Manual Chapter : Adding a Standby BIG-IQ to Create a High Availability Auto Failover Configuration

Applies To:

BIG-IQ Centralized Management

  • 8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0

Using BIG-IQ in a high availability configuration with auto failover

Setting up BIG-IQ Centralized Management in a high availability (HA) configuration with auto failover ensures that you can continue to manage your BIG-IP devices if your active BIG-IQ loses functionality. When you set up BIG-IQ in an automatic failover configuration, failover occurs without any intervention from you.
You can also set up BIG-IQ in a manual high availability failover configuration. For more information, refer to the Set up BIG-IQ in a Manual High Availability Configuration section of the Setting up and Configuring a BIG-IQ Centralized Management Solution guide on support.f5.com.
A BIG-IQ HA configuration with automatic fail over consists of three components.

BIG-IQ HA Configuration with Auto Fail Over

Component | Description
Active BIG-IQ | The BIG-IQ currently managing all BIG-IP devices.
Standby BIG-IQ | The standby BIG-IQ that has the same configuration as the active BIG-IQ. The standby BIG-IQ automatically becomes active if the active BIG-IQ fails over.
Quorum DCD | A quorum data collection device (DCD) makes the deciding vote for which BIG-IQ will become active if communication is disrupted between the components of the BIG-IQ high availability configuration. If the quorum DCD is able to communicate with one of the BIG-IQ systems in the pair during the disruption, that BIG-IQ becomes active. The quorum DCD is not a peer BIG-IQ in an HA configuration.

A healthy BIG-IQ auto failover high availability configuration looks like this.

Before you set up BIG-IQ in an HA configuration with auto failover enabled

When you set up BIG-IQ in an HA configuration with auto failover enabled, you need to keep the following things in mind.
  • If you're using a floating IP address for your HA configuration, the active and standby BIG-IQ must be in the same data center and in the same broadcast domain to allow the GARP LAN protocol to succeed. The quorum DCD can be elsewhere. When you use a floating IP address, the address can move from the active to the standby BIG-IQ if failover occurs.
  • For failover to work properly, the following ports must be open on the active and standby BIG-IQ, as well as the quorum DCD: TCP port 2224, UDP port 5404, and UDP port 5405.
  • If you are deploying BIG-IQ VE in an OpenStack environment, the MTU must be set to 1450. For more information, refer to: https://support.f5.com/csp/article/K94427358
For optimum performance, F5 makes the following maximum round trip latency recommendations:

For connections between these components | Round trip latency cannot exceed
between any two DCD or BIG-IQ devices in a DCD cluster | 75 ms.
between the BIG-IQ CM and the BIG-IP devices it manages | 250 ms.
between the managed BIG-IP devices and the DCDs that collect their data | 250 ms.

Add SSL certificates to the active BIG-IQ with SSL verification enabled in an auto-failover HA configuration

If you've configured SSL certificate verification for BIG-IQ by enabling the Verify Hosts setting from the System > SSL CERTIFICATE VERIFICATION screen, you must use this procedure for successful communication between the components in the high availability configuration.
SSL certificate verification is disabled by default. If you haven’t enabled SSL verification, you do not need to complete this task for your auto failover high availability configuration.
Before you create an auto-failover BIG-IQ high availability configuration for a BIG-IQ you've enabled SSL certificate verification for, you need to add the SSL certificates for both BIG-IQ systems and the DCD quorum to what will be the active BIG-IQ so you can validate the end-user host. This is required for all BIG-IQ systems and the DCD quorum with SSL certificate verification enabled to communicate with your managed devices, regardless of which BIG-IQ system is active. BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates), or internal or public certificate authority certificates.
  1. Save the BIG-IQ and DCD quorum public key certificates on your local system.
  2. At the top of the screen, click System.
  3. On the left, click SSL CERTIFICATION VERIFICATION.
  4. Click the Import button.
  5. From the Import Type list, select Certificate.
  6. In the Name box, type a name for this BIG-IQ certificate.
    BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named mycertificate.crt, but when you import it you name it f5.crt, BIG-IQ renames the certificate as you specified, to f5.crt.
  7. Click the Upload File button and navigate to the certificate.
  8. Repeat steps 4 - 8 to add the standby BIG-IQ system's certificate device to this active BIG-IQ system.
You can now add the standby BIG-IQ system and DCD quorum to create a high availability configuration.

Add a standby BIG-IQ to create an HA configuration with auto failover

Before you can add a standby BIG-IQ for an HA configuration with auto fail over, you must have a BIG-IQ system licensed and running, a second BIG-IQ system licensed, as well as a Data Device Cluster (DCD). If you don't have a DCD set up, you can do that during this procedure.
When configuring auto failover, you'll also create or select an existing Data Collection Device (DCD) as a quorum device. A quorum DCD is used as the deciding vote to determine which BIG-IQ becomes active if communication is disrupted between the active and standby BIG-IQ in the HA pair, by determining which BIG-IQ it can communicate with. The quorum DCD can be part of a DCD cluster, but is not used as a standby BIG-IQ in an HA configuration.
You set up BIG-IQ in an HA configuration so that if one BIG-IQ system goes offline, another BIG-IQ system can continue managing your devices without interruption. This procedure shows how to add a standby BIG-IQ configured for auto fail over.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the Add Standby button.
  4. In the IP Address field, type the discovery address you want to set up as the standby BIG-IQ.
    This is the same IP address the peers in a high availability configuration use to communicate.
    IPv6 short form addresses are not supported.
  5. Type the local administrative Username and Password for the system.
  6. Type the Root Password for the system.
  7. For the Failover setting, select Auto Failover.
    For auto failover to work, you must have the following ports open on the active and standby BIG-IQ as well as the quorum DCD.
    • TCP port 2224
    • UDP port 5404
    • UDP port 5405
  8. For auto failover, you must associate a quorum DCD.
    • If you do not have a DCD set up, click the Set Up Quorum Device button to specify the DCD you want to use.
    • If you already have a Quorum DCD for auto failover, select it from the list and type its Root Password.
  9. If you want BIG-IQ to use a floating IP address when automatically failing over to the standby BIG-IQ, select the Enable Floating IP Enable check box and type the address.
    The floating IP address must be on the same network (this configuration uses Gratuitous ARP packets) as the active and standby BIG-IQ systems’ local management address (interface eth0) and not any of the discovery self IP addresses. This does not restrict HA traffic; HA traffic can be on any of the available interfaces. Floating IP addresses are not supported if your active and standby BIG-IQ systems are in a public cloud environment, such as AWS, Azure, or VMware.
    If you choose not to use a floating IP address and the active BIG-IQ fails over, you'll have to provide all users access to the newly active BIG-IQ by providing the IP address.
  10. Click the Add button to add this device to this high availability configuration.
The active BIG-IQ discovers the standby BIG-IQ and displays its status.
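
The prerequisites listed earlier and the notes in steps 4, 7 and 9 can be checked against a planned deployment before you click Add. The following is an added example, not F5 code: the plan keys and function names are hypothetical, the addresses are constructed, and limiting the port openings to traffic between the three HA members (rather than any source) is an assumption made here.

```python
# Added example, not F5 code: pre-flight check of an auto-failover HA plan.
import ipaddress
from itertools import permutations

HA_PORTS = (("tcp", 2224), ("udp", 5404), ("udp", 5405))  # ports named on this page

def preflight(plan):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    active = ipaddress.ip_interface(plan["active_mgmt"])    # eth0 address/prefix
    standby = ipaddress.ip_interface(plan["standby_mgmt"])
    disc = plan["standby_discovery"]
    # Assumption: "short form" means anything but the fully expanded notation.
    if ":" in disc and disc.lower() != ipaddress.IPv6Address(disc).exploded:
        problems.append("standby discovery address is in IPv6 short form")
    fip = plan.get("floating_ip")
    if fip:
        fip = ipaddress.ip_address(fip)
        if plan.get("public_cloud"):
            problems.append("floating IP is not supported in a public cloud")
        # Same IP subnet is necessary (not sufficient) for one broadcast domain.
        if active.network != standby.network or fip not in active.network:
            problems.append("floating IP, active and standby eth0 must share a network")
        taken = {active.ip, standby.ip,
                 ipaddress.ip_address(plan["active_discovery"]),
                 ipaddress.ip_address(disc)}
        if fip in taken:
            problems.append("floating IP collides with an address already in use")
    return problems

def required_flows(plan):
    """(src, dst, proto, port) tuples: every HA member to every other member."""
    members = [plan["active_discovery"], plan["standby_discovery"], plan["quorum_dcd"]]
    return [(s, d, proto, port)
            for s, d in permutations(members, 2) for proto, port in HA_PORTS]

PLAN = {  # constructed sample values (documentation address ranges)
    "active_mgmt": "192.0.2.10/24", "standby_mgmt": "192.0.2.11/24",
    "active_discovery": "198.51.100.10", "standby_discovery": "198.51.100.11",
    "quorum_dcd": "203.0.113.5", "floating_ip": "192.0.2.50", "public_cloud": False,
}

if __name__ == "__main__":
    print(preflight(PLAN) or "plan passes")
    for flow in required_flows(PLAN):
        print(*flow)
```

The flow list from `required_flows` can be handed to whoever maintains the firewalls between the two BIG-IQ systems and the quorum DCD.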