Standby interfaces stay active

Question

I have two LTM 4000's in an Active/Standby configuration.  They are connected to two Palo Alto firewalls and a Cisco 6500 VSS core.  I have two interfaces on each PAN connected to the F5's so that the F5's can fail-over without having to fail-over a PAN as well.  The issue I am seeing is that the PAN is trying to send traffic to the stanby F5.  Why are the interfaces active for a stanby unit?  I can see on the PAN the IP address and MAC of the standby unit and not the active unit.  I have a ticket in with support, but they have not been able to figure this out so far.  I also tried using the MAC Masquerade on the traffic group, which works but it still tries to send data to the standby unit, so it works really poorly.  50% ping loss.&nbsp;
Thoughts anyone?&nbsp;

steve_janetzke_ · Answer

Why are the interfaces active for a stanby unit?
The Standby unit is not offline, it is still processing traffic for the non floating self-IP or IP's associated to the vlan for which that interface is listed as a resource in the configuration. The non-floating IP's are always reachable on the standby unit, it is the floating IP for the VLAN of the HA pair that swaps back and forth based on the Active or Standy status. The interface does not go down. &nbsp;
When you look at the ARP tables on the firewalls is the MAC for the floating IP consistent or does it change when you failover/failback? &nbsp;

badmojo42_14014 · Answer

It shows both floating and the local address for the standby device.  When I try to connect to the website, the arp table shows (incomplete)

eric_st__john · Answer

Did you clear the arp table on the firewall after configuring MAC Masquerading?  Sounds like the firewalls are dropping the gratuitous ARP, as they should, which is why you should be using MAC Masquerading.  It sounds like for a short bit the MAC of the standby unit was learned by the firewalls, and needed to either be cleared or wait for them to timeout.&nbsp;
Eric&nbsp;

dathomas111_201 · Answer

Can you verify the peering is setup correctly? I have seen this behavior from standby units in the past when the trust is corrupted and needs to be re-established. This may arise if you have multiple traffic groups and the standby unit cannot connect to the active. Also, have you experienced trouble syncing or have you applied updates that may have corrupted the db?

bwolmarans_1284 · Answer

Keep this in mind as you troubleshoot: http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7577.html&nbsp;

Forum Discussion

Standby interfaces stay active

7 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

Related Content

F5 Active Standby Node Configuration

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

When Active/Standby failover send mail

Application Programming Interface (API) Authentication types simplified

VLAN Failsafe failover settings change on STANDBY device - affect ACTIVE device?