BIGIP v13 - AFM is not synchronised between Sync members
Dear F5 Ph.D
I am facing a sync issue when creating a rule in AFM. We have two BIGIP and everything is synchronised (LTM, APM, GTM etc.) and working as expected, except the FW rules created in a given Policy.
So suppose I have on LB01 an AFM rule created in a policy (F5-DUMB-POLICY) and bound to the Global Context; if I commit the rule, I expect to see this rule on LB02. Unfortunately this is not the case.
Any advice?
- Alexis_Gruet_22
Nimbostratus
I forgot to mention, if I create a rule list and add some rules to it from a given sync member (suppose LB02), the rule list will be synced to LB01.
So the problem is only on the Policy itself, meaning the rule list appears on the left side panel but not inside the Policy, and by the way is not committed across the sync members.
- Tikka_Nagi_1315
Historic F5 Account
Hi Maverick,
Please review the output of
You may want to open a support case for this if not resolved by above suggestions.
~Tikka
- Alexis_Gruet_22
Nimbostratus
Hi Tikka,
This is what I saw from the tmsh command:
    cm cmi-sync-status {
        color green
        details.0.details lb02.ktws.io: connected
        details.1.details device-group-failover-a53a1405e5cc (In Sync): All devices in the device group are in sync
        details.2.details device_trust_group (In Sync): All devices in the device group are in sync
        mode high-availability
        status In Sync
        summary All devices in the device group are in sync
    }
Regarding the KB link you mentioned, I did not see any occurrences of "Peer Time Out.." nor "time exceeds" under /var/log/ltm
Any chance to look somewhere else? Otherwise I will raise a case.
- Tikka_Nagi_1315
Historic F5 Account
Hi Maverick, Since Stanislas asked in the comment if this policy is applied to a self-ip, I would like to point out that:
"For HA pairs, policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers."
If that's not the issue, please open a support ticket for this and provide a qkview from both devices.
~Tikka
- Stanislas_Piro2
Cumulonimbus
Hi,
Did you enable the policy on a self IP?
If a policy is assigned to a self IP, this policy will not be synchronized.
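
A check for the case both replies raise, as an added example that is not part of the original thread: it parses text in the style of `tmsh list net self all-properties` and reports self IPs that are non-floating and have an AFM policy attached. The sample output is constructed, and the property names `fw-enforced-policy`, `fw-staged-policy` and the `traffic-group-local-only` traffic group are assumptions about what that listing contains on the device.

```python
import re

# Constructed sample in the style of `tmsh list net self all-properties`
# (trimmed to the relevant properties); object names and addresses are made up.
SAMPLE = """\
net self /Common/self-internal-lb01 {
    address 10.0.10.11/24
    fw-enforced-policy /Common/F5-DUMB-POLICY
    traffic-group /Common/traffic-group-local-only
}
net self /Common/self-internal-float {
    address 10.0.10.10/24
    fw-enforced-policy /Common/F5-DUMB-POLICY
    traffic-group /Common/traffic-group-1
}
net self /Common/self-ha {
    address 192.0.2.1/30
    fw-enforced-policy none
    traffic-group /Common/traffic-group-local-only
}
"""

# One stanza: header line, body, then a closing brace in column 0.
BLOCK = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)

def parse_self_ips(text):
    """Return {self_ip_name: {property: value}} for each `net self` stanza."""
    result = {}
    for name, body in BLOCK.findall(text):
        props = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                props[parts[0]] = parts[1].strip()
        result[name] = props
    return result

def unsynced_policy_bindings(text):
    """Non-floating self IPs that carry an enforced or staged AFM policy."""
    hits = []
    for name, p in parse_self_ips(text).items():
        local_only = p.get("traffic-group", "").endswith("traffic-group-local-only")
        for key in ("fw-enforced-policy", "fw-staged-policy"):
            policy = p.get(key, "none")
            if local_only and policy != "none":
                hits.append((name, key, policy))
    return hits
```

Running the same function over the listing from each sync member and comparing the results shows which policy bindings exist on one device only.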