View High Availability State¶
Review the High Availability Overview page to see information about what HA does.
Check Tunnel Uses Floating Self IP (Tunnel Mode)¶
Use tmsh list net ipsec ipsec-policy [<policy-name>] tunnel-local-address to check the policy's local address. Then verify that the local address is a floating self IP.
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address
net ipsec ipsec-policy IPSEC-POLICY-1234 {
tunnel-local-address 192.0.2.1
}
Check Tunnel Uses Floating Self IP (Interface Mode)¶
If there is no IP in tunnel-local-address, it is likely that the ipsec-policy is configured in "interface" mode. That is fine as long as a tunnel object is set up. In that case the correct place to check is the "tunnels" configuration, as follows.
We see there is no local IP on the ipsec-policy:
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address
net ipsec ipsec-policy IPSEC-POLICY-1234 {
tunnel-local-address any6
}
We see the policy is in interface mode:
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 mode
net ipsec ipsec-policy IPSEC-POLICY-1234 {
mode interface
}
We find the tunnels config object has a local-address. Use tmsh list net tunnels tunnel [<tunnel-name>] local-address to find the local address.
# tmsh list net tunnels tunnel TUNNEL-1234 local-address
net tunnels tunnel TUNNEL-1234 {
local-address 192.0.2.1
}
That is the address which must exist as a floating self IP.
Check the Local Address is a Floating Self IP¶
# tmsh list net self EXTERNAL-SELF address traffic-group
net self EXTERNAL-SELF {
address 192.0.2.1
traffic-group traffic-group-1
}
Normally, if the assigned traffic-group is not "traffic-group-local-only", then the traffic-group and the address are floating.
You can verify the traffic-group's floating state with the tmsh list cm traffic-group [<traffic-group-name>] is-floating command.
# tmsh list cm traffic-group traffic-group-1 is-floating
cm traffic-group traffic-group-1 {
is-floating true
}
Check Standby Device Has Security Associations¶
The output of the commands tmsh show net ipsec ike-sa and tmsh show net ipsec ipsec-sa should be the same on both the Active and the Standby BIG-IP.
# tmsh show net ipsec ike-sa
-------------------------
IKE::SecurityAssociations
-------------------------
192.0.2.1/4500 -> 198.51.100.1/4500 v2 ESTABLISHED (tmm: 6)
192.0.2.1/500 -> 203.0.113.1/500 v2 ESTABLISHED (tmm: 5)
Total records returned: 2
# tmsh show net ipsec ipsec-sa
IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 7)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
192.0.2.1 -> 203.0.113.1 SPI(0xb17f87c) out esp (tmm: 3)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 5)
203.0.113.1 -> 192.0.2.1 SPI(0xe6ace8f) in esp (tmm: 5)
198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp (tmm: 6)
Total records returned: 6
In normal use cases, the Active and Standby should return exactly the same information, except in cases where:
An SA operation (create or delete/expire) was occurring around the same time that the show commands were run.
A BIG-IP administrator used the delete command on the Standby to remove an SA (not a recommended or standard procedure).
The tmm may differ if the SA load migration feature has been enabled by the BIG-IP administrator. This is a rare configuration requirement and not on by default.
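An added example, not from the original page or from F5: a POSIX shell script that performs this Active-versus-Standby comparison on captured "tmsh show net ipsec ipsec-sa" (or ike-sa) output, ignoring the tmm field for the reason given above. The function and variable names (normalize_sa, compare_sa, ACTIVE_SA, STANDBY_SA) and the sample captures are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original page or F5 tooling): compare the IPsec
# SA table of the Active BIG-IP with the Standby's, as the "Check Standby
# Device Has Security Associations" step does by eye. Inputs are captured text
# of "tmsh show net ipsec ipsec-sa" (or ike-sa) from each device; "(tmm: N)"
# is ignored because the owning tmm may differ when SA load migration is on.
LC_ALL=C; export LC_ALL

# Keep only SA lines, drop the tmm field, sort so comm(1) can diff the sets.
normalize_sa() {
  grep -E '^[0-9.]+(/[0-9]+)? -> ' | sed -E 's/ *\(tmm: [0-9]+\)//' | sort
}

# Number of SAs in a captured output.
count_sa() { printf '%s\n' "$1" | normalize_sa | grep -c .; }

# Print SAs present on only one device. Returns 0 when the two tables match.
compare_sa() {
  a=$(mktemp) || return 2; s=$(mktemp) || return 2
  printf '%s\n' "$1" | normalize_sa > "$a"
  printf '%s\n' "$2" | normalize_sa > "$s"
  only_a=$(comm -23 "$a" "$s"); only_s=$(comm -13 "$a" "$s")
  rm -f "$a" "$s"
  if [ -z "$only_a" ] && [ -z "$only_s" ]; then
    echo "OK: $(count_sa "$1") SAs identical on Active and Standby"; return 0
  fi
  [ -n "$only_a" ] && printf '%s\n' "$only_a" | sed 's/^/only on Active:  /'
  [ -n "$only_s" ] && printf '%s\n' "$only_s" | sed 's/^/only on Standby: /'
  return 1
}

# Constructed sample captures (SPIs reuse the page's example output).
ACTIVE_SA='IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 7)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 5)
198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp (tmm: 6)
Total records returned: 4'
# Standby: same SAs on different tmms, but one inbound SA was never mirrored.
STANDBY_SA='IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 2)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 0)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 1)
Total records returned: 3'

compare_sa "$ACTIVE_SA" "$STANDBY_SA" \
  || echo "Standby lacks SAs: check mirror-ip and 'tmsh show sys ha-mirror'"
```

On a real pair, feed it the two outputs captured from each device; a tmm-only difference reports OK, while a missing SPI is listed as only on one side.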
Check Mirroring¶
If no SAs are being mirrored at all, one reason may be that a mirroring channel has not been set up or is down.
There is no special mirroring requirement for IPsec outside of mirroring being configured and working on each BIG-IP.
# list cm device mirror-ip
cm device bigip1 {
mirror-ip 192.0.2.11
}
cm device bigip2 {
mirror-ip 192.0.2.12
}
A summary of the HA mirror state can be seen with tmsh show sys ha-mirror.
# show sys ha-mirror
------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
------------------------------------------------------------------------------------------------------------------
Traffic Group    TMM    Primary    Secondary  Aborts  Overflows  Errors  Buffered  L4 Mirror  L7 Mirror  L7 Failed
------------------------------------------------------------------------------------------------------------------
traffic-group-1  [0.0]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.1]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.2]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.3]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.4]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.5]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.6]  connected  closed          0          0       0         0          0          0          0
traffic-group-1  [0.7]  connected  closed          0          0       0         0          0          0          0
Counters that may also help HA troubleshooting can be found using the bash command tmctl -i ha_stat.