Manual Chapter: Adding a Standby BIG-IQ to Create a High Availability Auto Failover Configuration
Applies To:
BIG-IQ Centralized Management
- 8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0
Using BIG-IQ in a high availability configuration with auto failover
Setting up BIG-IQ Centralized Management in a high availability (HA)
configuration with auto failover ensures that you can continue to manage your BIG-IP
devices if your active BIG-IQ loses functionality. When you set up BIG-IQ in an automatic
failover configuration, failover occurs without any intervention from you.
You can also set up BIG-IQ in a manual high availability failover configuration. For more information, refer to the Set up BIG-IQ in a Manual High Availability Configuration section of the Setting up and Configuring a BIG-IQ Centralized Management Solution guide on support.f5.com.
A BIG-IQ HA configuration with automatic failover consists of three components.
Component | Description |
---|---|
Active BIG-IQ | The BIG-IQ currently managing all BIG-IP devices. |
Standby BIG-IQ | The standby BIG-IQ that has the same configuration as the active BIG-IQ. The standby BIG-IQ automatically becomes active if the active BIG-IQ fails over. |
Quorum DCD | A quorum data collection device (DCD) makes the deciding vote for which BIG-IQ will become active if communication is disrupted between the components of the BIG-IQ high availability configuration. If the quorum DCD is able to communicate with one of the BIG-IQ systems in the pair during the disruption, that BIG-IQ becomes active. The quorum DCD is not a peer BIG-IQ in an HA configuration. |
A healthy BIG-IQ auto failover high availability configuration looks
like this.
Before you set up BIG-IQ in an HA configuration with auto failover enabled
When you set up BIG-IQ in an HA configuration with auto failover enabled, you need to keep the following things in mind.
- If you're using a floating IP address for your HA configuration, the active and standby BIG-IQ must be in the same data center and in the same broadcast domain to allow GARP LAN protocol to succeed. The quorum DCD can be elsewhere. When you use a floating IP address, the address can move from the active to the standby BIG-IQ if failover occurs.
- For failover to work properly, the following ports must be open on the active and standby BIG-IQ, as well as the quorum DCD: TCP port 2224, UDP port 5404, and UDP port 5405.
- If you are deploying BIG-IQ VE in an OpenStack environment, the MTU must be set to 1450. For more information, refer to: https://support.f5.com/csp/article/K94427358
For optimum performance, F5 makes the following maximum round trip latency recommendations:
For connections between these components | Round trip latency cannot exceed |
---|---|
between any two DCD or BIG-IQ devices in a DCD cluster | 75 ms. |
between the BIG-IQ CM and the BIG-IP devices it manages | 250 ms. |
between the managed BIG-IP devices and the DCDs that collect their data | 250 ms. |
Add SSL certificates to the active BIG-IQ with SSL verification enabled in an auto-failover HA configuration
If you've configured SSL certificate verification for BIG-IQ by enabling the Verify Hosts setting from the screen, you must use this procedure for successful communication between the components in the high availability configuration. SSL certificate verification is disabled by default. If you haven’t enabled SSL verification, you do not need to complete this task for your auto failover high availability configuration.
Before you create an auto-failover BIG-IQ
high availability configuration for a BIG-IQ you've enabled SSL certificate verification
for, you need to add the SSL certificates for both BIG-IQ systems and the DCD quorum to
what will be the active BIG-IQ so you can validate the end-user host. This is required
for all BIG-IQ systems and the DCD quorum with SSL certificate verification enabled to
communicate with your managed devices, regardless of which BIG-IQ system is active.
BIG-IQ validates the SSL certificate presented by the communicating host either against
a list of certificates you provide (for example, self-signed certificates), or internal
or public certificate authority certificates.
- Save the BIG-IQ and DCD quorum public key certificates on your local system.
- At the top of the screen, click System.
- On the left, click SSL CERTIFICATION VERIFICATION.
- Click the Import button.
- From the Import Type list, select Certificate.
- In the Name box, type a name for this BIG-IQ certificate. BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named mycertificate.crt, but when you import it you name it f5.crt, BIG-IQ renames the certificate as you specified, to f5.crt.
- Click the Upload File button and navigate to the certificate.
- Repeat steps 4 - 8 to add the standby BIG-IQ system's certificate device to this active BIG-IQ system.
You can now add the standby BIG-IQ system and
DCD quorum to create a high availability configuration.
Add a standby BIG-IQ to create an HA configuration with auto failover
Before you can add a standby BIG-IQ for an HA configuration with auto failover, you must have a BIG-IQ system licensed and running, a second BIG-IQ system licensed, as well as a Data Device Cluster (DCD). If you don't have a DCD set up, you can do that during this procedure.
When configuring auto failover, you'll also create or select an existing Data Collection Device (DCD) as a quorum device. A quorum DCD is used as the deciding vote to determine which BIG-IQ becomes active if communication is disrupted between the active and standby BIG-IQ in the HA pair, by determining which BIG-IQ it can communicate with. The quorum DCD can be part of a DCD cluster, but is not used as a standby BIG-IQ in an HA configuration.
- At the top of the screen, click System.
- On the left, click BIG-IQ HA.
- Click the Add Standby button.
- In the IP Address field, type the discovery address you want to set up as the standby BIG-IQ. This is the same IP address the peers in a high availability configuration use to communicate. IPv6 short form addresses are not supported.
- Type the local administrative Username and Password for the system.
- Type the Root Password for the system.
- For the Failover setting, select Auto Failover. For auto failover to work, you must have the following ports open on the active and standby BIG-IQ as well as the quorum DCD.
  - TCP port 2224
  - UDP port 5404
  - UDP port 5405
- For auto failover, you must associate a quorum DCD.
  - If you do not have a DCD set up, click the Set Up Quorum Device button to specify the DCD you want to use.
  - If you already have a Quorum DCD for auto failover, select it from the list and type its Root Password.
- If you want BIG-IQ to use a floating IP address when automatically failing over to the standby BIG-IQ, select the Enable Floating IP Enable check box and type the address. The floating IP address must be on the same network (this configuration uses Gratuitous ARP packets) as the active and standby BIG-IQ systems’ local management address (interface eth0) and not any of the discovery self IP addresses. This does not restrict HA traffic; HA traffic can be on any of the available interfaces. Floating IP addresses are not supported if your active and standby BIG-IQ systems are in a public cloud environment, such as AWS, Azure, or VMware. If you choose not to use a floating IP address and the active BIG-IQ fails over, you'll have to provide all users access to the newly active BIG-IQ by providing the IP address.
- Click the Add button to add this device to this high availability configuration.
The active BIG-IQ discovers the standby BIG-IQ and displays its status.
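The prerequisites listed before the procedure and the constraints stated in its steps can be checked against a planned deployment before you click Add. The following is an added example, not F5 code: it checks the three required ports, the OpenStack MTU, the discovery address form, and the floating IP rules. The plan dictionary, its field names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Ports the chapter requires open on the active, standby and quorum DCD.
REQUIRED_PORTS = {("tcp", 2224), ("udp", 5404), ("udp", 5405)}

def is_short_form_ipv6(addr):
    """True when addr is IPv6 in compressed notation ('::' or dropped zeros)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and addr.lower() != ip.exploded

def preflight(plan):
    """Return the problems found in a planned auto-failover HA deployment."""
    problems = []
    nodes = plan["nodes"]  # hypothetical layout: one entry per HA component
    for role in ("active", "standby", "quorum"):
        missing = REQUIRED_PORTS - set(nodes[role]["open_ports"])
        for proto, port in sorted(missing):
            problems.append(f"{role}: {proto.upper()} port {port} not open")
        if plan.get("openstack") and nodes[role]["mtu"] != 1450:
            problems.append(f"{role}: MTU must be 1450 on OpenStack")
    if is_short_form_ipv6(nodes["standby"]["discovery"]):
        problems.append("standby: short-form IPv6 discovery address")
    if plan.get("floating_ip"):
        fip = ipaddress.ip_address(plan["floating_ip"])
        if plan.get("public_cloud"):
            problems.append("floating IP not supported in public cloud")
        for role in ("active", "standby"):
            # "mgmt" is the eth0 management address with its prefix length.
            mgmt = ipaddress.ip_interface(nodes[role]["mgmt"])
            if fip not in mgmt.network:
                problems.append(
                    f"{role}: floating IP outside eth0 network {mgmt.network}")
    return problems

# Constructed sample plan (documentation address ranges, not real hosts).
ALL_PORTS = [("tcp", 2224), ("udp", 5404), ("udp", 5405)]
SAMPLE_PLAN = {
    "openstack": True, "public_cloud": False, "floating_ip": "192.0.2.50",
    "nodes": {
        "active": {"mgmt": "192.0.2.10/24", "discovery": "10.10.0.10",
                   "mtu": 1450, "open_ports": ALL_PORTS},
        "standby": {"mgmt": "198.51.100.11/24", "discovery": "2001:db8::11",
                    "mtu": 1450, "open_ports": ALL_PORTS},
        "quorum": {"mgmt": "203.0.113.12/24", "discovery": "10.10.0.12",
                   "mtu": 1500, "open_ports": ALL_PORTS[:2]},
    },
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_PLAN):
        print(line)
```

The quorum DCD is checked for ports and MTU only, because the chapter allows it to sit outside the broadcast domain that the floating IP requires.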