Forum Discussion
BIGIP DNS - What configuration gets replicated by Sync group
I have turned on settings -> gslb -> general "Configuration Synchronization" and "Synchronize DNS Zone Files" and I am not seeing the bind zones replicate after initial import (which does synchronize). There are no errors. Any ideas on what to check?
I would check that you have the same Sync Group Name specified on each GTM, and you would also need to run the gtm_add command from bash once from each GTM you are pulling into the GTM mesh, to get them to swap certs and build the iQuery connections.
Sync Group: DNS > Settings > GSLB > Group Name
https://support.f5.com/csp/article/K13312
Checking the sync connection with iQuery from the bash prompt and checking in /var/gtm should give you an idea as to what the issue may be.
- patonbike, Oct 04, 2019 (Cirrus)
It doesn't seem to like the BIGIP generated certificate of the peer. For example iqdump 127.0.0.1 works on either of the 2 units, however iqdump my.peer.ip.here yields :
47935202178032:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1134:
However, when I go to System ›› Device Certificates : Trusted Device Certificates ›› Trusted Device Certificates, both certs from both BIGIPs are listed on both bigips. So they should trust one another's certs. Seems like we're missing a spot where the cert needs to be trusted.
- patonbike, Oct 04, 2019 (Cirrus)
OK, I was missing the device cert for one of the units under gslb -> servers -> server certs. For some reason, on one unit it automatically added Self + Peer; on the other unit it only added Self.
That fixed iQuery. Then I had also not configured a data center and servers under gslb -> servers -> server list. Everything seems to be working now.
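The checks suggested in the reply above (matching sync group name, iQuery reachability via iqdump, the gtm log) and the root cause in the last post (one unit's GSLB trusted server certificate bundle holding only its own cert) folded into one script. This is an added example, not code from the thread or from F5. The tmsh command and its output format, the file paths /config/gtm/server.crt (which I take to back DNS > GSLB > Servers > Trusted Server Certificates), /config/big3d/client.crt (which I take to back the System Trusted Device Certificates page) and /var/log/gtm, and the iqdump behaviour are assumptions from memory of BIG-IP 13 to 15; check them on your version. The inputs used offline (a tmsh listing, a PEM bundle, the OpenSSL error quoted above) are constructed.

```shell
#!/bin/sh
# Added example for this thread (not F5 code): offline helpers for iqdump
# output, tmsh output and PEM bundles, plus a live check to run as root on
# one BIG-IP DNS unit at a time. Command names, tmsh output format and file
# paths are assumptions from memory; verify them on your version.

# Pull the sync group name out of the output of
#   tmsh list gtm global-settings general synchronization-group-name
# so the two units' values can be compared mechanically instead of by eye.
parse_sync_group_name() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*synchronization-group-name[[:space:]]\{1,\}\(.*\)$/\1/p'
}

# Count PEM certificates in a bundle read on stdin. /config/gtm/server.crt
# should hold one cert per mesh member on every unit; the thread's root cause
# was a unit whose bundle held only its own cert.
count_bundle_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Map captured "iqdump <peer>" output to a failure class. The certificate
# pattern is the OpenSSL error quoted in the thread; the others are plain
# connect() failures. Anything else is assumed to be a working dump.
classify_iqdump_output() {
    case "$1" in
        "")                                   echo "EMPTY" ;;
        *"certificate verify failed"*)        echo "CERT_TRUST" ;;
        *"Connection refused"*|*"No route to host"*|*"timed out"*)
                                              echo "NETWORK" ;;
        *)                                    echo "OK" ;;
    esac
}

run_live_checks() {
    peer="$1"
    echo "== sync group on this unit =="
    parse_sync_group_name "$(tmsh list gtm global-settings general synchronization-group-name)"
    echo "== certs in /config/gtm/server.crt (GSLB trusted server certs) =="
    count_bundle_certs < /config/gtm/server.crt
    echo "== certs in /config/big3d/client.crt (trusted device certs) =="
    count_bundle_certs < /config/big3d/client.crt
    echo "== iqdump $peer (first lines) =="
    # A healthy iqdump streams indefinitely, so cap it; merge stderr to catch
    # the TLS error, which OpenSSL prints there.
    out=$(timeout 5 iqdump "$peer" 2>&1 | head -c 4000 || true)
    printf '%s\n' "$out" | head -n 5
    echo "classification: $(classify_iqdump_output "$out")"
    echo "== last lines of /var/log/gtm =="
    tail -n 20 /var/log/gtm
}

# Only touch the live system when a peer address is supplied, e.g.
#   GTM_PEER=10.0.0.2 sh gtm_mesh_check.sh
if [ -n "${GTM_PEER:-}" ]; then
    run_live_checks "$GTM_PEER"
fi
```

Run it on each unit in turn with GTM_PEER set to the other unit's self IP, then compare the group name and the two cert counts across the units. A CERT_TRUST result alongside a /config/gtm/server.crt count that is lower on one unit than the other is exactly the asymmetry the last post describes, and re-running gtm_add from the unit that is short a cert is the fix the reply above recommends.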