Non-identical HA-group configuration detected-f5-all
Vendor: f5
OS: all
Description:
Indeni identifies when two F5 devices are part of a device group and alerts if their HA-group configuration differs.
Remediation Steps:
Make sure that the HA-group configuration is exactly the same in both devices. You may optionally choose to ignore certain differences if they are intended.
How does this work?
This alert logs into the F5 device through SSH and runs the command “tmsh show sys ha-group detail” in order to extract the ha-group configuration. The configuration pulled is compared with that of the other members in the cluster. For this alert to work, all members must have identical configuration, including names.
Why is this important?
HA-groups are one of the ways to determine whether an F5 cluster should fail over, by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding, this could trigger a fail-over. To minimize the risk of flapping, an active bonus is highly recommended. Since this configuration is not synchronized, it is ideal for it to be identical in all units of the cluster. This matters even more because F5’s recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.
Without Indeni how would you find this?
An administrator could periodically log into the device through the Web Interface and go to “System -> High-availability -> HA-groups”. It is also available by logging into the device through SSH, entering TMSH and executing the command “show sys ha-group detail”.
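The comparison described under “How does this work?”, including the option to ignore intended differences, as an added example that is not Indeni's rule or code from the original page. The dictionary layout, attribute names and all sample values are assumptions constructed for illustration.

```python
# Added example: compare HA-group settings collected from two cluster peers.
# The "group/member/attribute" keys and all sample values are constructed.

def flatten(groups):
    """Turn {group: {attr: v, "members": {member: {attr: v}}}} into flat path keys."""
    flat = {}
    for gname, g in groups.items():
        for attr, value in g.items():
            if attr != "members":
                flat[f"{gname}/{attr}"] = value
        for mname, m in g.get("members", {}).items():
            for attr, value in m.items():
                flat[f"{gname}/{mname}/{attr}"] = value
    return flat

def compare_ha_groups(local, peer, ignore=()):
    """Return sorted (key, local_value, peer_value) for every setting that differs.
    A key missing on one side is reported as None, which is how a group or
    member that is named differently on the peer shows up."""
    a, b = flatten(local), flatten(peer)
    diffs = []
    for key in sorted(set(a) | set(b)):
        if any(key == pat or key.startswith(pat + "/") for pat in ignore):
            continue  # difference the administrator marked as intended
        if a.get(key) != b.get(key):
            diffs.append((key, a.get(key), b.get(key)))
    return diffs

# Constructed sample data for two peers (not real device output).
BIGIP_A = {"ha_group_1": {"active_bonus": 10, "members": {
    "trunk_external": {"type": "trunk", "weight": 20, "threshold": 1},
    "pool_web": {"type": "pool", "weight": 10, "threshold": 2}}}}
BIGIP_B = {"ha_group_1": {"active_bonus": 10, "members": {
    "trunk_external": {"type": "trunk", "weight": 0, "threshold": 1},  # weight not restored after a manual failover
    "pool_www": {"type": "pool", "weight": 10, "threshold": 2}}}}      # same pool, different name

if __name__ == "__main__":
    for key, a, b in compare_ha_groups(BIGIP_A, BIGIP_B):
        print(f"{key}: local={a} peer={b}")
```

The renamed pool produces six of the seven reported differences, which is why identical names matter for this check.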
f5-tmsh-show-sys-ha-group-detail
name: f5-tmsh-show-sys-ha-group-detail
description: Extract HA-group data
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    high-availability: 'true'
    shell: bash
comments:
    f5-ha-group:
        why: |
            HA-groups are one of the ways to determine if an F5 cluster should fail over or not by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding this could trigger a fail-over. To minimize the risk of flapping an active bonus is highly recommended. Since this configuration is not synchronized it is ideal for it to be identical in all units of the cluster. Even more so, since F5's recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.
        how: |
            This alert logs into the F5 device through SSH and runs the command "tmsh show sys ha-group detail" in order to extract the ha-group configuration. The configuration pulled is compared with the other members in the cluster. For this alert to work this means that all members must have identical configuration, including names.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: tmsh -q show sys ha-group detail
    parse:
        type: AWK
        file: tmsh-show-sys-ha-group-detail.parser.1.awk