
patonbike
Oct 02, 2020

Adding a virtual to physical HA pair for ConfigSync

I have 2 physical devices, let's say bigip01 and bigip02. They are in an HA pair with ConfigSync, a traffic group etc. Running version 13.1.3.4.


I am trying to add a 3rd, virtual device called bigip03; this will normally be in a forced offline state, however I would like to keep the configuration from bigip01/02 synced over to bigip03 as backup.


I tried to set up device trust by adding bigip03 to bigip01 under device trust members. It successfully adds bigip03 as a trusted device to bigip01 and bigip02 when I do this, however on bigip03 it only adds bigip01 as a trusted device. bigip02 is not trusted. As a result, I get errors in the logs for attempting to sync that say:


bigip03 err mcpd[6078]: 01071470:3: Disconnecting from CMI device /Common/bigip02.xxxxx.com, the device is not in a trust domain.


Does anyone have any suggestions? I already made the mistake of trying to manually add bigip02 as a trusted device on bigip03. bigip03 and bigip02 then split off and create their own HA pair away from bigip01. Not good!

4 Replies

  • Most HA configurations fail because of communication issues, typically in the misconfigured HA communication settings realm. Common causes include IP address conflicts, HA VLAN misconfiguration, mismatched software versions, and devices/systems not reachable on the network. Have you tried all the troubleshooting tips described in K13946: Troubleshooting ConfigSync and device service clustering issues? If not, I would start there. Also, there's a pretty good video on adding a new device to an existing device group on the F5 YouTube channel here: https://www.youtube.com/watch?v=Auc13Q31qUA Although this is for a Sync-Only device group, the steps are similar.

  • Thanks - the problem I have is that when I go to add bigip03 to bigip01 as a new trusted device, bigip03 does not also get bigip02 as a trusted device. The actions are:


    Device trust -> device trust members -> add device. This appears to work, but the result is that:


    01 has 02 and 03 as trusted devices

    02 has 01 and 03 as trusted devices.

    03 only has 01 as a trusted device, so it will not sync with 02.


    They can all reach one another on the network.


    If I try to sync bigip01 device_trust_group to the group (Awaiting initial sync), it fails.


    Logs in 03 read:

    Disconnecting from CMI device /Common/bigip02.mydomain.com, the device is not in a trust domain.


    How do I add 02 as a trusted device on 03? I have already made the mistake of trying to manually add bigip02 to bigip03 as a trusted device, and it caused an outage. What happened is 02 and 03 formed a pair, and 02 went "active" while 01 was also active! Perhaps if I forced both (02 and 03) offline, I could work it out by modifying the device groups, I am not sure.


    Do I need to manually add trust certificate for 03->02 ?

  • Still looking for help here. When I add a 3rd device to an existing device trust group... the new device only sees one of the 2 existing devices as a trusted device. As a result, syncs are failing.


    There is full network connectivity between the 3 devices.

    How do I get device 3 to trust device 2?

    Device 1 trusts 1+2

    Device 2 trusts 1+3

    Device 3 only trusts 1.


    How do I rectify this?
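The state described in this thread (device 1 trusts 2 and 3, device 2 trusts 1 and 3, but device 3 trusts only 1) is a one-way trust, and the mcpd log line is the symptom of it. Before changing the trust domain on any box, it helps to confirm exactly which pairs are asymmetric from each device's own view. The following Python check is an added example, not code from the thread or from F5: it parses the `ca-devices { ... }` list from per-device trust-domain output and reports every one-way or missing trust relationship. The sample output below is constructed to mirror the poster's situation and only approximates the real `tmsh list cm trust-domain Root` format; the function names are this example's own.

```python
"""Flag one-way device trust across a BIG-IP device trust domain.

Added example (not from the thread or from F5). Assumes you have captured
the trust-domain listing on every device; the text in SAMPLE_OUTPUT is
constructed and only approximates real tmsh output.
"""
from __future__ import annotations

import re
from itertools import permutations

# Matches the ca-devices block, e.g. "ca-devices { /Common/a /Common/b }".
CA_DEVICES_RE = re.compile(r"ca-devices\s*\{([^}]*)\}")


def parse_ca_devices(tmsh_output: str) -> set[str]:
    """Return the short device names listed under ca-devices."""
    match = CA_DEVICES_RE.search(tmsh_output)
    if not match:
        return set()
    # Strip the /Common/ partition prefix so names compare cleanly.
    return {name.rsplit("/", 1)[-1] for name in match.group(1).split()}


def load_trust(outputs: dict[str, str]) -> dict[str, set[str]]:
    """Map each device to the set of devices it lists as trusted."""
    return {device: parse_ca_devices(text) for device, text in outputs.items()}


def find_asymmetric_trust(trust: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (a, b) pairs where a trusts b but b does not trust a."""
    return sorted(
        (a, b)
        for a, b in permutations(trust, 2)
        if b in trust[a] and a not in trust[b]
    )


def find_missing_trust(trust: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (a, b) pairs where a does not list b at all (full mesh expected)."""
    return sorted(
        (a, b)
        for a, b in permutations(trust, 2)
        if b not in trust[a]
    )


# Constructed sample: the poster's three devices as each one sees the trust domain.
SAMPLE_OUTPUT = {
    "bigip01": "cm trust-domain Root {\n"
               "    ca-devices { /Common/bigip01 /Common/bigip02 /Common/bigip03 }\n"
               "    trust-group /Common/device_trust_group\n}",
    "bigip02": "cm trust-domain Root {\n"
               "    ca-devices { /Common/bigip01 /Common/bigip02 /Common/bigip03 }\n"
               "    trust-group /Common/device_trust_group\n}",
    "bigip03": "cm trust-domain Root {\n"
               "    ca-devices { /Common/bigip01 /Common/bigip03 }\n"
               "    trust-group /Common/device_trust_group\n}",
}


def report(outputs: dict[str, str]) -> list[tuple[str, str]]:
    """Print and return the devices whose trust list is incomplete."""
    trust = load_trust(outputs)
    for a, b in find_asymmetric_trust(trust):
        print(f"one-way trust: {a} trusts {b}, but {b} does not trust {a}")
    missing = find_missing_trust(trust)
    for a, b in missing:
        print(f"missing: {a} does not list {b} in ca-devices")
    return missing


if __name__ == "__main__":
    report(SAMPLE_OUTPUT)
```

Run against the constructed sample, the check reports that bigip02 trusts bigip03 without the reverse, and that bigip03 is the only device with an incomplete list. That matches the log line on bigip03 ("Disconnecting from CMI device .../bigip02 ..., the device is not in a trust domain") and tells you which device's trust domain needs attention, rather than guessing and forming a second pair by accident as happened in the thread.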