Forum Discussion
Hawary
Altostratus
AltostratusASM Sync Between 2 Data Centers
Hi Folks, Any one tried to sync ASM configuration between 2 data centers successfully? my current scenario is, i have HA pair (active/passive) in data center A and another HA pair (active/passive) i...
Hi Hawary ,
I got from you this Scenario:
I have Tested it in my Lab and it worked...First you must have a connectivity between all BIGIPs.
Procedures:
Assume we have ( Device 1,2 in DC_A & Devices 3,4 in DC_B )- Reset device Trust for all devices.( because all devices must be under same trust domain , and in your current deployment now you have a trust domain in DC_A and another one in DC_B , so you must Reset it.)
- Build Trust Relationship :
- open BIGIP 1 >>> ( add Devices ( 2,3,4) in the Trust like this:
- open BIGIP 1 >>> ( add Devices ( 2,3,4) in the Trust like this:
- Go to Device Management >> Devices Tab >>> and review The ( Config sync , Failover ) for each device or configure them properly for each device ( For example you need to add a config-sync IP that can be reached from all BIGIPs to be able to do SYNC )
- After That, deploy your current scenario >> Go to Device Groups TAB and Configure the below :
- In Device 1 " which is in DC_A "
- Configure a Device Group ( SYNC-Failover ) type , Manual sync with incremental.
- Move just only Devices (1,2) from available box to includes box like this:
-
- In Device 3 " which is in DC_B"
- Configure a Device Group ( SYNC-Failover ) type , Manual sync with incremental.
- Move just only Devices (3,4) from available box to includes box like this:
-
- In Device 1 " which is in DC_A "
- Now, you returned and Kept your current scenario ( 2 Datacenters , each one has an HA pair ( Active/Standby ) ) Test your config Sync between pairs >> it should Work as expected, so that's fine till now , in the next step the new configs which you want to implement.
- Return to Device 1 and configure the below:
- Configure new Device Group ( open Device management >> Device groups tab >> Click Create )
- This Traffic Group will only be related to ASM Configs synchronizations, so configure it as follows:
- Give a name , Type : Sync-only , Manual with Full Sync "you will change it to automatic after making the initial sync manually" , add all of the 4 devices >> move them from available to includes.
- Go to ( Security Tab >> options >> Application Security > Synchronization > and choose the previous/newly device group that related to ASM Sync only, like that:
- Go to overview (Device management >> Overview ) tab and make the initial sync manually.
- After That, Return back to Device groups TAB and then open the ASM Device group policy , and change it from manually to automatic Sync with incremental if you want that, you can leave it manual if you require to do the manual sync with each change in ASM policies, so the ASM Device group will be like this:
>> Now, you are done and you have the following :
- HA pair ( Active/Standby ) in DC_A & HA pair ( Active/Standby ) in DC_B
- you can now Sync only ASM Policies Updates from DC_A to DC_B and visa-versa ( Manually sync or Automatic Sync ) if you wish.
I have Tested it with all scenarios and it worked with me.
Please Test it and let me know your comments.Good luck 😉
Hi Hawary ,
I got from you this Scenario:
I have Tested it in my Lab and it worked...
First you must have a connectivity between all BIGIPs.
Procedures:
Assume we have ( Device 1,2 in DC_A & Devices 3,4 in DC_B )
- Reset device Trust for all devices.( because all devices must be under same trust domain , and in your current deployment now you have a trust domain in DC_A and another one in DC_B , so you must Reset it.)
- Build Trust Relationship :
- open BIGIP 1 >>> ( add Devices ( 2,3,4) in the Trust like this:
- open BIGIP 1 >>> ( add Devices ( 2,3,4) in the Trust like this:
- Go to Device Management >> Devices Tab >>> and review The ( Config sync , Failover ) for each device or configure them properly for each device ( For example you need to add a config-sync IP that can be reached from all BIGIPs to be able to do SYNC )
- After That, deploy your current scenario >> Go to Device Groups TAB and Configure the below :
- In Device 1 " which is in DC_A "
- Configure a Device Group ( SYNC-Failover ) type , Manual sync with incremental.
- Move just only Devices (1,2) from available box to includes box like this:
-
- In Device 3 " which is in DC_B"
- Configure a Device Group ( SYNC-Failover ) type , Manual sync with incremental.
- Move just only Devices (3,4) from available box to includes box like this:
-
- In Device 1 " which is in DC_A "
- Now, you returned and Kept your current scenario ( 2 Datacenters , each one has an HA pair ( Active/Standby ) ) Test your config Sync between pairs >> it should Work as expected, so that's fine till now , in the next step the new configs which you want to implement.
- Return to Device 1 and configure the below:
- Configure new Device Group ( open Device management >> Device groups tab >> Click Create )
- This Traffic Group will only be related to ASM Configs synchronizations, so configure it as follows:
- Give a name , Type : Sync-only , Manual with Full Sync "you will change it to automatic after making the initial sync manually" , add all of the 4 devices >> move them from available to includes.
- Go to ( Security Tab >> options >> Application Security > Synchronization > and choose the previous/newly device group that related to ASM Sync only, like that:
- Go to overview (Device management >> Overview ) tab and make the initial sync manually.
- After That, Return back to Device groups TAB and then open the ASM Device group policy , and change it from manually to automatic Sync with incremental if you want that, you can leave it manual if you require to do the manual sync with each change in ASM policies, so the ASM Device group will be like this:
>> Now, you are done and you have the following :
- HA pair ( Active/Standby ) in DC_A & HA pair ( Active/Standby ) in DC_B
- you can now Sync only ASM Policies Updates from DC_A to DC_B and visa-versa ( Manually sync or Automatic Sync ) if you wish.
I have Tested it with all scenarios and it worked with me.
Please Test it and let me know your comments.
Good luck 😉
HawaryAltostratus
AltostratusHi Mohamed,
Thank you for your reply. actually i tried it but still not working,
- first when i reset the device Trust for all devices , all devices become active standalone.
- i added devices 2,3 and 4 to the first device, but still i see it as not trusted with first device, it showing as disconnected (specially for 3 and 4), i tried to sync between the devices but still not connected . Also, when trying to access Device Management ›› Overview, it takes sometime to open and after sometime it is disconnect and i have to refresh the page to connect again. Kindly check the snapshot:
- then i configured HA between first and second devices, and it showing good as the HA.
- i tried to add device 4 to device 3 to do the HA, it gives an error that this device already associated with a trust domain
so, if possible to test it again with the same scenario as i have here which is , i have HA pair in site 1 and HA pair in site 2 and need to do the ASM sync.
thank you so much for your help Mohamed.
Hi Hawary,
I deployed the same scenario.
Try to Reset the Trust again for all devices from each one and choose this option:Then configure the Trust relationship for between all devices ( From Device 1 and add Devices 2,3,4 ).
This step is crucial.
You have to break all old trust
I will keep my eyes on this thread to see if it worked with you or not , so feel free to reach out.- Hawary
Hi Mohamed,
thank you for your concern. Actually that what i did, i selected "Generate New Self-Signed Authority" but same issue. i changed the DC2 devices to be in same VLAN as DC1 (ConfigSync IPs for all the device are in same VLAN) and it worked fine, so i guess it is a problem of my Lab's network which not allowing the traffic between the 2 VLANs in DC1 and DC2. i already spoked with my network admin and will check for the communication between the VLANs, an will keep you updated.
again thank you for your concern.
Hi Hawary ,
Good News,
Okay I will be keeping my attention here until it works with you.
You're most welcome, it is an interesting deployment really, I learnt new deployment :)