Non-identical HA-group configuration detected-f5-False

error
high-availability
false
f5

Vendor: f5

OS: False

Description:
Indeni identifies when two F5 devices are part of a device group and alerts if their HA-group configuration differs.

Remediation Steps:
Make sure that the HA-group configuration is exactly the same in both devices. You may optionally choose to ignore certain differences if they are intended.

How does this work?
This alert logs into the F5 device through SSH and runs the command “tmsh show sys ha-group detail” to extract the ha-group configuration. The extracted configuration is then compared with that of the other members in the cluster. The comparison only passes when all members have identical configuration, including names.

Why is this important?
HA-groups are one of the ways to determine if an F5 cluster should fail over or not, by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding, this could trigger a fail-over. To minimize the risk of flapping, an active bonus is highly recommended. Since this configuration is not synchronized, it is ideal for it to be identical in all units of the cluster. Even more so since F5’s recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.

Without Indeni how would you find this?
An administrator could periodically log into the device through the Web Interface and go to “System -> High-availability -> HA-groups”. The same information is available by logging into the device through SSH, entering TMSH and executing the command “show sys ha-group detail”.
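The manual comparison described above, as an added shell example that is not part of the original page or Indeni's code: it normalises the command output from each unit and prints every setting found on only one of them. The sample output is constructed from the line shapes quoted in the parser comments on this page; the function names are hypothetical, and Percent Up is skipped on the assumption that it is runtime state rather than configuration.

```shell
#!/bin/sh
# Added example, not Indeni code. Sample output is constructed from the line
# shapes quoted in the parser comments on this page.

# stdin: "tmsh -q show sys ha-group detail" output. stdout: one sorted line per
# setting of each enabled ha-group. Percent Up is skipped (assumed runtime state).
ha_normalize() {
    awk '
    /^Sys::HA Group: /               { group = $NF; state = "" }
    /^State[ \t]+/                   { state = $2 }
    /^Active Bonus[ \t]+[0-9]+$/     { if (state == "enabled") print group "|active-bonus=" $NF }
    /\| Sys::HA Group (Trunk|Pool): / {
        kind = ($4 == "Trunk:") ? "trunk" : "pool"
        name = $NF; sub(/.*:/, "", name)
    }
    /\|[ \t]+Threshold[ \t]+[0-9]+$/ { threshold = $NF }
    /\|[ \t]+Weight[ \t]+[0-9]+$/    {
        if (state == "enabled")
            print group "|" kind ":" name "|threshold=" threshold "|weight=" $NF
    }' | sort
}

# Prints every setting present on only one of the two units; empty output = identical.
ha_diff() {
    { ha_normalize < "$1" | sed 's/^/A /'; ha_normalize < "$2" | sed 's/^/B /'; } |
    awk '{ key = substr($0, 3); seen[key] = seen[key] substr($0, 1, 1) }
         END { for (k in seen) if (seen[k] != "AB") print "only on " seen[k] ": " k }' | sort
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/unit-a.txt" <<'EOF'
Sys::HA Group: trunk-health
State         enabled
Active Bonus      10
  | Sys::HA Group Trunk: trunk-health:External
  | Threshold             0
  | Percent Up          100
  | Weight               25
  | Sys::HA Group Trunk: trunk-health:Internal
  | Threshold             0
  | Percent Up          100
  | Weight               25
EOF
# Unit B: External weight left at 0 after a manual failover; one link is also down.
sed -e '7s/25$/0/' -e '6s/100$/50/' "$SAMPLE_DIR/unit-a.txt" > "$SAMPLE_DIR/unit-b.txt"

ha_diff "$SAMPLE_DIR/unit-a.txt" "$SAMPLE_DIR/unit-b.txt"
```

To use it on real units, save the output of "tmsh -q show sys ha-group detail" from each unit to a file and pass the two files to ha_diff.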

f5-tmsh-show-sys-ha-group-detail

#! META
name: f5-tmsh-show-sys-ha-group-detail
description: Extract HA-group data
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    linux-based: "true"
    high-availability: "true"
    shell: "bash"

#! COMMENTS
f5-ha-group:
    why: |
        HA-groups are one of the ways to determine if an F5 cluster should fail over or not, by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding, this could trigger a fail-over. To minimize the risk of flapping, an active bonus is highly recommended. Since this configuration is not synchronized, it is ideal for it to be identical in all units of the cluster. Even more so since F5's recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components fail.
    how: |
        This alert logs into the F5 device through SSH and runs the command "tmsh show sys ha-group detail" in order to extract the ha-group configuration. The configuration pulled is compared with the other members in the cluster. For this alert to work this means that all members must have identical configuration, including names.
    without-indeni: |
        An administrator could periodically log into the device through the Web Interface and go to "System -> High-availability -> HA-groups". The same information is available by logging into the device through SSH, entering TMSH and executing the command "show sys ha-group detail".
    can-with-snmp: false
    can-with-syslog: false
    
#! REMOTE::SSH
tmsh -q show sys ha-group detail

#! PARSER::AWK

BEGIN {
    iHA = 0
}

#Sys::HA Group: trunk-health
/Sys::HA Group: /{
    iPool = 0
    iTrunk = 0
    
    #Save the HA-group name for later use
    haGroupName = $NF
}

#State         disabled
/^State\s+(disabled|enabled)$/{

    state = $2
    
    #If the state is enabled we will go ahead and increase the iterator and set the name
    if(state == "enabled"){
        iHA++
        haGroupArray[iHA, "name"] = haGroupName
    }
}

#Active Bonus      100
/^Active Bonus\s+[0-9]+$/{
    activeBonus = $NF
}

#  | Sys::HA Group Trunk: trunk-health:External
/^\s+\| Sys::HA Group Trunk:/{

    iTrunk++
    
    trunkName = $NF
    
    #  | Sys::HA Group Trunk: trunk-health:External
    sub(/.*:/,"",trunkName)
    
    arrayKey = "Trunk " iTrunk
    arrayValue = "Trunk name: " trunkName

}

#  | Sys::HA Group Pool: trunk-health:
#Match pool members of any ha-group, not only one named "trunk-health"
/^\s+\| Sys::HA Group Pool:/{

    iPool++
    
    poolName = $NF
    sub(/.*:/,"",poolName)
    
    arrayKey = "Pool " iPool
    arrayValue = poolName
    
}

#  | Threshold             0
/\s+\|\s+Threshold\s+[0-9]+$/{
    arrayValue = arrayValue " - Threshold: " $NF
}

#  | Percent Up          100
/\s+\|\s+Percent Up\s+[0-9]+$/{
    arrayValue = arrayValue " - Percent up: " $NF
}

#  | Weight               25
/\s+\|\s+Weight\s+[0-9]+$/{
    
    #There is no need to write disabled ha-groups
    if(state == "enabled"){
        arrayValue = arrayValue " - Weight: " $NF
        haGroupArray[iHA, arrayKey] = arrayValue
        
        #Add the active bonus extracted earlier
        haGroupArray[iHA, "active-bonus"] = activeBonus
    }
}

END{
    writeComplexMetricObjectArray("f5-ha-group", null, haGroupArray)
}

f5_ha_group_comparison

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
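/**
  * Compares the "f5-ha-group" snapshot metric between the members of an F5
  * device group and alerts when the HA-group configuration differs.
  */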
case class f5_ha_group_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "f5_ha_group_comparison",
  ruleFriendlyName = "F5 Devices: Non-identical HA-group configuration detected",
  ruleDescription = "indeni will identify when two F5 devices are part of a device group and alert if the HA-group configuration is different.",
  metricName = "f5-ha-group",
  isArray = true,
  alertDescription = "HA-groups are one of the ways to determine if an F5 cluster should fail over or not by keeping track of trunk health and/or specific pool statuses. Should a link in a trunk fail, or a pool member stop responding this could trigger a fail-over. To minimize the risk of flapping an active bonus is highly recommended. Since this configuration is not synchronized it is ideal for it to be identical in all units of the cluster. Even more so, since F5's recommended way of manually failing over a cluster with ha-groups is to change the weight of the ha-group members. This is easily forgotten once done, which in turn could lead to the system not failing over when components do fail.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = """Make sure that the HA-group configuration is exactly the same in both devices. You may optionally choose to ignore certain differences if they are intended.""")()