Manual Chapter : Managing Connection Mirroring

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Managing Connection Mirroring

About connection mirroring

Purpose

BIG-IP system high availability includes the ability for a device to mirror connection and persistence information to another device in a device service clustering (DSC) configuration, to prevent interruption in service during failover. The BIG-IP system maintains a separate mirroring channel for each traffic group. The BIG-IP system allows TCP ports starting from 1029 to 1155. The port range for each new connection (traffic group and channel) is incremented by one.

How to enable connection mirroring

You enable connection mirroring on the relevant virtual server, and then on each device in the device group, you specify the self IP addresses that you want other devices to use when mirroring connections to the local device. This enables mirroring between an active traffic group and a mirroring peer in the device group. You can enable connections such as FTP, Telnet, HTTP, UDP, and SSL connections.
For the VLAN associated with the self IP address that you specify for connection mirroring, make sure that the VLAN's
CMP Hash
setting is set to the default value. Otherwise, the system cannot establish the HA connection.
In addition to enabling connection mirroring on the virtual server, you must also assign the appropriate profiles to the virtual server. For example, if you want the BIG-IP system to mirror SSL connections, you must assign one or more SSL profiles to the virtual server.

When to enable connection mirroring

You should enable connection mirroring whenever failover would cause a user session to be lost or significantly disrupted. For example, long-term connections such as FTP and Telnet are good candidates for mirroring. For this type of traffic, if failover occurs, an entire session can be lost if the connections are not being mirrored to a peer device. Conversely, the mirroring of short-term connections such as HTTP and UDP is typically not recommended, because these protocols allow for failure of individual requests without loss of the entire session, and the mirroring of short-term connections can negatively impact system performance.

Platform caveats

Connection mirroring only works between devices with identical hardware platforms. Note that for VIPRION® systems, you configure the BIG-IP system to mirror connections between two chassis or between two vCMP® guests that reside in separate chassis. If the VIPRION system is not provisioned for vCMP, each chassis must have the same number of blades in the same slot numbers. For vCMP systems, each guest must be assigned to the same number of blades in the same slot numbers, with the same number of cores allocated per slot. For more information, see the section
About connection mirroring for VIPRION systems
.

About connection mirroring for VIPRION systems

For VIPRION systems, each device in a Sync-Failover device group can be either a physical cluster of slots within a chassis, or a virtual cluster for a vCMP guest. In either case, you can configure a device to mirror an active traffic group's connections to its next-active device.
For mirroring to work, both the active device and its next-active device must have identical chassis platform and blade models.
You enable connection mirroring on the relevant virtual server, and then you configure each VIPRION cluster or vCMP guest to mirror connections by choosing one of these options:
Within a cluster
You can configure the BIG-IP system to mirror connections between blades within a single VIPRION cluster on the same chassis. This option is not available on VIPRION systems provisioned to run vCMP.
With this option, the BIG-IP system mirrors Fast L4 connections only.
Between clusters (recommended)
You can configure the BIG-IP system to mirror connections between two chassis or between two vCMP guests that reside in separate chassis. When you choose this option, the BIG-IP system mirrors a traffic group's connections to the traffic group's next-active device. For VIPRION systems that are not provisioned for vCMP, each chassis must have the same number of blades in the same slot numbers. For VIPRION systems provisioned for vCMP, each guest must be assigned to the same number of blades in the same slot numbers, with the same number of cores allocated per slot.
In addition to enabling connection mirroring on the virtual server, you must also assign the appropriate profiles to the virtual server. For example, if you want the BIG-IP system to mirror SSL connections, you must assign one or more SSL profiles to the virtual server.

Connection mirroring and traffic groups

Connection mirroring operates at the traffic group level. That is, for each virtual server that has connection mirroring enabled, the traffic group that the virtual server belongs to mirrors its connections to its next-active device in the device group.
For example, if
traffic-group-1
is active on
Bigip_A
, and the next-active device for that traffic group is
Bigip_C
, then the traffic group on the active device mirrors its in-process connections to
Bigip_C
.
If
Bigip_A
becomes unavailable and failover occurs,
traffic-group-1
goes active on
Bigip_C
and begins mirroring its connections to the next-active device for
Bigip_C
.
Connection mirroring only works between devices with identical hardware platforms. Note that for VIPRION® systems, you configure the BIG-IP system to mirror connections between two chassis or between two vCMP® guests that reside in separate chassis. If the VIPRION system is not provisioned for vCMP®, each chassis must have the same number of blades in the same slot numbers. For vCMP systems, each guest must be assigned to the same number of blades in the same slot numbers, with the same number of cores allocated per slot.

Task summary for configuring connection mirroring

Configuring connection mirroring requires you to perform these specific tasks:
Specifying a local self IP address for connection mirroring (required)
This local self IP address is the address that you want other devices in a device group to use when other traffic groups mirror their connections to a traffic group on this device.
Enabling connection mirroring on a virtual server
The BIG-IP® can mirror TCP or UDP connections for a virtual server. When you enable connection mirroring on a virtual server, and you then make the relevant virtual address a member of an active floating traffic group, the traffic group can mirror its connections to its corresponding standby traffic group on another device.
Enabling connection mirroring on a SNAT
The BIG-IP system can mirror TCP or UDP connections for a SNAT.
Enabling persistence mirroring on a persistence profile
The BIG-IP system can mirror persistence information between peers for the following persistence profiles:
  • Destination address affinity
  • Hash
  • Microsoft Remote Desktop (MSRDP)
  • Session Initiation Protocol (SIP)
  • Source address affinity
  • SSL
  • Universal

Specifying an IP address for connection mirroring

You can specify the local self IP address that you want other devices in a device group to use when mirroring their connections to this device. Connection mirroring ensures that in-process connections for an active traffic group are not dropped when failover occurs. You typically perform this task when you initially set up device service clustering (DSC).
When performing this task, make sure you consider the following:
  • You must perform this task locally on each device in the device group.
  • Connection mirroring only functions between devices with identical hardware platforms.
  • For the VLAN associated with the self IP address that you specify for connection mirroring, make sure that the VLAN's
    CMP Hash
    setting is set to the default value. Otherwise, the system cannot establish the HA connection.
  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click
    Device Management
    Devices
    .
    This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. Near the top of the screen, click
    Mirroring
    .
  5. For the
    Primary Local Mirror Address
    setting, retain the displayed IP address or select another address from the list.
    The recommended IP address is the self IP address for VLAN
    HA
    . You can also use VLAN
    internal
    .
    If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the self IP address you specify must be one of the private IP addresses that you configured for this EC2 instance as the
    Primary Local Mirror Address
    .
  6. For the
    Secondary Local Mirror Address
    setting, retain the default value of
    None
    , or select an address from the list.
    This setting is optional. The system uses the selected IP address in the event that the primary mirroring address becomes unavailable.
  7. Click
    Update
    .
In addition to specifying an IP address for mirroring, you must also enable connection mirroring on the relevant virtual servers on this device.

Configuring connection mirroring between VIPRION clusters

Before doing this task, you must enable connection mirroring on the relevant virtual server.
Using the BIG-IP Configuration utility, you can configure connection mirroring between two VIPRION or vCMP clusters as part of your high availability setup:
  • When you configure mirroring on a VIPRION system where vCMP is not provisioned (a bare-metal configuration), an active traffic group on one chassis mirrors its connections to the next-active chassis in the device group.
  • When you configure mirroring on a vCMP guest, an active traffic group mirrors its connections to its next-active guest in another chassis.
Connection mirroring requires that both devices have identical hardware platforms (chassis and blades).
You must perform this task locally on every device (chassis or vCMP guest) in the device group. For VIPRION systems with bare-metal configurations (no vCMP provisioned), each chassis must contain the same number of blades in the same slot numbers. For VIPRION systems provisioned for vCMP, each guest must reside on a separate chassis, be assigned to the same number of blades in the same slot numbers, and have the same number of cores allocated per slot.
  1. From a browser window, log in to the BIG-IP Configuration utility, using the cluster IP address.
  2. On the Main tab, click
    Device Management
    Devices
    .
    The Devices screen opens.
  3. In the Device list, in the Name column, click the name of the device you want to configure.
  4. From the Device Connectivity menu, choose Mirroring.
  5. From the
    Network Mirroring
    list, select
    Between Clusters
    .
  6. Click
    Update
    .

Enabling connection mirroring for TCP and UDP connections

Verify that you have specified primary and secondary mirroring IP addresses on this device. Other traffic groups in the device group use these addresses when mirroring connections to this device.
You can perform this task to enable TCP or UDP connections for a virtual server.
Connection mirroring
is an optional feature of the BIG-IP system, designed to ensure that when failover occurs, in-process connections are not dropped. You enable mirroring for each virtual server that is associated with a floating virtual address.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the
    Configuration
    list, select
    Advanced
    .
  4. For the
    Connection Mirroring
    setting, select the check box.
    This setting only appears when the BIG-IP device is a member of a device group.
  5. Click
    Update
    to save the changes.

Enabling connection mirroring for SNAT connections

You can perform this task to enable connection mirroring for source network address translation (SNAT).
Connection mirroring
is an optional feature of the BIG-IP system, designed to ensure that when failover occurs, in-process SNAT connections are not dropped. You can enable mirroring on each SNAT that is associated with a floating virtual address.
  1. On the Main tab, click
    Local Traffic
    Address Translation
    .
    The
    SNAT List
    screen displays a list of existing SNATs.
  2. In the Name column, click the relevant SNAT name.
  3. For the
    Stateful Failover Mirror
    setting, select the check box.
  4. Click
    Update
    .
In addition to enabling connection mirroring on a SNAT, you must also specify a mirroring IP address on this device. Other traffic groups in the device group use this address when mirroring their connections to this device.

Enabling mirroring of persistence records

Verify that you have specified primary and secondary mirroring IP addresses on this device. Other traffic groups in the device group use these addresses when mirroring persistence records to this device.
You can perform this task to mirror persistence records to another device in a device group.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Persistence
    .
    The Persistence profile list screen opens.
  2. In the Name column, click the name of the relevant persistence profile.
  3. For the
    Mirror Persistence
    setting, select the check box.
  4. Click
    Update
    .