Forum Discussion
ASM Sync Between 2 Data Centers
- Sep 14, 2024
Hi Hawary,
I got this scenario from you:
I have tested it in my lab and it worked... First, you must have connectivity between all BIG-IPs.
Procedures:
Assume we have (Devices 1 and 2 in DC_A & Devices 3 and 4 in DC_B). Reset the device trust for all devices (because all devices must be under the same trust domain; in your current deployment you have one trust domain in DC_A and another one in DC_B, so you must reset it).
- Build the trust relationship:
- Open BIG-IP 1 >>> add Devices (2, 3, 4) to the trust like this:
- Go to Device Management >> Devices tab, and review the (Config Sync, Failover) settings for each device, or configure them properly for each device (for example, you need to add a config-sync IP that can be reached from all BIG-IPs to be able to sync).
- After that, deploy your current scenario >> go to the Device Groups tab and configure the below:
- In Device 1 (which is in DC_A):
- Configure a Device Group of type Sync-Failover, Manual Sync with Incremental.
- Move only Devices (1, 2) from the Available box to the Includes box like this:
- In Device 3 (which is in DC_B):
- Configure a Device Group of type Sync-Failover, Manual Sync with Incremental.
- Move only Devices (3, 4) from the Available box to the Includes box like this:
- In Device 1 (which is in DC_A):
- Now you have returned to and kept your current scenario (2 datacenters, each one with an HA pair (Active/Standby)). Test your config sync between the pairs >> it should work as expected, so that's fine till now. In the next step come the new configs which you want to implement.
- Return to Device 1 and configure the below:
- Configure a new Device Group (open Device Management >> Device Groups tab >> click Create).
- This Traffic Group will only be related to ASM config synchronization, so configure it as follows:
- Give it a name, Type: Sync-Only, Manual with Full Sync (you will change it to Automatic after making the initial sync manually), and add all 4 devices >> move them from Available to Includes.
- Go to Security tab >> Options >> Application Security >> Synchronization, and choose the previously created (new) device group that is related to ASM sync only, like this:
- Go to the Overview tab (Device Management >> Overview) and make the initial sync manually.
- After that, return to the Device Groups tab, open the ASM device group policy, and change it from Manual to Automatic Sync with Incremental if you want; you can leave it Manual if you require a manual sync with each change in ASM policies. The ASM device group will then look like this:
>> Now you are done and you have the following:
- HA pair (Active/Standby) in DC_A & HA pair (Active/Standby) in DC_B
- You can now sync only ASM policy updates from DC_A to DC_B and vice versa (manual sync or automatic sync), as you wish.
I have tested it with all scenarios and it worked for me.
Please test it and let me know your comments. Good luck 😉
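As an added example that is not from this thread or from F5, the tmsh equivalent of the GUI steps in the post above; the device names (bigip1, bigip2 in DC_A; bigip3, bigip4 in DC_B), the config-sync address and the device-group names are placeholders, and the device trust reset and the ASM synchronization setting are left to the GUI steps described in the post.

```tmsh
# Added example, not part of the thread. Names and addresses are placeholders.
# Prerequisites (as in the post): all four devices share one device trust rebuilt
# from BIG-IP 1, and TCP 4353 is open between the config-sync addresses.

# On each device (bigip1 .. bigip4, with its own name and address):
# a config-sync address reachable from all four BIG-IPs.
modify cm device bigip1 configsync-ip 192.0.2.11

# On bigip1 (DC_A): Sync-Failover group for the DC_A pair, manual with incremental.
create cm device-group dg_dc_a type sync-failover devices add { bigip1 bigip2 } auto-sync disabled full-load-on-sync false

# On bigip3 (DC_B): Sync-Failover group for the DC_B pair, manual with incremental.
create cm device-group dg_dc_b type sync-failover devices add { bigip3 bigip4 } auto-sync disabled full-load-on-sync false

# Test the per-DC sync before continuing (run on bigip1 and bigip3 respectively).
run cm config-sync to-group dg_dc_a
run cm config-sync to-group dg_dc_b

# On bigip1: Sync-Only group with all four devices, used for ASM policies only.
# Manual with full sync for the initial push, as the post describes.
create cm device-group dg_asm type sync-only devices add { bigip1 bigip2 bigip3 bigip4 } auto-sync disabled full-load-on-sync true

# Select dg_asm under Security >> Options >> Application Security >> Synchronization
# in the GUI (as in the post), then push the initial sync from bigip1.
run cm config-sync to-group dg_asm

# Optional, as in the post: switch the ASM group to automatic with incremental sync.
modify cm device-group dg_asm auto-sync enabled full-load-on-sync false

# Verify group membership and sync status on any device.
list cm device-group dg_asm
show cm sync-status
```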
Hi Mohamed,
When choosing the Local Address to use for ConfigSync, can I use a separate subnet between DC A and DC B? For example, in DC A, I use subnet 192.168.1.0/24, and in DC B, I use subnet 192.168.2.0/24 to ensure these addresses are reachable via routing. The firewall policy just needs to allow port 4353, right?
Hi Kyr,
So you configure HA but with different subnets. Look, I haven't tried this approach before, but the most important thing is to validate that there is reachability between the HA pair (two devices).
Yes, allow this port 4353 over TCP.