You can change the role of the LoadMaster by setting the HA Mode. If the HA Mode is set to HA (First) Mode or HA (Second) Mode, a prompt appears reminding you to add a shared IP address. Changing the HA Mode requires a reboot. After the details are set, click Reboot. Once the LoadMaster has rebooted, the HA Parameters menu option is available in the System Configuration section provided the role is not Non HA Mode. Configuring both units in the same HA Mode, for example, HA (First) Mode and HA (First) Mode, results in severe operational problems because not only will both units be active, but both units will also try to use the same IP address.

When logging in to the HA pair, use the shared IP address to view and set the full functionality of the pair, apart from passwords and licensing. Logging in to the direct IP address of either one of the devices displays different menu options (see menus below). Logging into one of the LoadMasters directly is usually reserved for maintenance.

After upgrading from firmware version 7.1-24b or below, if using the FIPS cavium card 1610 FW 2.2 and the LoadMaster is in HA mode, regenerate the web server SSL key to access the WUIs of the individual LoadMasters.

When a LoadMaster is in HA mode, the following screen appears when the HA Parameters menu option is selected:

Note: After initial configuration, the HA parameters should not be modified unless both units in the HA pair are available and operating properly (that is, both are showing green icons at the top of the WUI, with one LoadMaster in active mode and the other in standby).

HA Status

At the top of the screen (next to the time) icons denote the real-time status of the LoadMaster units in the pair. There is an icon for each unit in the pair. This status is maintained using an automatic ping between the units.

Clicking these icons opens the management interface of the relevant HA partner.

The possible icons are:

Green (with ‘A’)

The unit is online and operational and the HA units are correctly paired.

The A in the middle of the square indicates that this is the active unit.

Green (without ‘A’)

The unit is online and operational and the HA units are correctly paired.

The absence of an ‘A’ in the middle of the square indicates that this is not the active unit (standby).

Red/Yellow

The partner unit is unreachable or turned off and is not ready to take over. It may be offline, misconfigured, or incorrectly paired.

Blue

When the unit reboots more than three times in 5 minutes it enters a pacified state. In this state, the machine is only accessible using the direct machine WUI (not the shared WUI) and it is not participating in any HA activity. Therefore, no changes from the active unit are received and it does not take over if the active unit fails. To remove the unit from the pacified state, fix the root cause of the health check failures, log in to the pacified LoadMaster through SSH or the console and reboot.

If a unit continuously reverts to a pacified state, check the network to see if CARP is being blocked.

Gray

The machine is in an indeterminate state and may require a reboot to return to operation. A gray box often means the unit has not been set up in HA mode correctly. A gray box also appears for a few seconds during the initial HA configuration.

In some cases, it may mean both machines are active, that is, both are set to active, and something has gone seriously wrong.

Question marks: The HA status is updating.

Both green (left box with 'A'): Both units are up, unit 1 is active (A) and unit 2 is standby.

Both green (right box with 'A'): Both units are up, unit 1 is standby and unit 2 is active (A).

Left box green, right box red/yellow: Unit 1 is up and currently active (A). Unit 1 cannot reach unit 2, or unit 2 is turned off.

Left box red/yellow, right box green: Unit 2 is up and currently active (A). Unit 2 cannot reach unit 1, or unit 1 is turned off.

Left box gray, right box red/yellow: HA setup is not complete on unit 1.

Left box red/yellow, right box gray: HA setup is not complete on unit 2.

No HA icons

If the HA status squares are not appearing in the WUI, it probably means that HA is not enabled. Go to System Administration and select the HA option. Ensure the HA Mode is set to either First or Second.

In HA mode, each LoadMaster has its own IP address that is used only for diagnostic purposes directly on the unit. The HA pair has a shared IP address over which the WUI is used to configure and manage the pair as a single entity.

Note: There are a number of prerequisites that must be in place for HA to function correctly. Refer to the Prerequisites section for a list of these prerequisites.

HA Mode

If using a single LoadMaster, select NonHA Mode. When setting up HA mode, one LoadMaster must be set to HA (First) Mode and the other HA (Second) Mode. HA does not operate if both units have the same HA Mode.

HA Timeout

CARP requests are sent every second from the active unit. The value selected in the HA Timeout drop-down list is the time that the active machine must be unavailable before a switchover occurs. With this option, the time it takes a HA pair to detect a failure can be adjusted from 3 seconds to 15 seconds in 3-second increments. The default value is 9 seconds. A lower value detects failures sooner, whereas a higher value prevents HA from failing over too soon if there is a delay when receiving CARP.

To set this option, follow the steps below:

  1. Select System Configuration > HA Parameters.
  2. Select the preferred value in the HA Timeout drop-down list.

HA Initial Wait Time

The HA Initial Wait Time is the length of time after the initial boot of a LoadMaster, before the machine decides that it should become active. If the partner machine is running, this value is ignored. You can change this value to mitigate the time taken for some intelligent switches to detect that the LoadMaster has started and to bring up the link.

HA Virtual ID

When using multiple HA LoadMaster pairs (or other devices using CARP-like protocols) on the same network, this value uniquely identifies each HA pair so that there are no potential unwanted interactions.

We highly recommend using a higher value than 10 because any other HA pair using the same ID could interfere with HA operations.

As of the 7.2.36 release, the LoadMaster selects a virtual ID based on the shared IP address of the first configured interface (the last eight bits). It is selected and displayed once both the shared address and the partner address are set. You can change the value to whatever you want (in the range 1 – 255) or you can keep it at the value it already selected. Ensure the virtual ID is unique on each LoadMaster on the network.

You can find the HA Virtual ID in the LoadMaster WUI by going to System Configuration > HA Parameters.
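
An added example (not Kemp code) that audits an inventory of HA pairs for the virtual ID problems described above: it derives the default ID from the last eight bits of each shared IP address, then flags duplicates on the same network segment, values of 10 or lower, and values outside 1-255. The pair names, segment labels and addresses are constructed, and grouping by a segment label is an assumption about how you record which pairs share a network.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): pair name, L2 segment label, shared IP,
# and the manually configured virtual ID (None = keep the auto-selected value).
PAIRS = [
    ("lm-web",  "vlan10", "10.0.1.50", None),
    ("lm-api",  "vlan10", "10.0.2.50", None),  # other subnet, same last octet
    ("lm-mail", "vlan10", "10.0.1.7",  None),  # default lands at or below 10
    ("lm-db",   "vlan20", "10.0.3.50", None),  # different segment from lm-web
    ("lm-edge", "vlan20", "10.0.4.0",  None),  # last octet 0 is outside 1-255
    ("lm-vpn",  "vlan20", "10.0.3.9",  200),   # manual override
]

def default_virtual_id(shared_ip):
    """Last eight bits of the shared IPv4 address (default selection in 7.2.36+)."""
    return int(ipaddress.IPv4Address(shared_ip)) & 0xFF

def audit(pairs):
    """Return sorted (pair(s), finding, virtual_id) tuples for risky virtual IDs."""
    findings = []
    by_segment = defaultdict(lambda: defaultdict(list))
    for name, segment, shared_ip, manual in pairs:
        vid = manual if manual is not None else default_virtual_id(shared_ip)
        if not 1 <= vid <= 255:
            findings.append((name, "out-of-range", vid))
            continue
        if vid <= 10:  # the page recommends a value higher than 10
            findings.append((name, "low-id", vid))
        by_segment[segment][vid].append(name)
    # Any ID used by more than one pair on a segment can interfere with HA.
    for ids in by_segment.values():
        for vid, names in ids.items():
            if len(names) > 1:
                findings.append((",".join(sorted(names)), "duplicate", vid))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(PAIRS):
        print(finding)
```

Other devices that use CARP-like protocols on the same segment belong in the inventory as well, since they share the same ID space.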

Use Broadcast IP address

By default, the LoadMaster uses an IP multicast address (224.0.0.18) when sending CARP packets. Enabling this option forces the use of the IP broadcast address (255.255.255.255) instead.

Switch to Preferred Server

By default, neither partner in a HA pair has priority. When a machine restarts after a failover, the machine becomes the standby and stays in that state until it is forced to active. Specifying a preferred host means that when this machine restarts, it always tries to become active and the partner reverts to standby mode.

When set to Prefer First HA, if the LoadMaster fails over, the active reverts to HA1 when HA1 comes back online.

When set to Prefer Second HA, if the LoadMaster fails over, the active reverts to HA2 when HA2 comes back online.

When No Preferred Host is selected, if there is a failover on the LoadMaster, the unit that becomes active remains as active (failback does not happen).

To change this option, follow the steps below in the LoadMaster WUI:

  1. In the main menu, select Local Administration > HA Parameters.
  2. Select the relevant option from the Switch to Preferred Server drop-down list.

Note: Some connections may be dropped during the switchover if a preferred host is specified.

For normal operating conditions, we recommend selecting No Preferred Host.

HA Update Interface

The interface used to synchronize the entire HA configuration within the HA pair. Synchronization occurs every two minutes. The information is synchronized over SSH port 6973.

Hard Reboot on link Failure

In LoadMaster firmware version 7.2.53, a new option, Hard Reboot on link Failure, was introduced. When the Hard Reboot on link Failure check box is enabled, the LoadMaster configured in HA reboots if any configured interface loses connectivity with the network (that is, experiences a link failure). The reboot occurs regardless of the LoadMaster's HA status (Primary or Standby).

The Hard Reboot on link Failure check box is available in the System Configuration > HA Parameters screen when both of these are true:

  • High Availability (HA) is configured

  • The Switch to Preferred Server option is set to No Preferred Server.

    Note: The Hard Reboot on link Failure check box is unavailable if you select a preferred server from the Switch to Preferred Server drop-down list.

You cannot have a preferred server if Hard Reboot on link Failure is enabled; if you did, it could lead to circular swapping between the active and standby LoadMaster units.

Force Partner Update

Immediately forces the configuration from the active to standby unit without waiting for a normal update. This option is only available if both units can see each other in an active/standby scenario.

Inter HA L4 TCP Connection Updates

When using L4 services, enabling the Inter HA L4 TCP Connection Updates option allows L4 connection information to be shared between the HA partners. If a failover occurs, the connection information will be available on the unit that assumes the active role. This option does not apply to L7 services.

Note: If you do not allow multicast on the specific interface, inter-HA updates will not work. If you must have inter-HA updates, ensure that you have a dedicated, multicast-enabled interface for this purpose.

Inter HA L7 Persistency Updates

When a failover occurs, all connections are dropped. Enabling the Inter HA L7 Persistency Updates option can help to send some traffic back to the same Real Server, but the connections are still dropped after a failover.

When using L7 services, enabling the Inter HA L7 Persistency Updates option allows L7 persistence information to be shared between the HA partners. If a failover occurs, the persistence information will be available on the unit that assumes the active role. This option does not apply to L4 services.

Note: Enabling this option can have a significant performance impact.

Note: If you do not allow multicast on the specific interface, inter-HA updates will not work. If you must have inter-HA updates, ensure that you have a dedicated, multicast-enabled interface for this purpose.

HA Multicast Interface

The network interface used for multicast traffic, which is used to synchronize Layer 4 and Layer 7 traffic when Inter HA Updates are enabled.

You can select the interface to send and receive inter-HA traffic from within the WUI of the shared IP address:

  1. In the main menu, select System Configuration > HA Parameters.
  2. The HA Update Interface setting is used for sending HA configuration updates using TCP/6973 between units. Modify it if needed.

If you have enabled L7 persistency updates or L4 TCP connection updates, an additional HA Multicast Interface option also becomes available.

Use Virtual MAC Addresses

Selecting this option creates a shared MAC address for both units. When failover occurs, the LoadMaster handles the MAC address handover too. This allows the switches to keep the same MAC address and not worry about ARP caches or stale records. This is useful when gratuitous ARPs (used in communicating changes in HA IP addresses to switches) are not allowed.

Virtual MAC (VMAC) is a way of doing HA at Layer 2, rather than Layer 3. In addition to a shared IP address, there is a shared MAC address that is owned by whichever unit is active. By implementing this, all Virtual Service traffic communicates to this shared MAC address, allowing the standby device to pick up the traffic seamlessly. In the event of a failover, upstream devices do not need to change the Address Resolution Protocol (ARP) record associated with the services. The only change that must occur is that the switch must begin sending frames out of a different port.

VMAC is the best way to accomplish HA. The only reason it is not the default is that some environments prohibit migrating MAC addresses across ports. Settings such as Cisco's Port Security can prevent VMAC from working properly.

A quick way to test whether your environment can use this is the 'laptop test'. To do the 'laptop test', follow the steps below:

  1. Get a laptop and plug it into a port on the switch.
  2. Get connectivity.
  3. Move the connection to a different port on the same switch.

If connectivity returns without incident, then you should also be able to use VMAC.

If your HA pair is connected to two different switches, the laptop test should be done on the switch that those switches converge at (rather than the switches the LoadMaster connects to) because that is where the MAC bookkeeping has to change quickly.

After confirming that VMAC will work in your environment, you can change to Virtual MAC during a maintenance window because it requires a reboot. Also, ARP must be flushed on relevant devices. To turn it on, select the Use Virtual MAC addresses check box in the LoadMaster WUI by going to Local Administration > HA Parameters on both devices. Following that, you must reboot both devices. You also must flush the ARP on all upstream devices. It is recommended, but may not be necessary, to also flush ARP on the Real Servers.

Note: This option is not available in Virtual or Cloud LoadMasters because they are not physically connected.

This is the expected behavior when Virtual MAC (VMAC) is enabled and a fail-over occurs:

IP address       MAC address          Type      Unit
192.168.15.111   00-10-f3-19-31-26    dynamic   Standby unit
192.168.15.110   00-00-5e-00-01-48    dynamic   Active unit
192.168.15.112   00-00-5e-00-01-48    dynamic   Shared IP

Following a fail-over:

IP address       MAC address          Type      Unit
192.168.15.111   00-00-5e-00-01-48    dynamic   New active
192.168.15.110   00-10-f3-18-d4-82    dynamic   New standby
192.168.15.112   00-00-5e-00-01-48    dynamic   Shared IP

Here is the expected behavior without VMAC enabled:

IP address       MAC address          Type      Unit
192.168.15.111   00-10-f3-19-31-26    dynamic   Standby unit
192.168.15.110   00-10-f3-18-d4-82    dynamic   Active unit
192.168.15.112   00-10-f3-18-d4-82    dynamic   Shared IP

Following a fail-over:

IP address       MAC address          Type      Unit
192.168.15.111   00-10-f3-19-31-26    dynamic   New active
192.168.15.110   00-10-f3-18-d4-82    dynamic   New standby
192.168.15.112   00-10-f3-19-31-26    dynamic   Shared IP

Switches may not update their ARP table to reflect the change in fail-over.

The switch sends traffic to 192.168.11.245 (00-10-f3-18-d4-82 (Standby unit)).
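
An added example (not part of the original page or LoadMaster tooling) that compares a neighbour's ARP cache before and after a failover and reports whether the shared IP address follows the new active unit. The first four snapshots reuse the values from the tables above; the stale snapshot and the result labels are constructed for illustration.

```python
import re

MAC = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)

# ARP cache snapshots in the column order of the tables above (IP, MAC, type).
VMAC_BEFORE = """192.168.15.111  00-10-f3-19-31-26  dynamic
192.168.15.110  00-00-5e-00-01-48  dynamic
192.168.15.112  00-00-5e-00-01-48  dynamic"""
VMAC_AFTER = """192.168.15.111  00-00-5e-00-01-48  dynamic
192.168.15.110  00-10-f3-18-d4-82  dynamic
192.168.15.112  00-00-5e-00-01-48  dynamic"""
PLAIN_BEFORE = """192.168.15.111  00-10-f3-19-31-26  dynamic
192.168.15.110  00-10-f3-18-d4-82  dynamic
192.168.15.112  00-10-f3-18-d4-82  dynamic"""
PLAIN_AFTER = """192.168.15.111  00-10-f3-19-31-26  dynamic
192.168.15.110  00-10-f3-18-d4-82  dynamic
192.168.15.112  00-10-f3-19-31-26  dynamic"""
# Constructed: the neighbour never refreshed its entry for the shared IP.
STALE_AFTER = """192.168.15.111  00-10-f3-19-31-26  dynamic
192.168.15.110  00-10-f3-18-d4-82  dynamic
192.168.15.112  00-10-f3-18-d4-82  dynamic"""

def parse_arp(text):
    """Return {ip: mac} with MACs normalised to lower-case, dash-separated form."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC.fullmatch(parts[1]):
            table[parts[0]] = parts[1].lower().replace(":", "-")
    return table

def check_failover(before, after, shared_ip, new_active_ip, new_standby_ip):
    """Classify where a neighbour sends shared-IP traffic after a failover."""
    old, new = before[shared_ip], after[shared_ip]
    if new == after[new_active_ip]:
        # Same MAC as before means the virtual MAC moved with the active role.
        return "vmac-ok" if new == old else "arp-updated"
    if new == after[new_standby_ip]:
        return "stale"        # traffic still goes to the unit that is now standby
    return "unknown-mac"      # shared IP resolves to neither unit

if __name__ == "__main__":
    ips = ("192.168.15.112", "192.168.15.111", "192.168.15.110")
    print(check_failover(parse_arp(PLAIN_BEFORE), parse_arp(STALE_AFTER), *ips))
```

A result of unknown-mac means the shared IP resolves to a MAC owned by neither unit, which warrants checking for a misconfigured or conflicting host on the segment.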