Manual Chapter : Setup High Availability for BIG-IQ

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.0.0
Manual Chapter

Setup High Availability for BIG-IQ

How do I configure BIG-IQ systems in a high availability configuration?

Setting up BIG-IQ in a high availability configuration ensures that you always have access to the BIG-IP devices you are managing. In a BIG-IQ high availability configuration, the BIG-IQ system replicates configuration changes since the last synchronization from the primary device to the secondary device every 30 seconds. If it ever becomes necessary, you can have the secondary peer take over management of the BIG-IP devices.
You can set up BIG-IQ in an auto failover configuration or a manual failover configuration.

Add BIG-IQ SSL certificates to the active and standby BIG-IQ in an HA pair

If you've configured SSL certificate verification for BIG-IQ by enabling the
Verify Hosts
setting from the
System
SSL CERTIFICATE VERIFICATION
screen, you must use this procedure for successful communication between the components in the high availability configuration.
SSL certificate verification is disabled by default. If you haven’t enabled SSL verification, you do not need to complete this task for your auto failover high availability configuration.
Before you create an auto-failover BIG-IQ high availability configuration for a BIG-IQ you've enabled SSL certificate verification for, you need to add the SSL certificates for both BIG-IQ systems and the DCD quorum to what will be the active BIG-IQ so you can validate the end-user host. This is required for all BIG-IQ systems and the DCD quorum with SSL certificate verification enabled to communicate with your managed devices, regardless of which BIG-IQ system is active. BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates), or internal or public certificate authority certificates.
  1. Save the BIG-IQ SSL public key certificates on your local system.
  2. At the top of the screen, click
    System
    .
  3. On the left, click
    SSL CERTIFICATION VERIFICATION
    .
  4. Click
    Import
    .
  5. From the
    Import Type
    list, select
    Certificate
    .
  6. Type a
    Name
    for this BIG-IQ certificate.
    BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named
    mycertificate.crt
    , but you when you import it you name it
    f5.crt
    , BIG-IQ renames the certificate as you specified, to
    f5.crt
    .
  7. Click
    Upload File
    and navigate to the certificate.
  8. Repeat steps 4 - 8 to add the standby BIG-IQ system's certificate device to this active BIG-IQ system.

Add a standby BIG-IQ for a high availability configuration

Before you can set up BIG-IQ in a high availability (HA) configuration, you must have two licensed BIG-IQ systems and you must have added the primary and secondary SSL certificate to the primary BIG-IQ system. It's a good idea to have the BIG-IQ systems in a high availability configuration to be on different platforms for additional insurance that both BIG-IQ systems won't fail.
For the high-availability pair to synchronize properly, each system must be running the same BIG-IQ software version, and the clocks on each system must be synchronized to within 60 seconds. To make sure the clocks are in sync, take a look at the NTP settings on each system before you add a peer.
Configuring BIG-IQ in a high availability (HA) pair means that you can still manage your BIG-IP devices even if one BIG-IQ systems fails.
fail over to work properly, the second BIG-IQ system is not on the same underlying hardware as the primary BIG-IQ system to avoid having both BIG-IQ systems fail.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click the
    Add Secondary
    button.
  4. Type the properties for the BIG-IQ system that you are adding.
  5. Click the
    Add
    button at the bottom of the screen.
The BIG-IQ system synchronize. Once they are finished, both appear as ready (green).

Change a BIG-IQ system in a high availability pair to a standalone system

If the one of your BIG-IQ systems in an HA pair is having any type of system issue, you might want to make it a standalone system until you can fix the problem or until you are finished setting up BIG-IQ again.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click the
    BIG-IQ HA Settings
    button and then click the
    Reset to Standalone
    button.
This BIG-IQ system becomes a standalone system from which you can start managing your devices.

Remove the standby BIG-IQ system from the HA pair

If the F5 BIG-IQ Centralized Management system is configured in an HA pair, you must remove the standby BIG-IQ system before you upgrade the active BIG-IQ.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click
    Remove Standby
    .
    A dialog box opens, prompting you to confirm that you want to remove the standby BIG-IQ from this group.
  4. Click
    Remove
    to confirm that you want to take the standby BIG-IQ from the group.
    The system logs you out of the BIG-IQ while it removes the standby BIG-IQ.
  5. Log back in to the active BIG-IQ.
    For a while, both the active and the standby BIG-IQ continue to display. After a few minutes, the screen updates to display a single standalone BIG-IQ.