View High Availability State

Review the High Availability Overview page to see information about what HA does.

Check Tunnel Uses Floating Self IP

Use tmsh list net ipsec ipsec-policy [<policy-name>] tunnel-local-address to read the policy's local address, then verify that this address is a floating self IP (the check is described under "Check the Local Address is a Floating Self IP").

# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address

net ipsec ipsec-policy IPSEC-POLICY-1234 {
    tunnel-local-address 192.0.2.1
}

If no IP address appears for tunnel-local-address (the page's example shows the wildcard any6), the ipsec-policy is most likely configured in "interface" mode. Confirm this with the policy's mode attribute, then read the local address from the "tunnels" configuration instead, as follows:

# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 tunnel-local-address

net ipsec ipsec-policy IPSEC-POLICY-1234 {
    tunnel-local-address any6
}

# tmsh list net ipsec ipsec-policy IPSEC-POLICY-1234 mode
net ipsec ipsec-policy IPSEC-POLICY-1234 {
    mode interface
}

Use tmsh list net tunnels tunnel [<tunnel-name>] local-address to find the local address.

# tmsh list net tunnels tunnel TUNNEL-1234 local-address
net tunnels tunnel TUNNEL-1234 {
    local-address 192.0.2.1
}

Check the Local Address is a Floating Self IP

# tmsh list net self EXTERNAL-SELF address traffic-group
net self EXTERNAL-SELF {
    address 192.0.2.1
    traffic-group traffic-group-1
}

Normally, if the assigned traffic-group is anything other than "traffic-group-local-only", the traffic group, and therefore the address, is floating.

Confirm the traffic group's floating state with the tmsh list cm traffic-group [<traffic-group-name>] is-floating command.

# tmsh list cm traffic-group traffic-group-1 is-floating
cm traffic-group traffic-group-1 {
    is-floating true
}
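The steps above can be scripted. The following shell functions are an added example, not part of the original page and not F5 code: they parse the tmsh outputs shown above and decide whether the tunnel's local address sits on a floating self IP. The sample outputs embedded in the script are constructed to match the page's examples; the check_live function shows the same logic against a real BIG-IP and assumes the policy, tunnel, self IP and traffic-group names are passed in as arguments and that tmsh is on the PATH.

```sh
#!/bin/sh
# Added example (not from the original page or F5): decide from "tmsh list"
# output whether an IPsec tunnel's local address is a floating self IP, i.e.
# one that follows the traffic group to the surviving unit on failover.

# Print the value that follows an attribute name in "tmsh list" output.
#   $1 = attribute name, stdin = tmsh list output
tmsh_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Resolve the address the tunnel really uses. In interface mode the policy's
# tunnel-local-address is a wildcard (any6 / any, or absent) and the real
# address lives on the "net tunnels tunnel" object instead.
#   $1 = output of: tmsh list net ipsec ipsec-policy <name> tunnel-local-address
#   $2 = output of: tmsh list net tunnels tunnel <name> local-address
resolve_local_address() {
    addr=$(printf '%s\n' "$1" | tmsh_field tunnel-local-address)
    case "$addr" in
        ''|any|any6) addr=$(printf '%s\n' "$2" | tmsh_field local-address) ;;
    esac
    printf '%s\n' "$addr"
}

# Classify a self IP as "floating", "local-only" or "not-floating".
# Always returns 0 so callers compare the printed text.
#   $1 = output of: tmsh list net self <name> address traffic-group
#   $2 = output of: tmsh list cm traffic-group <tg> is-floating
self_ip_ha_state() {
    tg=$(printf '%s\n' "$1" | tmsh_field traffic-group)
    if [ "$tg" = "traffic-group-local-only" ]; then
        echo local-only
        return 0
    fi
    floating=$(printf '%s\n' "$2" | tmsh_field is-floating)
    if [ "$floating" = "true" ]; then echo floating; else echo not-floating; fi
}

# Constructed sample outputs (interface-mode policy, as in the page's examples).
POLICY_OUT='net ipsec ipsec-policy IPSEC-POLICY-1234 {
    tunnel-local-address any6
}'
TUNNEL_OUT='net tunnels tunnel TUNNEL-1234 {
    local-address 192.0.2.1
}'
SELF_OUT='net self EXTERNAL-SELF {
    address 192.0.2.1
    traffic-group traffic-group-1
}'
TG_OUT='cm traffic-group traffic-group-1 {
    is-floating true
}'

# Run the check against the constructed samples: prints "<address> <state>".
check_sample() {
    addr=$(resolve_local_address "$POLICY_OUT" "$TUNNEL_OUT")
    state=$(self_ip_ha_state "$SELF_OUT" "$TG_OUT")
    printf '%s %s\n' "$addr" "$state"
}

# Same check on a live BIG-IP. Object names are assumed arguments:
#   usage: check_live <policy-name> <tunnel-name> <self-name> <traffic-group>
check_live() {
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found" >&2; return 1; }
    p=$(tmsh list net ipsec ipsec-policy "$1" tunnel-local-address)
    t=$(tmsh list net tunnels tunnel "$2" local-address)
    s=$(tmsh list net self "$3" address traffic-group)
    g=$(tmsh list cm traffic-group "$4" is-floating)
    printf '%s %s\n' "$(resolve_local_address "$p" "$t")" "$(self_ip_ha_state "$s" "$g")"
}

check_sample
```

Against the constructed samples check_sample prints "192.0.2.1 floating"; a result of "local-only" or "not-floating" means the tunnel endpoint will not move on failover and the peer's SAs will be lost.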

Check Standby Device Has Security Associations

The output of tmsh show net ipsec ike-sa and tmsh show net ipsec ipsec-sa should be the same on the Active and Standby BIG-IP.

# tmsh show net ipsec ike-sa
-------------------------
IKE::SecurityAssociations
-------------------------
  192.0.2.1/4500 -> 198.51.100.1/4500  v2  ESTABLISHED  (tmm: 6)
  192.0.2.1/500 -> 203.0.113.1/500  v2  ESTABLISHED  (tmm: 5)
Total records returned: 2

# tmsh show net ipsec ipsec-sa
IPsec::SecurityAssociations
192.0.2.1  ->  198.51.100.1  SPI(0x7a3ee44)  out  esp  (tmm: 7)
192.0.2.1  ->  203.0.113.1  SPI(0x4812d7a)  out  esp  (tmm: 3)
192.0.2.1  ->  203.0.113.1  SPI(0xb17f87c)  out  esp  (tmm: 3)
203.0.113.1  ->  192.0.2.1  SPI(0xff6f51b)  in  esp  (tmm: 5)
203.0.113.1  ->  192.0.2.1  SPI(0xe6ace8f)  in  esp  (tmm: 5)
198.51.100.1  ->  192.0.2.1  SPI(0x61d7673)  in  esp  (tmm: 6)
Total records returned: 6

In normal operation the Active and Standby return exactly the same information, except where:

  1. An SA operation (create or delete/expire) was occurring around the same time that the show commands were run.

  2. A BIG-IP administrator used the delete command on the Standby to remove an SA (not a recommended or standard procedure).

  3. The tmm column may differ if the SA load migration feature has been enabled by the BIG-IP administrator. This is a rare configuration and is not on by default.
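Comparing the two listings by eye is error-prone once a device carries more than a handful of SAs. The script below is an added example, not part of the original page and not F5 code: it normalises the output of tmsh show net ipsec ipsec-sa (or ike-sa) captured on each unit, drops the "(tmm: N)" column so that SA load migration does not register as a mismatch, and prints the SAs present on only one side. The two captures embedded in it are constructed from the page's sample output, with the Standby missing one inbound SA; on real devices save each unit's output to a file and use compare_sa_files.

```sh
#!/bin/sh
# Added example (not from the original page or F5): report SAs that exist on
# only one of the Active/Standby "tmsh show net ipsec ipsec-sa" listings.

# Normalise one listing: keep only SA rows (they contain "->"), drop the tmm
# column and surplus whitespace, and sort so both sides compare line by line.
#   stdin = tmsh show net ipsec ipsec-sa / ike-sa output
normalise_sa() {
    grep -- '->' \
        | sed -e 's/[[:space:]]*(tmm: *[0-9]*)[[:space:]]*$//' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        | sort
}

# Print each SA that is missing on the other side, tagged with where it was seen.
#   $1 = Active capture text, $2 = Standby capture text
compare_sa() {
    act=$(printf '%s\n' "$1" | normalise_sa)
    sby=$(printf '%s\n' "$2" | normalise_sa)
    printf '%s\n' "$act" | while IFS= read -r row; do
        [ -n "$row" ] || continue
        printf '%s\n' "$sby" | grep -qxF -- "$row" || echo "active-only: $row"
    done
    printf '%s\n' "$sby" | while IFS= read -r row; do
        [ -n "$row" ] || continue
        printf '%s\n' "$act" | grep -qxF -- "$row" || echo "standby-only: $row"
    done
}

# Number of mismatched SAs; 0 means both units agree apart from the tmm column.
sa_mismatch_count() {
    compare_sa "$1" "$2" | awk 'END { print NR }'
}

# File-based wrapper for captures saved on each unit, e.g. with
#   tmsh show net ipsec ipsec-sa > /var/tmp/ipsec-sa.$(hostname).txt
compare_sa_files() {
    compare_sa "$(cat "$1")" "$(cat "$2")"
}

# Constructed captures: the Standby lacks the inbound SA from 198.51.100.1 and
# shows the 203.0.113.1 SAs on a different tmm, which must not count.
ACTIVE_SA='IPsec::SecurityAssociations
192.0.2.1  ->  198.51.100.1  SPI(0x7a3ee44)  out  esp  (tmm: 7)
192.0.2.1  ->  203.0.113.1  SPI(0x4812d7a)  out  esp  (tmm: 3)
203.0.113.1  ->  192.0.2.1  SPI(0xff6f51b)  in  esp  (tmm: 5)
198.51.100.1  ->  192.0.2.1  SPI(0x61d7673)  in  esp  (tmm: 6)
Total records returned: 4'
STANDBY_SA='IPsec::SecurityAssociations
192.0.2.1  ->  198.51.100.1  SPI(0x7a3ee44)  out  esp  (tmm: 7)
192.0.2.1  ->  203.0.113.1  SPI(0x4812d7a)  out  esp  (tmm: 1)
203.0.113.1  ->  192.0.2.1  SPI(0xff6f51b)  in  esp  (tmm: 1)
Total records returned: 3'

compare_sa "$ACTIVE_SA" "$STANDBY_SA"
```

On the constructed captures the script prints a single line, active-only: 198.51.100.1 -> 192.0.2.1 SPI(0x61d7673) in esp. Run the captures a second time a few seconds apart before acting on a mismatch, since an SA being created or expiring between the two show commands (case 1 above) produces the same one-sided result.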

Check Mirroring

If no SAs are being mirrored at all, one reason may be that a mirroring channel has not been set up or is down.

There is no IPsec-specific mirroring requirement beyond connection mirroring being configured and working on each BIG-IP.

# tmsh list cm device mirror-ip
cm device bigip1 {
    mirror-ip 192.0.2.11
}
cm device bigip2 {
    mirror-ip 192.0.2.12
}

A summary of the HA mirror state can be seen with tmsh show sys ha-mirror.

# tmsh show sys ha-mirror

------------------------------------------------------------------------------------------------------------------
Sys::HA Mirror Status
------------------------------------------------------------------------------------------------------------------
Traffic Group      TMM    Primary  Secondary  Aborts  Overflows  Errors  Buffered  L4 Mirror  L7 Mirror  L7 Failed
------------------------------------------------------------------------------------------------------------------
traffic-group-1  [0.0]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.1]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.2]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.3]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.4]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.5]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.6]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.7]  connected     closed       0          0       0         0          0          0          0
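With many TMMs the table is easier to scan by script. The following is an added example, not part of the original page and not F5 code: it reads tmsh show sys ha-mirror output and reports every TMM whose primary mirror channel is not connected or whose Aborts, Overflows or Errors counters are non-zero. The table embedded in it is constructed from the page's sample with two TMMs deliberately unhealthy. A "closed" Secondary column is ignored on the assumption that no secondary mirror address is configured; adjust the check if your devices use one.

```sh
#!/bin/sh
# Added example (not from the original page or F5): flag unhealthy rows in
# "tmsh show sys ha-mirror" output.

# Print one line per problem: "<traffic-group> <tmm> <reason>". Data rows are
# recognised by a second field of the form [N.N]; headers and rules are skipped.
# Column order follows the page's table: 3 Primary, 5 Aborts, 6 Overflows,
# 7 Errors.
#   stdin = tmsh show sys ha-mirror output
ha_mirror_problems() {
    awk '$2 ~ /^\[[0-9]+\.[0-9]+\]$/ {
        if ($3 != "connected") print $1, $2, "primary=" $3
        if ($5 + 0 > 0)         print $1, $2, "aborts=" $5
        if ($6 + 0 > 0)         print $1, $2, "overflows=" $6
        if ($7 + 0 > 0)         print $1, $2, "errors=" $7
    }'
}

# Number of problems found; 0 means every TMM's primary channel is connected
# and its abort/overflow/error counters are zero.
#   $1 = tmsh show sys ha-mirror output as text
ha_mirror_problem_count() {
    printf '%s\n' "$1" | ha_mirror_problems | awk 'END { print NR }'
}

# Constructed sample: TMM 0.1 has a closed primary channel and errors,
# TMM 0.2 has aborts, the rest are healthy.
HA_MIRROR_OUT='Sys::HA Mirror Status
------------------------------------------------------------------------------------------------------------------
Traffic Group      TMM    Primary  Secondary  Aborts  Overflows  Errors  Buffered  L4 Mirror  L7 Mirror  L7 Failed
------------------------------------------------------------------------------------------------------------------
traffic-group-1  [0.0]  connected     closed       0          0       0         0          0          0          0
traffic-group-1  [0.1]  closed        closed       0          0       3         0          0          0          0
traffic-group-1  [0.2]  connected     closed       2          0       0         0          0          0          0
traffic-group-1  [0.3]  connected     closed       0          0       0         0          0          0          0'

# On a live unit: tmsh show sys ha-mirror | ha_mirror_problems
printf '%s\n' "$HA_MIRROR_OUT" | ha_mirror_problems
```

On the constructed table this prints three lines (primary=closed and errors=3 for TMM 0.1, aborts=2 for TMM 0.2). A TMM whose primary channel is not connected cannot receive mirrored SAs, so that row is the first thing to chase when the Standby's SA listing is empty.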

Counters that may also help with HA troubleshooting can be read from the bash shell with tmctl -i ha_stat.

See Also

K54622241: Troubleshooting connection mirroring
K21347674: Support for IPsec tunnel failover (High Availability)
