Bug ID 1297257: Pool member Forced Offline then Enabled is marked down on peer after Incremental sync

Last Modified: Jul 26, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Fixed In:
16.1.5

Opened: May 09, 2023

Severity: 3-Major

Related Article: K000137795

Symptoms

A pool member in a high availability (HA) pair (Sync-Failover Device Group) has been marked Forced Offline. Later, the pool member is marked as Enabled on one member of the Device Group, and it may be marked as Down on the other Device Group members. On the BIG-IP system (Device Group member) where the pool member was marked as Enabled, its status is correctly set according to the actual state determined by the Health Monitor configured for the affected pool or pool member.
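A check for the symptom above, as an added example that is not part of F5's article: it parses saved `tmsh list ltm pool` output from two Device Group members and reports pool members whose session/state values differ. The sample listings and the 192.0.2.x addresses are constructed for illustration.

```python
# Added example: compare pool member status between two Device Group members.
# Input is the text of `tmsh list ltm pool`, saved from each device.

# Constructed sample output; the pool name follows the article's example and
# the addresses are documentation-range placeholders.
PEER_A = """\
ltm pool http_pool {
    members {
        192.0.2.10:80 {
            address 192.0.2.10
            session monitor-enabled
            state up
        }
        192.0.2.11:80 {
            address 192.0.2.11
            session monitor-enabled
            state up
        }
    }
    monitor http
}
"""
# Constructed peer view: the first member is shown as down.
PEER_B = PEER_A.replace("state up", "state down", 1)


def member_status(listing):
    """Return {(pool, member): (session, state)} parsed from the listing."""
    found, path = {}, []
    for line in listing.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[-1] == "{":            # block opens: remember its name
            path.append(" ".join(tok[:-1]))
        elif tok == ["}"]:            # block closes
            path.pop()
        elif (len(path) == 3 and path[0].startswith("ltm pool ")
              and path[1] == "members" and tok[0] in ("session", "state")):
            key = (path[0].split()[-1], path[2])
            found.setdefault(key, {})[tok[0]] = tok[1]
    return {k: (v.get("session"), v.get("state")) for k, v in found.items()}


def diverged(local, peer):
    """List members present on both devices whose session/state differ."""
    a, b = member_status(local), member_status(peer)
    return sorted((pool, m, a[pool, m], b[pool, m])
                  for pool, m in a.keys() & b.keys() if a[pool, m] != b[pool, m])


if __name__ == "__main__":
    for pool, member, here, there in diverged(PEER_A, PEER_B):
        print(f"{pool} {member}: local={here} peer={there}")
```

Each device runs its own health monitors, so a short-lived difference can be normal; a difference that persists after an Incremental sync is the pattern to investigate.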

Impact

The affected pool member does not receive traffic as expected on the other Device Group members.
-- If the pool member is re-enabled on the Standby member, traffic on the Active member will not be sent to the pool member.
-- If the pool member is re-enabled on the Active member, traffic on the Standby member will not be sent to the pool member if the Active member fails over to the Standby member.

Conditions

This issue occurs on BIG-IP versions where ID1095217 is fixed, under the following conditions:
-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A pool member or the parent Node has been marked Forced Offline
-- A Health Monitor is configured for the pool or pool member
-- The same monitor assigned to the pool member is not set to the rule for LTM default-node-monitor
-- The pool member or its parent Node is later marked as Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, through Incremental sync, not Full sync)

Workaround

Perform one of the following actions as a workaround:

Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status.

Option 2:
-- Set the pool member as Disabled
-- Sync the change with the Device Group
-- Set the pool member Enabled
-- Sync the change with the Device Group

Option 3:
-- Remove the configured Health Monitor from the affected pool or pool member. Note: If the Health Monitor is removed from the pool, all pool members may become unavailable, halting new connections to pool members.
-- Sync this change to the Device Group.
-- Add the previously configured Health Monitor back to the pool or pool member.
-- Sync the change to the Device Group.

Option 4:
Do not use the WebUI for Force Offline or Enable. Instead, use the following TMSH commands with the 'replace-all-with' option to set Force Offline/Enable. For example:

    tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
    tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-enabled state user-up } } }

Note: Option 4 does not resolve the issue; it prevents the issue from occurring.

Fix Information

The pool member status is now correctly synced to other Device Group members after being Forced Offline and then Enabled on one Device Group member. This fix causes a return of ID1095217 on versions where ID1095217 had previously been Fixed.
