Forum Discussion
ASM policy synchronising as 'not configured'
Hi, I have two guests running on two 5200V boxes. The two guests are running ASM, LTM, Analytics modules. The two guests synchronise the LTM configuration without a problem but when I create an ASM policy it appears on the second guest as unconfigured. If I then configure the ASM policy on the second device the ASM policy on the first device then becomes 'unconfigured'. Does anyone have any idea what could be the cause of this? I've tried removing all ASM policies and starting again but I get the same result.
Cheers
9 Replies
- neil_t_66364
Nimbostratus
I forgot to mention the ASMs are set up to sync configs.
- gsharri
Altostratus
Just to be clear, you have set up a sync-failover device group to sync the LTM config and you have also enabled the separate ASM sync setting to use the same device group as the LTMs? Correct?
- neil_t_66364
Nimbostratus
Hi Scott, yes, both are configured. The LTM and ASM used to sync, but now the LTM syncs and the ASM copies the policy over to the second box but requires the configuration wizard to run to complete the configuration. If I run the wizard, the primary then shows the sync issue and requires the wizard to run, so the two ASMs are never synchronised.
- gsharri
Altostratus
Neil, the only time I have seen this behavior is when the ASM sync setting is not configured but the BIG-IPs are in a sync-failover device group together. In that scenario the security policy object shell (for lack of a better term) will sync but the settings inside the security policies do not. Have you tried disabling ASM sync, deleting all security policies on one of the ASMs and then re-enabling ASM sync? Also, what version are you running?
- neil_t_66364
Nimbostratus
I've de-sync'd them and even uninstalled/reinstalled ASM on both devices and I'm still getting the same issue. I should note that at the moment there is no traffic on the VIP associated with the single ASM policy and the policy has Application language set to auto detect so is it possible that the policy on the second device is in this state because the application language has not yet been discovered? I have just created a policy with the Application language set and this appears to resolve the issue. Once we have traffic across the virtual servers I'll update this stream on whether the policies have automatically completed their configuration.
- gsharri
Altostratus
Yes you are most likely correct. If the app language is unknown then no learning will take place so in a sense the security policy is not configured yet.
- gsharri
Altostratus
For what it's worth: I tested this quickly on an HA pair LTM/ASM, v11.6.0 using a security policy built with the automatic Policy Builder and auto-detect language and did not see any "configure" messages on the standby unit. Even though there was traffic flowing on the VS/security policy no learning took place until the application language had been set.
- neil_t_66364
Nimbostratus
Thanks for your comments Scott, they've been very helpful. I have another question if you're up for it. Have a search on my posted questions, it's regarding ASM sync across primary and DR sites. I have seen issues like this before, even with set language. The solution seemed to be a full sync with overwrite, but it remains a little unstable for my taste.