For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Paul_Hoyland's avatar
Paul_Hoyland
Icon for Nimbostratus rankNimbostratus
May 21, 2019

BIGIP DNS - What configuration get replicated by Sync group

Can anyone point me at some resources that explain what is replicated among devices by configuration sync on BIG-IP DNS? It seems that things like listeners and DNS profiles aren't synced so just wan...
application delivery
BIG-IP DNS
operations
sync
merlin87's avatar
merlin87
Icon for Altocumulus rankAltocumulus
Oct 04, 2019

I would check that you have the same Sync Group Name specified on each GTM and also you would need to run the gtm_add command from bash once from each GTM you are pulling into the GTM Mesh, to get them to swap certs and build the iQuery connections.

 

Sync Group: DNS > Settings > GSLB > Group Name

 

https://support.f5.com/csp/article/K13312

 

Checking the sync connection with iQuery from the bash prompt and checking in /var/gtm should give you an idea as to what the issue may be.

 

https://support.f5.com/csp/article/K13690

patonbike's avatar
patonbike
Icon for Cirrus rankCirrus
Oct 04, 2019

It doesn't seem to like the BIGIP generated certificate of the peer. For example iqdump 127.0.0.1 works on either of the 2 units, however iqdump my.peer.ip.here yields :

 

47935202178032:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1134:

 

However, when I go to System ›› Device Certificates : Trusted Device Certificates ›› Trusted Device Certificates, both certs from both BIGIPs are listed on both bigips. So they should trust one another's certs. Seems like we're missing a spot where the cert needs to be trusted.