Bug ID 744936: Adding a default tmm gateway in AWS breaks failover between two instances if the default tmm gateway can't provide a route to the EC2 metadata service at 169.254.169.254.

Last Modified: May 01, 2019

Affected Product: BIG-IP VE (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4

Opened: Sep 24, 2018
Severity: 3-Major

Symptoms

Instance failover breaks with the following messages in /var/log/ltm:

/usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Instance sanity check failed with error:
/usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): ('Connection aborted.', error(111, 'Connection refused'))

Impact

Because moving the elastic IP between the Active and Standby instances fails, the failover can't complete and the new Active instance can't take over BIG-IP operations.

Conditions

- BIG-IP is deployed in AWS with multiple NICs.
- The BIG-IP is part of a failover group.
- Failover/HA in AWS depends on access to the instance metadata provided by EC2 via the HTTP endpoint at 169.254.169.254.
- The default gateway provided by AWS through DHCP ensures access to this metadata endpoint without any additional configuration. However, when a custom default gateway is used, access to the instance metadata endpoint might not work.

Workaround

Add an ip rule for the link-local address 169.254.169.254 as follows:

ip rule add to 169.254.169.254 lookup 245
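The following POSIX shell snippet is an added example and not F5's own code or part of this bug record. It wraps the workaround so it can be re-run safely: it parses `ip rule show` output to decide whether the rule for 169.254.169.254 via table 245 already exists, emits the add command only when it is missing, and offers a reachability probe against the metadata endpoint so the fix can be verified before the next failover. The sample `ip rule show` text and the `/latest/meta-data/instance-id` probe path are constructed for the example; the table number and address come from the workaround above.

```shell
#!/bin/sh
# Added example (not F5's code): idempotent application of the ip rule workaround.

METADATA_IP="169.254.169.254"   # EC2 instance metadata endpoint (from the bug record)
TMM_TABLE="245"                 # routing table named in the workaround

# has_metadata_rule TEXT
# Returns 0 when TEXT (the output of `ip rule show`) already contains a rule
# that sends traffic to the metadata address through lookup table 245.
has_metadata_rule() {
    printf '%s\n' "$1" | grep -Eq "to 169\.254\.169\.254(/32)? lookup ${TMM_TABLE}( |\$)"
}

# workaround_command TEXT
# Prints the workaround command when the rule is missing; prints nothing
# when it is already present, so the output can be piped straight to sh.
workaround_command() {
    if has_metadata_rule "$1"; then
        return 0
    fi
    printf 'ip rule add to %s lookup %s\n' "$METADATA_IP" "$TMM_TABLE"
}

# apply_workaround
# Reads the live rule table and adds the rule only if it is not there yet.
apply_workaround() {
    current="$(ip rule show)"
    cmd="$(workaround_command "$current")"
    [ -n "$cmd" ] && $cmd
}

# check_metadata_reachable
# Returns 0 if the metadata service answers within two seconds; this is the
# same dependency the failover script needs, so run it after applying the rule.
check_metadata_reachable() {
    curl -s --max-time 2 -o /dev/null "http://${METADATA_IP}/latest/meta-data/instance-id"
}

# Constructed sample output of `ip rule show`, before and after the workaround
# (not captured from a real instance).
SAMPLE_BEFORE='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'

SAMPLE_AFTER='0:	from all lookup local
32765:	from all to 169.254.169.254 lookup 245
32766:	from all lookup main
32767:	from all lookup default'

# Usage on an instance (needs root): apply_workaround && check_metadata_reachable
```

Policy rules added with `ip rule add` live only in the kernel and do not survive a reboot, so the rule has to be reapplied at boot by whatever mechanism your platform uses for startup configuration; the idempotent check above keeps that safe to run repeatedly.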

Fix Information

None

Behavior Change