Forum Discussion
- Anjuli_Lam (Employee)
AskF5 recently published an article related to this topic:
- Andy_McGrath (Cumulonimbus)
You have two different sync configurations on F5 DNS:
- F5 DNS sync group, where DNS and BIND configuration can be synced between all F5 DNS members of the group. Look under DNS >> Settings >> GSLB >> General (Configuration Synchronization), where you can set the group name and what to synchronize.
- https://support.f5.com/csp/article/K13734
- https://support.f5.com/csp/article/K13690
- F5 Device Group and HA are used more for LTM and other modules that need to fail over; this will sync LTM-based configuration and will work Active/Standby for each Traffic Group configured. I recommend you do not do this for F5 DNS/GTM, as it is better to have all devices Active, and failover is not required because DNS is already a fault-tolerant protocol.
- Paul_Hoyland (Nimbostratus)
Settings >> GSLB >> General does give me some information but doesn't tell me whether WIPs are synchronized and Listeners are not (for example). Is there any documentation that does give me that detail?
- Andy_McGrath (Cumulonimbus)
Tried to find something but nothing substantial; the best way to look at it is:
- Anything that is written to the configuration file `bigip_gtm.conf` will be synced between devices in the same F5 DNS sync group.
- Anything written to the internal BIND DNS server zone files will be synced if you have enabled zone file synchronization.
Configuration around listeners, DNS pools etc. is actually LTM configuration, which is why it doesn't sync.
- patonbike (Cirrus)
I have turned on settings -> gslb -> general "Configuration Synchronization" and "Synchronize DNS Zone Files" and I am not seeing the bind zones replicate after initial import (which does synchronize). There are no errors. Any ideas on what to check?
- merlin87 (Altocumulus)
I would check that you have the same Sync Group Name specified on each GTM and also you would need to run the gtm_add command from bash once from each GTM you are pulling into the GTM Mesh, to get them to swap certs and build the iQuery connections.
Sync Group: DNS > Settings > GSLB > Group Name
https://support.f5.com/csp/article/K13312
Checking the sync connection with iQuery from the bash prompt and checking in /var/gtm should give you an idea as to what the issue may be.
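A small checker, added here as an example (not code from this thread or from F5), that applies the advice above: it parses `tmsh list gtm global-settings general` output captured from each DNS device and reports a sync-group name mismatch or a device with configuration or zone-file sync switched off. The device names and the sample tmsh output are constructed; the three setting names are assumed to match the tmsh keys on your version.

```python
import re

# Constructed sample of `tmsh list gtm global-settings general` output from
# two hypothetical F5 DNS devices; device B is deliberately misconfigured
# (different group name, zone-file sync off) so the checker has findings.
SAMPLE_OUTPUTS = {
    "gtm-a.example.net": """gtm global-settings general {
    synchronization yes
    synchronization-group-name dns-mesh
    synchronize-zone-files yes
}""",
    "gtm-b.example.net": """gtm global-settings general {
    synchronization yes
    synchronization-group-name default
    synchronize-zone-files no
}""",
}

# Settings that must hold on every member for GTM config and BIND zone sync.
REQUIRED = {"synchronization": "yes", "synchronize-zone-files": "yes"}


def parse_general_settings(text):
    """Return a dict of the `key value` pairs found inside the tmsh braces."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([\w-]+)\s+(\S+)\s*$", line)  # indented "key value"
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_sync_group(outputs):
    """Compare sync settings across devices; return a list of finding strings.

    `outputs` maps a device name to the raw tmsh output captured on it.
    """
    findings = []
    parsed = {dev: parse_general_settings(txt) for dev, txt in outputs.items()}
    for dev, cfg in parsed.items():
        for key, wanted in REQUIRED.items():
            if cfg.get(key) != wanted:
                findings.append(f"{dev}: {key} is {cfg.get(key, 'unset')}, expected {wanted}")
    groups = {dev: cfg.get("synchronization-group-name") for dev, cfg in parsed.items()}
    if len(set(groups.values())) > 1:  # every member must use the same group name
        findings.append("sync group name mismatch: "
                        + ", ".join(f"{d}={g}" for d, g in sorted(groups.items())))
    return findings


if __name__ == "__main__":
    for finding in check_sync_group(SAMPLE_OUTPUTS) or ["all devices consistent"]:
        print(finding)
```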
- patonbike (Cirrus)
It doesn't seem to like the BIG-IP generated certificate of the peer. For example, iqdump 127.0.0.1 works on either of the 2 units; however, iqdump my.peer.ip.here yields:
47935202178032:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1134:
However, when I go to System ›› Device Certificates : Trusted Device Certificates ›› Trusted Device Certificates, both certs from both BIGIPs are listed on both bigips. So they should trust one another's certs. Seems like we're missing a spot where the cert needs to be trusted.