Bug ID 1297257: Pool member Forced Offline then Enabled is marked down on peer after Incremental sync

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Opened: May 09, 2023

Severity: 3-Major

Related Article: K000137795

Symptoms

When a Pool Member in a high availability (HA) pair (Sync-Failover Device Group) has been marked Forced Offline and is later marked Enabled on one member of the Device Group, the Pool Member may be marked down on the Device Group members other than the one where it was marked Enabled. On the BIG-IP system (Device Group member) where the Pool Member was marked Enabled, the Pool Member's status is marked correctly according to its actual state, as determined by the Health Monitor configured for the affected Pool or Pool Member.

Impact

The affected Pool Member will not receive traffic as expected on the other Device Group members.
-- If the Pool Member was re-enabled on the Standby member, traffic on the Active member will not be sent to the Pool Member.
-- If the Pool Member was re-enabled on the Active member, traffic on the Standby member will not be sent to the Pool Member if the Active member fails over to the Standby member.

Conditions

This issue occurs on BIG-IP versions where ID 1095217 is fixed, under the following conditions:
-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A Pool Member has been marked Forced Offline
-- A Health Monitor is configured for the Pool or Pool Member
-- The Pool Member is later marked Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, via Incremental sync, not Full sync)

Workaround

Perform one of the following actions as a workaround:

Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status

Option 2:
-- Mark the pool member Disabled
-- Sync this change to the Device Group
-- Mark the pool member Enabled
-- Sync this change to the Device Group

Option 3:
-- Remove the configured Health Monitor from the affected Pool or Pool Member (Note: If removing the Health Monitor from the Pool, all members of the Pool may become unavailable, halting new connections to the pool members.)
-- Sync this change to the Device Group
-- Add the previously-configured Health Monitor back to the Pool or Pool Member
-- Sync this change to the Device Group

Option 4:
-- Do not use the WebUI to force offline/enable the pool member. Instead, use the following CLI (TMSH) commands with the "replace-all-with" option.

Example (force offline, then enable):

    tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
    tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-enabled state user-up } } }
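To confirm that the units agree on pool member status, before or after applying a workaround, the member stanzas from each unit can be compared. The following is an added example, not F5 code: it goes beyond the workaround text by checking for the symptom, and it assumes the stanza layout of `tmsh list ltm pool <name> members` output; the pool name, addresses and sample output are constructed, and only IPv4 `address:port` members are handled.

```python
import re

# Constructed sample: `tmsh list ltm pool http_pool members` from each unit
# (pool name and addresses are placeholders, not values from the bug report).
UNIT_A = """\
ltm pool http_pool {
    members {
        10.0.0.11:80 {
            address 10.0.0.11
            session monitor-enabled
            state up
        }
        10.0.0.12:80 {
            address 10.0.0.12
            session monitor-enabled
            state up
        }
    }
}
"""
# Peer view after the Incremental sync: first member is marked down.
UNIT_B = UNIT_A.replace("state up", "state down", 1)

MEMBER_RE = re.compile(r"^\s+(\S+:\d+) \{$")  # opens an IPv4 member stanza

def parse_members(text):
    """Return {member: (session, state)} parsed from tmsh list output."""
    members, current = {}, None
    for line in text.splitlines():
        opened = MEMBER_RE.match(line)
        fields = line.split()
        if opened:
            current = opened.group(1)
            members[current] = {}
        elif current and len(fields) == 2 and fields[0] in ("session", "state"):
            members[current][fields[0]] = fields[1]
    return {m: (v.get("session"), v.get("state")) for m, v in members.items()}

def divergent_members(local_text, peer_text):
    """List members whose session/state differ between two units."""
    local, peer = parse_members(local_text), parse_members(peer_text)
    return [(m, local.get(m), peer.get(m))
            for m in sorted(local.keys() | peer.keys())
            if local.get(m) != peer.get(m)]

if __name__ == "__main__":
    for member, here, there in divergent_members(UNIT_A, UNIT_B):
        print(f"{member}: local={here} peer={there}")
```

An empty result means both units report the same session and state for every member of the pool.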

Fix Information

None

Behavior Change
