Last Modified: Feb 11, 2025
Affected Product(s):
BIG_IP_NEXT(VE/HW) Install/Upgrade
Known Affected Versions:
20.2.1
Opened: May 20, 2024
Severity: 2-Critical
This is an intermittent issue caused by a race condition between HA cluster creation and the standby instance writing self-signed certificates to the standby vault. The expected HA workflow steps are:
1. Two BIG-IP Next instances (instance-1 and instance-2) boot up as standalone on the BIG-IP Next 20.2.0 image.
2. Both instances create and store self-signed certificates in the vault DB.
3. The HA cluster creation job is initiated.
4. The active instance creates self-signed certificates for the new cluster IP and updates the vault DB.
5. The standby instance creates self-signed certificates for the new cluster IP and updates the vault DB.
6. During HA cluster join and database sync, the active DB replaces the standby DB.
If Step 5 occurs before Step 6, the HA cluster goes into an unknown state. If Step 5 occurs after Step 6, the HA cluster is healthy and the upgrade works as expected.
BIG-IP Next HA cluster is unreachable from CM.
After creating a BIG-IP Next cluster, upgrade the version on the standby.
During HA upgrades, if the standby node is not reachable, follow the steps below:
1. Disable the "enable automatic failover" flag and Force failover.
2. In the CM UI, click the HA cluster name -> certificates -> Establish Trust. The HA status in the CM UI changes from Unknown to Unhealthy.
3. Upgrade the new standby instance to BIG-IP Next 20.2.1. Both active and standby should be on BIG-IP Next 20.2.1, and HA should be healthy in the CM UI.
None