HA failover and ARP confusion

Question

Hi,&nbsp;&nbsp;I am having some trouble with a HA failover scenario and suspect it's the switch (but can see no evidence of this) however the problem presents itself as stale ARP entries so thought I would ask here.&nbsp;&nbsp;&nbsp;I am running 10.2.0 1755.1&nbsp;&nbsp;&nbsp;I have 3 VLANS configured:&nbsp;VLAN_A on 1.1&nbsp;VLAN_B on 1.2 (tagged)&nbsp;VLAN_C on 1.2 (tagged)&nbsp;&nbsp;&nbsp;I have self IP's for VLAN A only (one static for each and one floating)&nbsp;&nbsp;&nbsp;My default route is a gateway on VLAN A&nbsp;&nbsp;&nbsp;I have virtuals on all three VLANS.&nbsp;Both units are synced.&nbsp;VLAN configs are duplicated and by default I am not using masquerading.&nbsp;&nbsp;&nbsp;When Unit 1 is Active all virtuals work fine.&nbsp;&nbsp;&nbsp;Problem:&nbsp;I force Unit 1 to standby ... all nodes and virtuals on the new active (Unit 2) are green.&nbsp;Virtuals on VLAN A continue to work as desired, appropriate changes to the ARP table on the switch are observed.&nbsp;Virtuals on VLAN B and C do not respond.&nbsp;Checking ARP tables on the switch....entries for virtuals on B and C appear stale.&nbsp;&nbsp;&nbsp;If I fail back, all works ok.&nbsp;&nbsp;&nbsp;I only have 4 virtuals on VLAN C and 9 on B so I don't think its Gratuitious ARP spam (ref http://support.f5.com/kb/en-us/solu...r=11136085)&nbsp;&nbsp;&nbsp;I've tried using MAC Masquerade on the offending VLAN's although I do not have visibility into the switch again until tomorrow at which time I'll find out if the table is correct. However do a 'b load' on both units and I did fail over with no different results.&nbsp;&nbsp;&nbsp;I've also observed I only have ARP entries on either LTM for VLAN A - I assume this is because I only have a Self IP for A (I assume I need an address on the VLAN I want to issue Gratuitous ARP's on for the reply) , I am unsure if I should see entries for the other two VLANs given I have no Self IP's for B and C. Unit 1 works without visible entries, so I assumed this would be good for Unit 2.&nbsp;&nbsp;&nbsp;I've seen the switchport (Cisco IOS) config, and the ports for Unit 1 1.2 and Unit 2 1.2 are identical.&nbsp;&nbsp;&nbsp;Any ideas? have I missed something in my config? any clues about what to look for on the switch?&nbsp;&nbsp;&nbsp;Any advice appreciated.&nbsp;&nbsp;&nbsp;Regards&nbsp;J&nbsp;&nbsp;&nbsp;

jason_keating · Answer

Hi 
 I was a little confused about it to, so I read the TMOS guide again and again on Self IP's trying to determine if I needed one. 
 According to the text I only want a Self IP for a VLAN if I want to route to destination servers based on self ip (as a means to identify VLAN and therefore interface of egress), I have a default gateway for all destinations. Or for SNAT'ing thereby ensuring responses are routed back through the LTM, I am snatting most of my traffic with everything coming back to 10.162.134.183
 Here is my config, I can add self ip's but did not see anything stating I must. 
 Thanks for having a look stp instance 0 {
   interfaces {
      1.1 {
         external path cost 20000
         internal path cost 20000
      }
      1.2 {
         external path cost 20000
         internal path cost 20000
      }
   }
   vlans {
      internal_A
      internal_B
      internal_C
   }
}
vlan internal_A {
   tag 4094
   interfaces 1.1
}
vlan internal_B {
   tag 214
   interfaces tagged 1.2
}
vlan internal_C {
   tag 645
   mac masq 40:017:B2:25:44
   interfaces tagged 1.2
}
self 10.162.134.181 {
   netmask 255.255.255.0
   vlan internal_A
   allow default
}
self 10.162.134.183 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan internal_A
   allow default
}
route default inet {
   gateway 10.162.134.1
}
snatpool myfloating_SNAT {
   members 10.162.134.183
}
virtual virtual_1 {
   snatpool myfloating_SNAT
   pool pool_1
   destination 10.162.134.187:http
   ip protocol tcp
   profiles {
      http {}
      tcp {}
   }
}
virtual virtual_2 {
   snatpool myfloating_SNAT
   pool pool_2
   destination 10.162.142.2:https
   ip protocol tcp
   vlans internal_B enable
}
virtual virtual_3 {
   snatpool myfloating_SNAT
   pool pool_3
   destination 10.162.146.173:ldap
   ip protocol tcp
   vlans internal_C enable
}

nitass · Answer

as i tested, there was no garp on internal vlan (no selfip). however, with mac masquerading, client in internal vlan was able to connect to virtual server after failing over. 
  
 without mac masquerading, arp was not changed since garp was not sent out on internal vlan. so, client in internal vlan cannot connect to virtual server after failing over.

bigip01:
[root@bigip01:Active] config  b version|grep -iA 2 version
BIG-IP Version 10.2.0 1755.1
Hotfix HF1 Edition

vlan external {
   tag 4093
   interfaces 1.1
}
vlan internal {
   tag 4094
   mac masq 02:01:D7:1E:C3:43
   interfaces 1.3
}
self 172.28.17.50 {
   netmask 255.255.255.0
   vlan external
   allow all
}
self 172.28.17.99 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan external
   allow all
}
virtual bar {
   snat automap
   pool foo
   destination 10.10.70.100:http
   ip protocol tcp
}

bigip02:
[root@bigip02:Standby] config  b version|grep -iA 2 version
BIG-IP Version 10.2.0 1755.1
Hotfix HF1 Edition

vlan external {
   tag 4093
   interfaces 1.1
}
vlan internal {
   tag 4094
   mac masq 02:01:D7:1E:C3:43
   interfaces 1.3
}
self 172.28.17.10 {
   netmask 255.255.255.0
   vlan external
   allow all
}
self 172.28.17.99 {
   netmask 255.255.255.0
   unit 1
   floating enable
   vlan external
   allow all
}
virtual bar {
   snat automap
   pool foo
   destination 10.10.70.100:http
   ip protocol tcp
}

bigip01:
[root@bigip01:Active] config  b fo standby

bigip02:
[root@bigip02:Standby] config  tcpdump -e -nni 0.0 'arp[14:4] = arp[24:4]'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
03:57:02.596939 00:01:d7:1e:c3:44 &gt; ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 4093, p 0, ethertype ARP, arp who-has 172.28.17.99 (ff:ff:ff:ff:ff:ff) tell 172.28.17.99
03:57:03.596976 00:01:d7:1e:c3:44 &gt; ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 4093, p 0, ethertype ARP, arp who-has 172.28.17.99 (ff:ff:ff:ff:ff:ff) tell 172.28.17.99
03:57:04.596594 00:01:d7:1e:c3:44 &gt; ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 4093, p 0, ethertype ARP, arp who-has 172.28.17.99 (ff:ff:ff:ff:ff:ff) tell 172.28.17.99
03:57:05.596643 00:01:d7:1e:c3:44 &gt; ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 4093, p 0, ethertype ARP, arp who-has 172.28.17.99 (ff:ff:ff:ff:ff:ff) tell 172.28.17.99
03:57:06.596685 00:01:d7:1e:c3:44 &gt; ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 4093, p 0, ethertype ARP, arp who-has 172.28.17.99 (ff:ff:ff:ff:ff:ff) tell 172.28.17.99

client in internal vlan:
[root@web1 ~] arp -a|grep 10.10.70.100
? (10.10.70.100) at 02:01:D7:1E:C3:43 [ether] on eth0

nitass · Answer

i'm a little bit confused. u don't have selfip on vlan b and c but u've virtual server on them. what's the virtual server config?? 
&nbsp;  
&nbsp; would u mind posting vlan, selfip and virtual server config here?

nitass · Answer

if i'm not wrong, i understand garp will be sent for floating selfip and vip. since those ip are in vlan a, i don't think there is garp being sent on vlan b and c. anyway, i'll have a look if there is anything i can find. &nbsp;
&nbsp;SOL11985: Overview of the ARP.GratuitousRate bigpipe database variable 
&nbsp;http://support.f5.com/kb/en-us/solutions/public/11000/900/sol11985.html

jason_keating · Answer

Thanks for you help on this, I added self IP's - which as we suspected sorted the problem. 
&nbsp;  
&nbsp; I'm still unclear on why this is needed (based on F5's documentation which as far as I can see does not set it out as a requirement), although I appreciate why its likely required. 
&nbsp;  
&nbsp; I need to learn more about garp, I've watched the garps with the new selfip's and am puzzled by the mac's in the garp (they don't match the physical int) - anyhow it all works as expected - so like I say, some more testing, research and learning required. 
&nbsp;  
&nbsp; Thanks again helping out. 
&nbsp;  
&nbsp; Cheers 
&nbsp; J &nbsp;

Forum Discussion

HA failover and ARP confusion

5 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Configuring AWS HA Failover Across AZs Without EIPs Using F5 Cloud Failover Extension (CFE)

AS3 TLS_Client VS TLS_Server Schema confusion

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

Using Distributed Cloud DNS Load Balancer with Geo-Proximity and failover scenarios

DC failover test via GTM