Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Apr 20, 2015 Severity: 2-Critical
When active/standby clocks are not in sync this problem will manifest itself. On a failover, BIG-IP needs to determine the age of an entry so that it can update the TTL. This age determination depends on clocks on the active and standby which may not be in sync.
Entry may expire later or may expire early or may not get programmed if on failover we determine if it has already expired.
This occurs in an HA deployment where NTP is not configured and the clocks are out of sync.
Use NTP to sync clocks. This should reduce the error margin and make it as low as what NTP provides
Use NTP to sync active/standby pair for better accuracy of shun entry expiry.