Non-identical HA-group configuration detected-f5-all


Vendor: f5

OS: all

Description:
Indeni will identify when two F5 devices are part of a device group and alert if their HA-group configuration is different.

Remediation Steps:
Make sure that the HA-group configuration is exactly the same in both devices. You may optionally choose to ignore certain differences if they are intended.

How does this work?
This alert logs into the F5 device through SSH and runs the command “tmsh show sys ha-group detail” to extract the HA-group configuration. The configuration pulled is then compared with that of the other members in the cluster. For this alert to work, all members must have identical configuration, including names.

Why is this important?
HA-groups are one of the ways to determine whether an F5 cluster should fail over, by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding, this could trigger a fail-over. To minimize the risk of flapping, an active bonus is highly recommended. Since this configuration is not synchronized, it is ideal for it to be identical in all units of the cluster. Even more so since F5’s recommended way of manually failing over a cluster with HA-groups is to change the weight of the HA-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.

Without Indeni how would you find this?
An administrator could periodically log into the device through the Web Interface and go to “System -> High-availability -> HA-groups”. It is also available by logging into the device through SSH, entering TMSH and executing the command “show sys ha-group detail”.
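
The cross-member comparison described above can be sketched as follows. This is an added example, not Indeni's parser or rule code; the normalized snapshot layout, the device names and the group and member names are assumptions, and the sample data is constructed rather than taken from tmsh output.

```python
# Added example: compare normalized HA-group snapshots from cluster members.
# The snapshot layout below is an assumption, not the format tmsh prints.

def flatten(snapshot):
    """Turn {group: {"active_bonus": n, "members": {name: weight}}} into a
    flat {(group, setting): value} map so every setting is compared by name."""
    flat = {}
    for group, cfg in snapshot.items():
        flat[(group, "(present)")] = True  # catches missing or renamed groups
        flat[(group, "active-bonus")] = cfg.get("active_bonus")
        for member, weight in cfg.get("members", {}).items():
            flat[(group, "member " + member)] = weight
    return flat

def compare_ha_groups(snapshots, ignore=()):
    """Return (group, setting, {device: value}) for each setting that is not
    identical on all devices. A setting absent on a device shows as None.
    'ignore' holds (group, setting) pairs for differences that are intended."""
    flats = {dev: flatten(snap) for dev, snap in snapshots.items()}
    keys = set().union(*flats.values())
    diffs = []
    for key in sorted(keys):
        if key in ignore:
            continue
        values = {dev: flat.get(key) for dev, flat in flats.items()}
        if len(set(values.values())) > 1:
            diffs.append((key[0], key[1], values))
    return diffs

# Constructed sample: the trunk weight on bigip-b was lowered for a manual
# fail-over and never restored.
SAMPLE = {
    "bigip-a": {"ha_group_1": {"active_bonus": 10,
                "members": {"trunk:uplink": 50, "pool:web_pool": 30}}},
    "bigip-b": {"ha_group_1": {"active_bonus": 10,
                "members": {"trunk:uplink": 10, "pool:web_pool": 30}}},
}

if __name__ == "__main__":
    for group, setting, values in compare_ha_groups(SAMPLE):
        print(f"{group} / {setting}: {values}")
```

Because settings are matched by name, a group that is named differently on one member is reported as missing on the other, which is why identical names are required.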

f5-tmsh-show-sys-ha-group-detail

name: f5-tmsh-show-sys-ha-group-detail
description: Extract HA-group data
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    high-availability: 'true'
    shell: bash
comments:
    f5-ha-group:
        why: |
            HA-groups are one of the ways to determine if an F5 cluster should fail over or not by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding this could trigger a fail-over. To minimize the risk of flapping an active bonus is highly recommended. Since this configuration is not synchronized it is ideal for it to be identical in all units of the cluster. Even more so, since F5's recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.
        how: |
            This alert logs into the F5 device through SSH and runs the command "tmsh show sys ha-group detail" in order to extract the ha-group configuration. The configuration pulled is compared with the other members in the cluster. For this alert to work this means that all members must have identical configuration, including names.
        without-indeni: |
            An administrator could periodically log into the device through the Web Interface and go to "System -> High-availability -> HA-groups". It is also available by logging into the device through SSH, entering TMSH and executing the command "show sys ha-group detail".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: tmsh -q show sys ha-group detail
    parse:
        type: AWK
        file: tmsh-show-sys-ha-group-detail.parser.1.awk

f5_ha_group_comparison

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
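/**
  * Template-based rule that compares the "f5-ha-group" metric between the
  * devices of a cluster and alerts when the values are not identical.
  */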
case class f5_ha_group_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "f5_ha_group_comparison",
  ruleFriendlyName = "F5 Devices: Non-identical HA-group configuration detected",
  ruleDescription = "indeni will identify when two F5 devices are part of a device group and alert if the HA-group configuration is different.",
  metricName = "f5-ha-group",
  isArray = true,
  alertDescription = "HA-groups are one of the ways to determine if an F5 cluster should fail over or not by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding this could trigger a fail-over. To minimize the risk of flapping an active bonus is highly recommended. Since this configuration is not synchronized it is ideal for it to be identical in all units of the cluster. Even more so, since F5's recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components do fail.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = """Make sure that the HA-group configuration is exactly the same in both devices. You may optionally choose to ignore certain differences if they are intended.""")()