
Manual Chapter: Testing the High Availability Configuration

Trigger failover to the standby BIG-IP VE

Before doing this task, confirm in AWS that both BIG-IP® VE instances are running.

You can test your HA configuration by forcing the active BIG-IP VE to fail over to the standby peer and then viewing the HA status of each BIG-IP VE.

  1. Log in to the Configuration utility for both BIG-IP VEs.

    In the upper left corner, BIG-IP A should show a status of ACTIVE, while BIG-IP B shows a status of STANDBY.
  2. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  3. In the Navigation pane, under NETWORK & SECURITY, select Network Interfaces.
    This displays the list of EC2 network interfaces.
  4. Find the secondary private IP address to be used as the virtual IP address (10.0.1.202), and see that it is assigned to BIG-IP A's external interface.

  5. On the active BIG-IP VE (BIG-IP A), from the Main tab, click Device Management > Traffic Groups.
  6. To the left of traffic-group-1, select the check box.
  7. Click Force to Standby.
    A confirmation message appears.
  8. Click Force to Standby again.

    In the upper left corner of the BIG-IP Configuration utility, BIG-IP A now shows a status of STANDBY, while BIG-IP B shows a status of ACTIVE.
  9. Now view the AWS list of network interfaces and find the secondary private IP address again. You can see that the IP address floated to BIG-IP B's external interface during failover.
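
The same before-and-after check can be made on the JSON that `aws ec2 describe-network-interfaces --output json` returns instead of reading the console list. The following is an added example, not part of the original manual; the ENI and instance IDs are constructed placeholders, and the function names are hypothetical.

```python
# Added example: locate the floating virtual address in EC2 network-interface data.
VIP = "10.0.1.202"  # virtual server address used in this chapter

def vip_holders(described, vip=VIP):
    """List (eni_id, instance_id, device_index, is_primary) for each ENI holding vip."""
    found = []
    for eni in described.get("NetworkInterfaces", []):
        att = eni.get("Attachment", {})
        for addr in eni.get("PrivateIpAddresses", []):
            if addr.get("PrivateIpAddress") == vip:
                found.append((eni["NetworkInterfaceId"], att.get("InstanceId"),
                              att.get("DeviceIndex"), bool(addr.get("Primary"))))
    return found

def failover_moved_vip(before, after, vip=VIP):
    """True if vip was a secondary address on one instance's eth1 and is now on another's."""
    b, a = vip_holders(before, vip), vip_holders(after, vip)
    if len(b) != 1 or len(a) != 1:
        return False          # address missing or listed more than once
    (_, inst_b, idx_b, prim_b), (_, inst_a, idx_a, prim_a) = b[0], a[0]
    if prim_b or prim_a:
        return False          # the VIP must be a secondary address, not the self IP
    # Device index 1 is eth1, the external interface in this chapter's layout.
    return idx_b == 1 and idx_a == 1 and inst_b != inst_a

def _eni(eni_id, instance, index, primary_ip, secondary=()):
    """Build one constructed ENI record in the describe-network-interfaces shape."""
    addrs = [{"PrivateIpAddress": primary_ip, "Primary": True}]
    addrs += [{"PrivateIpAddress": ip, "Primary": False} for ip in secondary]
    return {"NetworkInterfaceId": eni_id, "PrivateIpAddresses": addrs,
            "Attachment": {"InstanceId": instance, "DeviceIndex": index}}

# Constructed sample data (placeholder ENI and instance ids), before and after failover.
BEFORE = {"NetworkInterfaces": [
    _eni("eni-EXAMPLE-A1", "i-EXAMPLE-A", 1, "10.0.1.200", ["10.0.1.202"]),
    _eni("eni-EXAMPLE-B1", "i-EXAMPLE-B", 1, "10.0.1.201")]}
AFTER = {"NetworkInterfaces": [
    _eni("eni-EXAMPLE-A1", "i-EXAMPLE-A", 1, "10.0.1.200"),
    _eni("eni-EXAMPLE-B1", "i-EXAMPLE-B", 1, "10.0.1.201", ["10.0.1.202"])]}

if __name__ == "__main__":
    print("before:", vip_holders(BEFORE))
    print("after: ", vip_holders(AFTER))
    print("VIP floated to the peer:", failover_moved_vip(BEFORE, AFTER))
```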

Troubleshooting the HA configuration

There are a few things you can do if failover is not working:

  • Confirm that the Port Lockdown setting on each self IP address is set to Allow All.
  • Confirm that an IAM role is assigned to both instances, and that it has the appropriate security policy assigned to it. If you did not assign a role, you can create an IAM user instead and enter the user's keys into BIG-IP VE. For more information, see the topic Use keys instead of an IAM role.
  • For the external, internal, and HA VLANs, confirm that the interface assigned to each VLAN matches the device index assigned to the corresponding subnet. For example, the internal subnet in AWS should have a device index of eth2, and the internal VLAN in the BIG-IP® software should have interface 1.2 assigned to it.
  • Check the log messages by using SSH to log in to the BIG-IP VEs. At the system prompt, type the command tail -n 20 /var/log/ltm. This shows the most recent twenty rows of log messages.
  • Confirm that the two instances show the same date and time.

If none of the above solves the problem, use the BIG-IP® Configuration utility to do the following:

  1. Delete the peer authority in the local trust domain.
  2. Remove the BIG-IP VEs from the device group and then delete the empty device group.
  3. On BIG-IP A, re-establish trust with BIG-IP B, specifying BIG-IP B's management address, 10.0.0.201.
  4. Re-create the Sync-Failover device group with the Network Failover setting enabled.
  5. On BIG-IP A, sync the configuration to the device group (in this case, BIG-IP B).

Use an IAM user instead of an IAM role

For BIG-IP VE and AWS to communicate, an IAM user or role with sufficient permission must exist in AWS. If you used an IAM role, you assigned it when you deployed BIG-IP VE. If you prefer, you can use an IAM user instead.
  1. Create an AWS IAM policy.
    1. In the AWS Management Console, from the Services menu at the top of the screen, select IAM.
    2. In the Navigation pane, under Details, select Policies.
    3. Click Create Policy.
    4. By Create Your Own Policy, click Select.
    5. Enter this text in the Policy Document field.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ec2:describeinstancestatus",
                      "ec2:describenetworkinterfaces",
                      "ec2:assignprivateipaddresses"
                  ],
                  "Resource": "*"
              }
          ]
      }
    6. Click Create Policy.
  2. Now assign the policies to an IAM user.
    1. In the Navigation pane, under Details, select Users.
    2. Click Create New Users.
    3. Type a user name, select Generate an access key for each user and then click Create.
    4. Click Download Credentials.
      An access key ID and a secret access key are downloaded in a file named credentials.csv.
      Important: AWS downloads these credentials only once, so keep track of where they are stored.
    5. Click Close.
    6. In the list of users, click the row for the user.
    7. On the Permissions tab, click Attach Policy.
    8. Select the check box for the policy you created previously.
    9. Click Attach Policy.
  3. Finally, enter the user's keys into BIG-IP VE.
    1. Log in to the BIG-IP Configuration utility.
    2. On the Main tab, click System > Configuration > AWS > Global Settings.
    3. In the Access Key field, type the access key.
    4. In the Secret Key field, type the secret key.
    5. Click Update.
BIG-IP VE can now use the IAM user's keys to communicate with AWS.
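
Because the access key stored on BIG-IP VE is a long-lived credential, it is worth confirming that the attached policy grants the three failover actions listed above and nothing broader. The following is an added example, not part of the original manual; the function names and the sample policies are constructed for illustration, and only Allow statements with an Action element are evaluated.

```python
import json
from fnmatch import fnmatchcase

# The three actions in this chapter's policy document, lowercased
# (IAM matches action names case-insensitively).
REQUIRED = {"ec2:describeinstancestatus", "ec2:describenetworkinterfaces",
            "ec2:assignprivateipaddresses"}

def _as_list(value):
    """IAM allows a single string or object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (missing, excess) for the Allow statements of an IAM policy document.

    missing: required actions that no Allow pattern covers.
    excess:  granted patterns that are not exactly one of the required actions.
    Simplification: NotAction, Deny statements and Condition blocks are not evaluated.
    """
    granted = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        granted += [a.lower() for a in _as_list(stmt.get("Action", []))]
    # IAM action patterns use * and ? wildcards, which fnmatchcase also understands.
    missing = sorted(r for r in REQUIRED
                     if not any(fnmatchcase(r, g) for g in granted))
    excess = sorted(set(granted) - REQUIRED)
    return missing, excess

def _policy(actions):
    """Build a constructed single-statement policy document for the samples below."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": actions,
                                      "Resource": "*"}]})

# Constructed samples: the chapter's policy, an over-broad one, an incomplete one.
PAGE_POLICY = _policy(sorted(REQUIRED))
BROAD_POLICY = _policy("ec2:*")
DESCRIBE_ONLY = _policy(["ec2:Describe*"])

if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("broad", BROAD_POLICY),
                      ("describe-only", DESCRIBE_ONLY)]:
        print(name, audit_policy(doc))
```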

High availability networking objects

If you are having issues with your HA configuration, ensure that all of these objects are properly configured.

In AWS, a VPC with:
  • Network address translation (NAT)
  • A subnet for the management, external, internal, and HA networks
  • A security group for each subnet
  • A route table entry to provide Internet access for the management and external subnets
A running instance of BIG-IP VE (called BIG-IP_A) with the following:
In | Object | Details
AWS | NICs | mgmt_A, eth0, 10.0.0.200; external_A, eth1, 10.0.1.200; internal_A, eth2, 10.0.2.200; HA, eth3, 10.0.3.96
AWS | Elastic IP | For the management interface, an Elastic IP (EIP) address, for example 52.x.x.x
AWS | Secondary Private IP address | For the virtual server, a secondary private IP address attached to NIC external_A: 10.0.1.202
BIG-IP VE | VLANs | external VLAN interface: 1.1; internal VLAN interface: 1.2; HA VLAN interface: 1.3
BIG-IP VE | Self IP addresses | External: 10.0.1.200; Internal: 10.0.2.200; HA: 10.0.3.96
BIG-IP VE | Virtual server | 10.0.1.202
BIG-IP VE | Load balancing pool | HA_pool
A running instance of BIG-IP VE (called BIG-IP_B) with the following:
In | Object | Details
AWS | NICs | mgmt_B, eth0, 10.0.0.201; external_B, eth1, 10.0.1.201; internal_B, eth2, 10.0.2.201; HA, eth3, 10.0.3.185
AWS | Elastic IP | For the management interface, an Elastic IP (EIP) address, for example 52.x.x.x
BIG-IP VE | VLANs | external VLAN interface: 1.1; internal VLAN interface: 1.2; HA VLAN interface: 1.3
BIG-IP VE | Self IP addresses | External: 10.0.1.201; Internal: 10.0.2.201; HA: 10.0.3.185