Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Check1t_282465's avatar
Check1t_282465
Icon for Nimbostratus rankNimbostratus
May 14, 2018

Any Reasons NOT to use automatic with incremental synchronization sync type

Situation: Have an active and standby pair on 5200 boxes/13.1 release. ~ 300 VIP on LTM, 20 APM policies, 50 ASM policies. Several of ASM policies with policy building in automatic mode. We have au...
application delivery
big-ip
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
May 14, 2018

The biggest issue with auto-sync is that the device that receives config changes does not write the changes to disk - the change only exists in memory in MCPD. This is a deliberate design decision to prevent the BigIP spending all it's time writing config changes to disk as a number of small changes are made on the peer.

 

K14624: Configuring the Automatic Sync feature to save the configuration on the remote devices

 

This can lead to a situation where the configuration can be lost if the system where changes are made (and saved) fails, and then the peer restarts or reloads the config from disk without saving.

 

You can enable save-on-auto-sync but this introduces risks with very large configs.

 

If you are using ASM Policy Builder, then the ASM sync group should be set to automatic.

 

You have to make a choice about your LTM sync groups, based on the size of the configuration, the frequency of changes, and your own management policies.

 

Some people with auto-sync enabled use a cron task to ensure that a

 

tmsh save /sys config

 

is run at a regular interval (I'd suggest no more than hourly, as opposed to daily).