Bug ID 780857: HA failover network disruption when cluster management IP is not

Last Modified: Jul 07, 2020

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4

Opened: May 09, 2019
Severity: 2-Critical

Symptoms

If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Impact

The blade management IP addresses in the failover network unicast mesh stop functioning:

    [root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
    entry_key                     local_failover_addr remote_device_name             pkts_received transitions last_msg   status
    ----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
    10.200.75.8->10.10.10.1:1026  10.10.10.1:1026     VIP2200-R75-S8.sin.pslab.local 3249          3           1555399271 1
    10.200.75.8->10.200.75.3:1026 10.200.75.3:1026    VIP2200-R75-S8.sin.pslab.local 0             1           0          0      <--
    10.200.75.8->10.200.75.4:1026 10.200.75.4:1026    VIP2200-R75-S8.sin.pslab.local 0             1           0          0      <--
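
A check for the symptom shown above, as an added example that is not F5's code: it reads `tmctl -w 200 -S sod_tg_conn_stat` output and lists the failover addresses whose pkts_received or status column is 0. The function names are this example's own, and the embedded sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example, not F5 code: list failover unicast entries that receive nothing.
# On the device: tmctl -w 200 -S sod_tg_conn_stat | dead_failover_links

# Reads sod_tg_conn_stat text on stdin and prints
# "<local_failover_addr> <remote_device_name>" for each row whose
# status or pkts_received column is 0.
dead_failover_links() {
    awk '
        # Header row: map column names to positions instead of hard-coding them.
        $1 == "entry_key" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        # Ignore the prompt line, the dashed rule and anything before the header.
        !("status" in col) || $1 !~ /->/ { next }
        # A trailing "<--" annotation is an extra field and does not shift columns.
        $(col["status"]) == 0 || $(col["pkts_received"]) == 0 {
            print $(col["local_failover_addr"]), $(col["remote_device_name"])
        }
    '
}

# Sample input: the rows from the listing in this article.
sample_sod_tg_conn_stat() {
    cat <<'EOF'
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
EOF
}

# Stand-alone run over the sample: prints the two non-functioning blade addresses.
sample_sod_tg_conn_stat | dead_failover_links
```

Empty output means every listed failover address is receiving messages from its peer.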

Conditions

-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Workaround

You can add an explicit management IP firewall rule to allow this traffic:

    tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.

Fix Information

None

Behavior Change