Bug ID 618319: HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6

Fixed In:

Opened: Sep 22, 2016

Severity: 3-Major

Related Article: K58255321


All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.


When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.


This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026). If this port is blocked, the devices cannot exchange failover status information.


Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port. Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.

Fix Information

The system now validates input of unicast self-IP addresses, and issues a TMSH warning and log a message if a unicast address is configured that does not have the correct allow-service attribute. The message is similar to the following example: Unicast IP address x.x.x.x does not allow service on UDP port xxxx, network failover may not work.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips