Applies To:

Show Versions Show Versions

Manual Chapter: Configuring for High Availability
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About active-standby, high-availability configurations

To ensure that you always have access to the BIG-IP devices under BIG-IQ management, install two BIG-IQ systems in an active-standby, high-availability (HA) configuration.
Note: Currently, a BIG-IQ Security HA configuration is limited to two systems, configured as peers.

Configuring a high-availability pair is optional. However, if you configure a high-availability BIG-IQ system and the active peer fails, the standby peer will become active, enabling you to continue to manage devices.

BIG-IQ Security performs asynchronous replication per transaction, which means that data is replicated continuously, asynchronously, on a transaction-by-transaction basis as changes are made or commands are run on the active system.

Continuous, asynchronous replication ensures you that the stored state on each BIG-IQ system is identical to the state on the other BIG-IQ system(s) in the HA configuration. You can resume managing firewalls after a failover without loss of any configuration change that might have occurred prior to failover.

In addition, all intermediate generations of a configuration object are identical on all HA peers. This is required because snapshots can refer to previous generations, and the system must be able to restore on any node a snapshot that was originally taken on a peer.

About high-availability terminology

Terminology is crucial in understanding the status of the high-availability (HA) relationship. The following list defines some important terms used in HA configurations.

The node you are logged in to when establishing the pair is deemed the primary node; the system added is deemed the secondary node. The primary node determines which node is active if both nodes are up and communicating. This is the node that wins if a conflict occurs. Initiate the pairing from the primary node.
Any node added to the configuration is deemed the secondary node. Currently, BIG-IQ Security supports a 2-node pairing. When finished discovering its peer, the primary node triggers a snapshot of the current state of the storage on the primary node. When the snapshot is finished, it is copied to the secondary node. The restjavad process on the secondary node is restarted.
The node that is running commands is the active node.

If you see the status indications Active (Secondary) on the secondary device, you have failed over to the node that is not the primary.

In the unlikely event of network segmentation, both systems may report that they are active.

The standby node is the node that instructs the user to perform all module-related activity on the active node through a yellow status bar at the top of the interface that indicates its standby status.
A synonym for a high-availability configuration is cluster. A cluster comprises at least two BIG-IQ systems (fully installed and licensed, and running the same version of software), and is configured in a high-availability relationship through BIG-IQ > BIG-IQ Systems > Properties.

Pairing BIG-IQ Security systems for high-availability

Before you can configure BIG-IQ systems for high-availability (HA), you must have two licensed BIG-IQ systems, installed with the required system components. For the high-availability pair to synchronize properly, each must be running the same BIG-IQ version, and the clocks on each system must be synchronized within 60 seconds, and remain synchronized. Prior to establishing the pair, examine the NTP settings at the BIG-IQ system level and the current system time value.
Note: Perform the following procedure on the BIG-IQ system that is deemed the active node.
You can ensure that you always have access to managed BIG-IP devices by installing two BIG-IQ systems in a high availability (HA) cluster. Any configuration change that occurs on one BIG-IQ system is immediately synchronized with its peer device. If a BIG-IQ system in an HA cluster fails, a peer BIG-IQ system takes over device management that was previously performed by the original device. When an event occurs that prevents one of the BIG-IQ systems from processing network traffic, the peer in the redundant system immediately begins processing that traffic, and users experience no interruption in service.
  1. Log in to the BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ dropdown list, select System.
  3. From the BIG-IQ Systems panel header, click + and select Add Device.
  4. In the New Device panel, complete the following fields:
    Option Description
    IP Address Type the self IP address.
    User name Type the administrative user name.
    Password Type the administrative password.
    Group From the Group dropdown list, select Management Group.
    High Availability Mode Select Active-Standby.
  5. Click Add.
When you expand the Management Group, you will see the addition of the standby peer under localhost.

Splitting a high-availability pair

To change or reconfigure peers that are in a BIG-IQ high-availability pair, you must first delete the HA relationship or split the pair.
  1. Log in to the BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ dropdown list, select System.
  3. From the BIG-IQ Systems panel, expand the Management Group.
  4. Hover over the secondary-standby peer and when the gear icon appears, click it to open the panel.
  5. In the expanded panel, click Remove.
The pair is now split. Consult the banner at the top for status. Both nodes will display a status of Standalone.

About automatic failback

BIG-IQ Security forces an automatic failback mechanism in which the Active (Primary) node goes down and the Active (Secondary) node takes over. Subsequently, the Active (Secondary) node may be labeled Active (Secondary). When the Active (Primary) node comes back up, it takes over primary responsibilities automatically, becomes the Active (Primary) node, and synchronizes its configuration with the configuration on the Standby (Secondary) node. Thus, you are guaranteed that no data is lost.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)