Any Reasons NOT to use automatic with incremental synchronization sync type

Question

Situation: Have an active and standby pair on 5200 boxes/13.1 release.  ~ 300 VIP on LTM, 20 APM policies, 50 ASM policies. Several of ASM policies with policy building in automatic mode.  We have auto failover turned on if Primary goes down but Not configured to auto failback on standby device.  Those items noted...&nbsp;
Are there any concerns about using automatic with incremental synchronization sync type?  Two potential pitfalls I could see are the following
a) Policy building in auto mode will result in more ASM Policy updates and trigger more syncs.  Question - Will every change to counter result in policy update?
b) Maximum Incremental Sync Size is 1024, and if more, will due a full syncronization.  How can one determine what the sync size is for a given syncronization due to an individual ASM, LTM, or APM change?&nbsp;
I would prefer to use auto sync if possible to ensure backups are as up to date as possible but anecdotally am not aware of many shops using auto sync.  Welcome community's thoughts on the matter. Thanks.&nbsp;

rob_carr · Answer

Here's a reason not to use autosync - if you don't change the default behavior, the config is sync'd to all devices, but not saved. I can see scenarios where a total DC failure results in something other than the most recent production config being deployed. Link here.

simon_blakely · Answer

The biggest issue with auto-sync is that the device that receives config changes does not write the changes to disk - the change only exists in memory in MCPD. This is a deliberate design decision to prevent the BigIP spending all it's time writing config changes to disk as a number of small changes are made on the peer.  
&nbsp;
K14624: Configuring the Automatic Sync feature to save the configuration on the remote devices&nbsp;
This can lead to a situation where the configuration can be lost if the system where changes are made (and saved) fails, and then the peer restarts or reloads the config from disk without saving.&nbsp;
You can enable save-on-auto-sync but this introduces risks with very large configs.&nbsp;
If you are using ASM Policy Builder, then the ASM sync group should be set to automatic.&nbsp;
You have to make a choice about your LTM sync groups, based on the size of the configuration, the frequency of changes, and your own management policies.  
&nbsp;
Some people with auto-sync enabled use a cron task to ensure that a&nbsp;
tmsh save /sys config&nbsp;
is run at a regular interval (I'd suggest no more than hourly, as opposed to daily).&nbsp;

Forum Discussion

Any Reasons NOT to use automatic with incremental synchronization sync type

2 Replies

Recent Discussions

Transaction looks successful but file not downloading

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Decrypting BIG-IP Packet Captures Automatically

GTM synchronization group

F5 Automatic ISP failover Configuration

F5 Distributed Cloud - Automatic TLS Certificate Generation - Non-Delegated DNS Zone

F5 BIG-IP Automatic email notification for system update events (ASM/AWAF)