
Info: Understanding the HA options for F5 behind-the-scenes

Applies To:

TPP versions 15+

F5 LTM advanced driver

Summary:

The HA options provided in the advanced F5 LTM driver are intended as a workaround in place of the more common and highly recommended floating IP configuration for F5s in HA mode. If using a floating IP is not an option, then these HA options can help us provision your F5s configured for failover.

The basic configuration options are outlined here (18.4 docs) for the F5 LTM Configuration:

https://docs.venafi.com/Docs/18.4/TopNav/Content/Drivers/r-F5LTM-AppObjSettings-tpp.php?Highlight=f5%20advanced%20ltm

As noted, there are four modes under HA Provisioning: Stand Alone, Active, Stand By or Ignore.

Stand alone is just what it means - there is only one server, so treat it accordingly.

The ignore option is well documented here: https://support.venafi.com/hc/en-us/articles/215911347

Essentially, if it is set to Active, we will only provision to the F5 if it is active. If it is set to Standby, we will only provision to it if it is the standby. If it is set to Ignore Failover State, we will provision to it regardless of whether it is active or standby; if you have both devices in your TPP configuration, both will then independently receive the same certificate and key.

Config Sync pushes the cert to the standby F5, so if you are set to ignore the state, then during Config Sync the standby's copy of the certificate/key will be overwritten, essentially duplicating the work.

When using the Active or Standby options, if you have both devices in your TPP configuration, half are expected to fail, and you must reset those certificates to clear the error after successfully provisioning the one side.
