Bug ID 618319: HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Sep 22, 2016
Severity: 3-Major
Related Article:
K58255321

Symptoms

All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Impact

When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Conditions

This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026). If this port is blocked, the devices cannot exchange failover status information.

Workaround

Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port. Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.

Fix Information

The system now validates input of unicast self-IP addresses, and issues a TMSH warning and log a message if a unicast address is configured that does not have the correct allow-service attribute. The message is similar to the following example: Unicast IP address x.x.x.x does not allow service on UDP port xxxx, network failover may not work.

Behavior Change