Bug ID 425028: Traffic groups and UCS restore or upgrade of HA pair issues

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0

Opened: Jul 11, 2013

Severity: 2-Critical

Related Article: K14104

Symptoms

An upgrade or UCS restore of an HA pair from versions 10.X to 11.4.x may result in an incorrect traffic group assignment for the "/", "/Common" and other non-default system folders. This condition may cause a disruption with normal failover behaviors for an Active/Standby pair.

Impact

- Failover events may elicit address conflicts in the Local Traffic logs. - Traffic disruptions may occur with failover objects as, in this state, they may be serviced by either the Active OR Standby device.

Conditions

Traffic groups drive failover behaviors in BIGIP 11.x. Under normal operating circumstances only the device that is active for a given traffic group services ARP for "failover objects" associated with a failover traffic group. Failover objects are SNATs, floating self ip addresses and virtual addresses. By default, BIG-IP creates two traffic groups, one for monitoring (traffic-group-local-only) and the default failover traffic group called "traffic-group-1". In a typical Active/Standby upgrade scenario, all failover objects will be assigned the default failover traffic group: traffic-group-1

Workaround

For most Active/Standby deployments the fix is to set 'traffic-group-1' on the failover objects present in the /Common administrative partition. How it works: By default there are two system folders used by BIGIP: The "root" folder: / The folder for the default administrative partition: /Common - To see if the issue is present on the two default BIGIP folders: tmsh list /sys folder / /Common Example output from an affected device: sys folder / { device-group sync-failover-group traffic-group none } sys folder /Common { device-group sync-failover-group inherited-devicegroup true traffic-group none } - To correct the issue for / and /Common folders: To fix the traffic group assignment: tmsh modify /sys folder /Common / traffic-group traffic-group-1 To verify the fix: tmsh list /sys folder / Common / To make the change persist across reboots or configuration loads: tmsh save /sys config - Next, failover objects in /Common must be evaluated for the issue: grep 'traffic-group none' /config/* Once affected objects have been identified the issue can be fixed by either of the following methods: Method one: Correct the affected failover objects in memory, commit the change. For example, if only virtual-address definitions are affected in /Common, to fix all virtual addresses for the /Common partition: tmsh modify ltm virtual-address all traffic-group traffic-group-1 To make the change persist across reboots or configuration loads: tmsh save /sys config Method 2: On the standby unit, perform a find and replace on the flat file: Make a backup of the affected configuration file: cp /config/bigip.conf /shared/tmp/SOL14104_bigip.conf Using a text editor find and replace instances of 'traffic-group none' with 'traffic-group traffic-group-1'. Validate the changes will load: tmsh load sys config verify Correct syntax errors as necessary. Assuming the configuration validates, load the configuration into memory: tmsh load sys config Sync the changes to the active box. Evaluate ARP states on adjacent Layer 2 peers to make certain the Active unit's MAC address is authoritative for affected failover objects. - The configuration must also be evaluated for other affected folders which will inherit the issue from the default root ("/") folder: To list all folders: tmsh list sys folder Affected folders will list the traffic group as 'traffic-group none' To correct an affected folder: tmsh modify sys folder <folder_name> traffic-group traffic-group-1 To make the change persist across reboots or configuration loads: tmsh save /sys config partitions all Note: You may correct more than one folder at time: tmsh modify sys folder <folder_name_1> <folder_name_2> <folder_name_3> traffic-group traffic-group-1 - To check for affected failover objects in partitions other than / and /Common: grep 'traffic-group none' /config/partitions/*/* Perform one of the above methods to correct objects that have inherited the issue.

Fix Information

The BIG-IP configuration will have correct failover traffic group assignment for the "/", "/Common" and other non-default system folders.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips