January 28, 2018 at 8:54 pm #13632
Old F5 customer here making the switch over to A10 and I am finding either GSLB does not behave as I am accustomed to or I don’t know what I am doing. Probably the latter.
I have set up GSLB using sub zone delegation whereby we have a delegated subzone that forwards requests to my A10 devices. For example:
CNAME called Server.domain.com points to server.LB.domain.com which is really a delegated sub-zone pointing to A10
This query gets forwarded to the A10 device and hits the service server.lb.domain.com for resolution
In the F5 world, with round robin or any other load balancing method, a dig command would return ONE DNS record for a request like this. What I am finding with A10 is that it always sends all DNS records. If I have two SLB VIPs set up for server.lb.domain.com, the A10 device returns both DNS records whether or not one or both are up.
This shouldn’t be for obvious reasons. The two DNS records are one VIP in my primary datacenter and one VIP in my DR datacenter. If an A10 or site is down, I need it to only resolve queries to one datacenter or the other.
What am I doing incorrectly?
January 29, 2018 at 8:49 am #13642
You’ll need to play with the gslb policy to get the results you are looking for. Below is an example that may provide the results you are looking for. I recently tested this on v4.1.1-P7 and the ADC provides a dns response for a single A record for the active site. Should the health-check fail for the active site, the A record for the backup site is returned.
gslb policy GSLB-POLICY
  health-check-preference-enable
  weighted-ip-enable
  no geographic
  no round-robin
  metric-force-check
  metric-fail-break
  metric-order health-check weighted-ip
  dns backup-server
  dns selected-only 1
  dns logging both
  dns server
!
gslb zone gslb.mydomain.com
  policy GSLB-POLICY
  dns-soa-record ns1.mydomain.com admin.mydomain.com expire 604800 refresh 7200 retry 1800 serial 1513807667 ttl 14400
  dns-mx-record mx01.mydomain.com 1
  dns-mx-record mx02.mydomain.com 5
  dns-ns-record ns01.mydomain.com
  dns-ns-record ns02.mydomain.com
  service 80 www
    dns-a-record VIP01-DR as-backup ttl 5
    dns-a-record VIP01-HQ ttl 5 static
!
January 29, 2018 at 10:26 am #13652
Thank you for the feedback.
I looked at the policy like you suggested and figured out that the result I am looking for is controlled by the following settings:
Metric Fail Break (to force it to stop providing responses if everything is down)
Only Keep Active Servers (to force it to only return servers that have good health checks)
Only Keep Selected Servers – Value: 1 (to force it to only return one valid response)
I am enjoying my time with A10 so far but I am definitely finding that F5 had a lot more stuff in place when I first rolled it out. However, it just works differently. A10 has very granular control which is a positive. :)
Next thing on my list is to look at GSLB synchronization and health checking.. I’m sure I’ll have more questions about that. :)
January 29, 2018 at 10:37 am #13662
Great! Look at gslb groups for syncing, this is very simple to set up and use. Health checks are a separate topic on its own, so check the docs. A10 has pretty intricate health checks that can be created. Good Luck!
January 29, 2018 at 11:48 am #13672
Thanks again. I got the sync group set up pretty easily.
Regarding health checking: in the F5 world we had the iQuery framework so that GTM pretty much just monitored the LTM VIPs you had set up, and if the health checks at the LTM level caused the VIP to go down, GTM took note of that and stopped routing to that VIP. Is that pretty much the same way things work in the GSLB world or is GSLB health checking considered an entity unto itself separate from the SLB/ADC realm?
January 29, 2018 at 11:59 am #13682
Yes, you can do exactly the same thing. However, if needed, you can also apply different health monitors to the gslb service-ips as well (which for your scenario would be the slb virtual-servers, but can be any server, anywhere). My comment was just to say that health monitors are not specific to gslb. You can build health-monitors and apply to real servers, service-groups, virtual-servers and gslb service-ips. Check the SLB guide for more information on health monitors.
January 29, 2018 at 12:17 pm #13692
Thank you. You have been a tremendous help.
February 15, 2018 at 11:54 am #13772
Can you confirm if the “as-backup” statement is a replacement for the as-replace? I am running 2.6.1 and don’t have the as-backup option, only as-replace. I would like to confirm if they provide the same behavior.
Btw, thank you for your post, helped me as well.
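A way to check the behaviour discussed in this thread, as an added example that is not part of any post and not A10 tooling: it reads the answer section printed by `dig +noall +answer`, follows the CNAME into the delegated sub-zone, and reports whether one or several A records came back and whether any TTL exceeds the `ttl 5` used in the example config. The VIP addresses, hostnames and sample captures are constructed placeholders.

```python
# Added example; VIP addresses, names and captures are constructed placeholders.
PRIMARY_VIP = "192.0.2.10"    # assumed address of the primary-datacenter VIP
DR_VIP = "198.51.100.10"      # assumed address of the DR-datacenter VIP

def final_a_records(answer_text, qname):
    """Follow any CNAME chain from qname and return [(address, ttl), ...]."""
    cnames, a_recs = {}, {}
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue                      # skip blank, short and comment lines
        name, ttl, _cls, rtype, rdata = fields[:5]
        name = name.rstrip(".").lower()   # DNS names compare case-insensitively
        if rtype == "CNAME":
            cnames[name] = rdata.rstrip(".").lower()
        elif rtype == "A":
            a_recs.setdefault(name, []).append((rdata, int(ttl)))
    name, seen = qname.rstrip(".").lower(), set()
    while name in cnames and name not in seen:   # guard against CNAME loops
        seen.add(name)
        name = cnames[name]
    return a_recs.get(name, [])

def classify(answer_text, qname, max_ttl=5):
    """Return (state, addresses whose TTL exceeds max_ttl) for one response."""
    recs = final_a_records(answer_text, qname)
    addrs = [addr for addr, _ in recs]
    if not addrs:
        state = "no-answer"           # no A record in the answer
    elif len(addrs) > 1:
        state = "multiple-records"    # the symptom from the first post
    else:
        sites = {PRIMARY_VIP: "primary", DR_VIP: "dr-failover"}
        state = sites.get(addrs[0], "unexpected-address")
    slow_ttl = [a for a, ttl in recs if ttl > max_ttl]  # long TTLs delay failover
    return state, slow_ttl

# Constructed sample captures, laid out like `dig +noall +answer` output.
BOTH = """server.domain.com. 300 IN CNAME server.LB.domain.com.
server.lb.domain.com. 5 IN A 192.0.2.10
server.lb.domain.com. 5 IN A 198.51.100.10"""
ONE = """server.domain.com. 300 IN CNAME server.LB.domain.com.
server.lb.domain.com. 5 IN A 198.51.100.10"""

if __name__ == "__main__":
    for label, capture in (("all records returned", BOTH), ("single record", ONE)):
        print(label, classify(capture, "Server.domain.com"))
```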