View High Availability State
Review the High Availability Overview page to see information about what HA does.
Check Tunnel Uses Floating Self IP
Use tmsh list net ipsec ipsec-policy [<policy-name>] tunnel-local-address to check the policy's local address. Then verify that the local address is a floating self IP.
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address
net ipsec ipsec-policy IPSEC-POLICY-1234 {
tunnel-local-address 192.0.2.1
}
If no IP appears for tunnel-local-address, it is likely that the ipsec-policy is configured in "interface" mode, so the correct place to check is the "tunnels" configuration, as follows:
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address
net ipsec ipsec-policy IPSEC-POLICY-1234 {
tunnel-local-address any6
}
# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 mode
net ipsec ipsec-policy IPSEC-POLICY-1234 {
mode interface
}
Use tmsh list net tunnels tunnel [<tunnel-name>] local-address to find the local address.
# tmsh list net tunnels tunnel TUNNEL-1234 local-address
net tunnels tunnel TUNNEL-1234 {
local-address 192.0.2.1
}
Check the Local Address is a Floating Self IP
# tmsh list net self EXTERNAL-SELF address traffic-group
net self EXTERNAL-SELF {
address 192.0.2.1
traffic-group traffic-group-1
}
Normally, if the assigned traffic-group is not "traffic-group-local-only", then the traffic-group and the address are floating.
You can verify the floating state of the traffic-group with the tmsh list cm traffic-group [<traffic-group-name>] is-floating command.
# tmsh list cm traffic-group traffic-group-1 is-floating
cm traffic-group traffic-group-1 {
is-floating true
}
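The two checks above (find the tunnel's local address, then confirm it is a floating self IP) as one script. This is an added example, not code from the F5 page: the tmsh outputs are constructed samples embedded in the script so it runs offline, and the names POLICY_OUT, TUNNEL_OUT, SELF_OUT, TG_OUT, tmsh_attr, tunnel_local_address and self_ip_is_floating are this example's own. The self IP address is compared with any /mask suffix stripped, which is an assumption about how tmsh prints it.

```shell
#!/bin/sh
# Added example, not from the F5 page: work out an IPsec tunnel's local address
# and decide whether it is a floating self IP, following the tmsh objects the
# page lists. To run offline, the tmsh outputs are replaced by constructed text.

# Read one attribute's value out of "tmsh list ..." brace output on stdin.
# Usage: printf '%s\n' "$tmsh_output" | tmsh_attr <attribute-name>
tmsh_attr() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Constructed samples standing in for real "tmsh list" calls.
POLICY_OUT='net ipsec ipsec-policy IPSEC-POLICY-1234 {
    tunnel-local-address any6
    mode interface
}'
TUNNEL_OUT='net tunnels tunnel TUNNEL-1234 {
    local-address 192.0.2.1
}'
SELF_OUT='net self EXTERNAL-SELF {
    address 192.0.2.1
    traffic-group traffic-group-1
}'
TG_OUT='cm traffic-group traffic-group-1 {
    is-floating true
}'

# Step 1: the tunnel's local address. A policy in "interface" mode shows no
# usable address (any6 here), so fall back to the net tunnels object.
tunnel_local_address() {
    policy_out="$1"; tunnel_out="$2"
    addr=$(printf '%s\n' "$policy_out" | tmsh_attr tunnel-local-address)
    mode=$(printf '%s\n' "$policy_out" | tmsh_attr mode)
    case "$addr" in
        ""|any|any6)
            if [ "$mode" = "interface" ]; then
                addr=$(printf '%s\n' "$tunnel_out" | tmsh_attr local-address)
            fi ;;
    esac
    printf '%s\n' "$addr"
}

# Step 2: is that address a floating self IP? "no-match" if the self IP object
# is for a different address; "not-floating" if it sits in
# traffic-group-local-only or its traffic group reports is-floating false.
self_ip_is_floating() {
    want="$1"; self_out="$2"; tg_out="$3"
    have=$(printf '%s\n' "$self_out" | tmsh_attr address)
    have=${have%%/*}   # assumption: drop a /mask suffix if tmsh prints one
    group=$(printf '%s\n' "$self_out" | tmsh_attr traffic-group)
    floating=$(printf '%s\n' "$tg_out" | tmsh_attr is-floating)
    if [ "$have" != "$want" ]; then
        echo "no-match"
    elif [ "$group" = "traffic-group-local-only" ] || [ "$floating" != "true" ]; then
        echo "not-floating"
    else
        echo "floating"
    fi
}

# Tie the steps together. On a real unit each *_OUT comes from tmsh, e.g.
#   tmsh list net self EXTERNAL-SELF address traffic-group
addr=$(tunnel_local_address "$POLICY_OUT" "$TUNNEL_OUT")
echo "tunnel local address $addr: $(self_ip_is_floating "$addr" "$SELF_OUT" "$TG_OUT")"
```

The "not-floating" result covers both ways a tunnel can end up bound to a non-floating address: the self IP being in traffic-group-local-only, and the traffic group itself having is-floating false. Either way a failover would leave the peer talking to an address the new Active unit does not own.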
Check Standby Device Has Security Associations
The output of the commands tmsh show net ipsec ike-sa and tmsh show net ipsec ipsec-sa should be the same on both the Active and Standby BIG-IP.
# tmsh show net ipsec ike-sa
-------------------------
IKE::SecurityAssociations
-------------------------
192.0.2.1/4500 -> 198.51.100.1/4500 v2 ESTABLISHED (tmm: 6)
192.0.2.1/500 -> 203.0.113.1/500 v2 ESTABLISHED (tmm: 5)
Total records returned: 2
# tmsh show net ipsec ipsec-sa
IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 7)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
192.0.2.1 -> 203.0.113.1 SPI(0xb17f87c) out esp (tmm: 3)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 5)
203.0.113.1 -> 192.0.2.1 SPI(0xe6ace8f) in esp (tmm: 5)
198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp (tmm: 6)
Total records returned: 6
In normal use cases, the Active and Standby should return exactly the same information, except in cases where:
An SA operation (create, or delete/expire) was occurring around the same time that the show commands were run.
A BIG-IP administrator used the delete command on the Standby to remove an SA (not a recommended or standard procedure).
The tmm may differ if the SA load migration feature has been enabled by the BIG-IP administrator. This is a rare configuration requirement and is not on by default.
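A script that compares the SA tables captured on the two units, applying the exceptions just listed: the tmm column is ignored (it may differ with SA load migration) and row order is ignored, so only SAs that exist on one unit and not the other are reported. This is an added example, not code from the F5 page; the ACTIVE_SA, STANDBY_SA_OK and STANDBY_SA_MISSING inputs are constructed samples in the same layout as the page's output, and normalize_sa and compare_sa are this example's own names. The same approach works unchanged on tmsh show net ipsec ike-sa output, since those rows also carry the "->" and "(tmm: N)" markers.

```shell
#!/bin/sh
# Added example, not from the F5 page: compare the IPsec SA tables of the
# Active and Standby units. The "(tmm: N)" column is dropped before comparing,
# since it may legitimately differ when SA load migration is enabled, and the
# SA rows are treated as a set, since the two units may list them in a
# different order. Sample outputs are constructed.

ACTIVE_SA='IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 7)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 5)
198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp (tmm: 6)
Total records returned: 4'

# Same SAs on different TMMs and in a different order: counts as in sync.
STANDBY_SA_OK='IPsec::SecurityAssociations
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 2)
198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp (tmm: 6)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 1)
Total records returned: 4'

# One inbound SA absent on the Standby: a mirroring gap worth investigating.
STANDBY_SA_MISSING='IPsec::SecurityAssociations
192.0.2.1 -> 198.51.100.1 SPI(0x7a3ee44) out esp (tmm: 7)
192.0.2.1 -> 203.0.113.1 SPI(0x4812d7a) out esp (tmm: 3)
203.0.113.1 -> 192.0.2.1 SPI(0xff6f51b) in esp (tmm: 5)
Total records returned: 3'

# Keep only SA rows, strip the tmm column, sort for a stable comparison.
normalize_sa() {
    printf '%s\n' "$1" | grep -F -- '->' | sed 's/ *(tmm: [0-9]*)$//' | sort
}

# Print "in sync" (status 0) or the SAs present on only one unit (status 1).
compare_sa() {
    diffs=$( { normalize_sa "$1" | sed 's/^/A /'; normalize_sa "$2" | sed 's/^/B /'; } |
        awk '$1 == "A" { sub(/^A /, ""); a[$0] = 1; next }
                        { sub(/^B /, ""); b[$0] = 1 }
             END { for (k in a) if (!(k in b)) print "active-only: " k
                   for (k in b) if (!(k in a)) print "standby-only: " k }' | sort)
    if [ -z "$diffs" ]; then
        echo "in sync"
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# On real units the two inputs would be captured with
#   tmsh show net ipsec ipsec-sa
# on each BIG-IP; the same works for tmsh show net ipsec ike-sa.
for standby in "$STANDBY_SA_OK" "$STANDBY_SA_MISSING"; do
    if compare_sa "$ACTIVE_SA" "$standby"; then
        echo "-- SA tables match"
    else
        echo "-- SA tables differ"
    fi
done
```

Because an SA create or expiry may be in flight while the two show commands run, a single difference is worth re-checking a few seconds later before treating it as a mirroring fault; a difference that persists, or a Standby table that is empty, points at the mirroring channel checks in the next section.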
Check Mirroring
If no SAs are being mirrored at all, one reason may be that a mirroring channel has not been set up or is down.
There is no special mirroring requirement for IPsec beyond mirroring being configured and working on each BIG-IP.
# list cm device mirror-ip
cm device bigip1 {
mirror-ip 192.0.2.11
}
cm device bigip2 {
mirror-ip 192.0.2.12
}
A summary of the HA mirror state can be seen with tmsh show sys ha-mirror.
# show sys ha-mirror
------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
------------------------------------------------------------------------------------------------------------------
Traffic Group TMM Primary Secondary Aborts Overflows Errors Buffered L4 Mirror L7 Mirror L7 Failed
------------------------------------------------------------------------------------------------------------------
traffic-group-1 [0.0] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.1] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.2] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.3] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.4] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.5] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.6] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.7] connected closed 0 0 0 0 0 0 0
Counters that may also help HA troubleshooting can be found using the bash command tmctl -i ha_stat.
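A script that reads the two outputs from this section (tmsh list cm device mirror-ip and tmsh show sys ha-mirror) and flags the conditions under which no SAs would be mirrored: a device with no mirror-ip, or a TMM whose primary mirror channel is not connected or which is counting aborts, overflows or errors. This is an added example, not code from the F5 page; DEVICES_OUT and MIRROR_OUT are constructed samples with faults planted on bigip2 and on TMMs [0.2] and [0.3], and devices_without_mirror_ip and mirror_problems are this example's own names. That an unset mirror-ip is displayed as any6 is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not from the F5 page: check "tmsh list cm device mirror-ip"
# and "tmsh show sys ha-mirror" output for what would stop SAs from being
# mirrored. Sample outputs are constructed; bigip2's mirror-ip and the
# [0.2]/[0.3] rows are the planted faults.

DEVICES_OUT='cm device bigip1 {
    mirror-ip 192.0.2.11
}
cm device bigip2 {
    mirror-ip any6
}'

MIRROR_OUT='------------------------------------------------------------------------
Sys::HA Mirror Status
------------------------------------------------------------------------
Traffic Group TMM Primary Secondary Aborts Overflows Errors Buffered L4 Mirror L7 Mirror L7 Failed
------------------------------------------------------------------------
traffic-group-1 [0.0] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.1] connected closed 0 0 0 0 0 0 0
traffic-group-1 [0.2] closed closed 0 0 0 0 0 0 0
traffic-group-1 [0.3] connected closed 0 0 3 0 0 0 0'

# Devices whose mirror-ip is unset. Assumption: an unset mirror-ip is shown
# as any6 (or any); the page does not say how an unset value is displayed.
devices_without_mirror_ip() {
    printf '%s\n' "$1" | awk '
        $1 == "cm" && $2 == "device" { dev = $3; ok = 0 }
        $1 == "mirror-ip" && $2 != "any6" && $2 != "any" { ok = 1 }
        $1 == "}" { if (!ok) print dev }'
}

# Per-TMM rows of the ha-mirror table (field 2 looks like [0.3]) that are not
# healthy. Fields: 1 traffic group, 2 TMM, 3 Primary, 4 Secondary, 5 Aborts,
# 6 Overflows, 7 Errors, 8 Buffered, 9 L4 Mirror, 10 L7 Mirror, 11 L7 Failed.
# The header row is skipped because its multi-word column names do not
# line up with the data columns.
mirror_problems() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^\[[0-9]+\.[0-9]+\]$/ {
            if ($3 != "connected")
                printf "%s %s: primary channel %s\n", $1, $2, $3
            if ($5 + $6 + $7 > 0)
                printf "%s %s: aborts=%s overflows=%s errors=%s\n", $1, $2, $5, $6, $7
        }'
}

# Summary. On a real pair, run the two tmsh commands and feed their output in.
echo "devices without a mirror-ip:"
devices_without_mirror_ip "$DEVICES_OUT"
echo "unhealthy mirror channels:"
mirror_problems "$MIRROR_OUT"
```

A primary channel that is not "connected" on every TMM of the traffic group means that TMM's SAs are not reaching the Standby at all, which matches the symptom of an empty or partial ipsec-sa table there; rising abort, overflow or error counters point at a channel that is up but losing mirror messages, and tmctl -i ha_stat gives the finer-grained counters for that case.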