT pool to Automap, I don't realize why, what's the problem of having 2 dedicated IPs (one for VLAN_A and other for VLAN_B). Although this design was woorking fine for Active/Standby and Standby/Active?

I've note, i though that MAC Masquerade for reducing the risk of dropped connections when failover occurs, which is optional, is that right?
What_Lies_Bene1
Cirrostratus
Aug 20, 2014
You're welcome. RE: MAC Masq, yes, absolutely.

Regarding the active/active, its all about symmetry. If you were using a single SNAT pool that wouldn't work; you'd need two, one for each traffic group (subnet/VLAN).
What_Lies_Bene1
Cirrostratus
Aug 20, 2014
OK, so how are they configured? Can you provide more detail on the L2/L3 design, would be good to get to the bottom of this one.
Ongko_8903
Cirrus
Aug 21, 2014
Hi, the above answer is correct about having symmetric network configuration.

I was also confused about this when i implemented my first active/active configuration.

Let's assume that the client (read : the device that initiate the traffic) is on vlan A and the network gateway is Float IP A on TG1 handled by device A.

And the client will trying to access VS on vlan B on TG2 handled by device B.

If you configure snat, the traffic will be send to device A, device A will snat the packet and then send the traffic to device B, the device B will send the response back to device A, and device A will forward the response back to the client.

If you didn't configure snat, the traffic from client will be sent to Device A, and then device A will send the traffic to device B, and device B will send the response by itself to the client.

You can see that the traffic was not symmetric.

This problem will not happened if you had active/standby configuration because basically there was only one device that handled the traffic.

There are many ways to solve this problem, you already had one.

Mine is creating routing on the client so every traffic to VS that handled by different TG will be forwarded to respective device that handled the TG.

Because the TG itself can move from one device to another device, you must create Floating IP for each TG on each VLAN, and routing those traffic to those Float IP.

So you will create Float IP A1 (IP on VLAN A handled by TG1), Float IP A2 (IP on VLAN A handled by TG2), Float IP B1 (IP on VLAN B handled by TG1), Float IP B2 (IP on VLAN B handled by TG2).

On the client that reside on VLAN A, you will create routing that every traffic to VLAN B will be sent to Float IP A2 (handled by TG2).

On the client that reside on VLAN B, you will create routing that every traffic to VLAN A will be sent to Float IP B1 (handled by TG1).

I hope i'm not confusing you with my answer.

Already got headache ? well, welcome to the active/active club.

Imagine if you had 4 VLAN like me (1 VLAN public facing (TG1), and 1 VLAN internal facing (TG2) and 2 other VLAN (TG3 and TG4) behind F5, each servers behind TG3 and TG4 will talk with each other using VS that handled by TG2.

I admitted that i had bad network design, but this was because i didn't know how active/active work, i'm already planning to redesign my network.
- What_Lies_Bene1
  Cirrostratus
  Aug 22, 2014
  I really need to do a diagram just for my own purposes. When its done I'll post it here. I think you have the right idea but some errors in your text, you state you use VLAN A for TG1 and TG2. Tricky stuff huh.
refra_151287
Cirrus
Aug 25, 2014

regarding that design, Floating_A is associated to TG1

VS_A is associated to TG1, VLAN_A and using Automap.
Floating_B is associated to TG2 VS_B is associated to TG2, VLAN_B and using Automap.

and now it's working fine. any notices.
- What_Lies_Bene1
  Cirrostratus
  Aug 26, 2014
  OK, sounds good are you happy now? Not sure I fully understand the diagram, are the F5s really connected directly to the firewalls?
- refra_151287
  Cirrus
  Aug 28, 2014
  regarding Boxes, sorry they're connected to SW as F5 and BE servers are in same subnet.
Thomas_Gobet_91
Cirrostratus
Aug 25, 2014
When you were using SNAT Pool, did you add static routes on your servers ?

As it's not an IP defined on interfaces own by the BIG-IP, it won't answer to ARP requests for this IPs.

SNAT Automap use the Floating IP that's maybe why it works when you're running Active/Passive mode.
- refra_151287
  Cirrus
  Aug 28, 2014
  No routes where SNAT IP are in same subnet either with F5 and BE servers, right? Is Automap uses slef IP or Floating IP?
Thomas_Gobet
Nimbostratus
Aug 25, 2014
When you were using SNAT Pool, did you add static routes on your servers ?

As it's not an IP defined on interfaces own by the BIG-IP, it won't answer to ARP requests for this IPs.

SNAT Automap use the Floating IP that's maybe why it works when you're running Active/Passive mode.
- refra_151287
  Cirrus
  Aug 28, 2014
  No routes where SNAT IP are in same subnet either with F5 and BE servers, right? Is Automap uses slef IP or Floating IP?
Thomas_Gobet_91
Cirrostratus
Aug 28, 2014
Automap uses Floating IP, just have a look upper I told you : "SNAT Automap use the Floating IP that's maybe why it works when you're running Active/Passive mode."

I made a mistake about SNAT and routes, I'm sorry. I didn't understand they were on the same subnet.

Is everything fine now ?
- refra_151287
  Cirrus
  Aug 28, 2014
  yes, thnx
Thomas_Gobet
Nimbostratus
Aug 28, 2014
Automap uses Floating IP, just have a look upper I told you : "SNAT Automap use the Floating IP that's maybe why it works when you're running Active/Passive mode."

I made a mistake about SNAT and routes, I'm sorry. I didn't understand they were on the same subnet.

Is everything fine now ?
- refra_151287
  Cirrus
  Aug 28, 2014
  yes, thnx

Forum Discussion

Active/Active scenario Issue.

17 Replies

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Especial Load Balancing Active-Passive Scenario (II)

Azure Active Directory and BIG-IP APM Integration

Re activate license failed

F5 Active Standby Node Configuration