Forum Discussion
Certificate issues getting a cluster established
Forgive me for my ignorance as I'm brand new to F5...
I'm trying to set up a simple two-node failover cluster and I'm having nothing but problems. Here is my general process that I'm following:
- Create the HA VLAN and self IP
- Configure the ConfigSync to use the HA self IP
- Configure Failover to use the HA self IP and management IP
- Go to the Peer Trust and add the second device via its management IP
When I add the second device into the peer trust, the first sees its serial number and MAC address and such. But the second device never sees the information for the first. I can manually add it, but they both see each other as disconnected. Turning up the logging I see SSL handshake failures for port 4353.
I've tried this both on the 10200v-FIPS appliances with 11.4.1 and on the trial of the virtual edition 11.3.0. They both exhibit the same behavior.
This looks like it should be such a simple process from looking at the documentation and YouTube videos, but I'm getting nowhere. Have any of you seen this type of behavior? I am certain I have connectivity between the two.
Thanks,
Ben
12 Replies
- benmgood36
Nimbostratus
Just to be clear, I have done this with the setup utility also where you have the internal, external VLANs with the floating IPs. It doesn't make any difference. I get the same behavior.
- Brad_Parker
Cirrus
I would recommend opening a support ticket. Probably related to the FIPS module.
- ben_good_187922
Nimbostratus
I do have a support ticket open, but I'm unable to use WebEx so I'm not getting very far with it. I find it very odd that I have the same problem using the virtual edition, though. It makes me wonder if there's some step I'm missing.
- BinaryCanary_19
Historic F5 Account
After you add the peer as trusted, you also need to Create a Sync-Failover device group, and add both devices to it.
Make sure that the Failover checkbox is ticked on the device group.
- benmgood36
Nimbostratus
If you proceed to creating the failover group, only the first device will get it. If you create it on both, both devices show the other as disconnected.
- BinaryCanary_19
Historic F5 Account
Add both devices to a single group on one device, and then synchronize.
- BinaryCanary_19
Historic F5 Account
Concentrate on only one device. Once both are trusted and in the same device group, then you synchronize the changes to the other device.
If it still shows as disconnected, then very likely you have no IP addresses specified in Network failover for one or more of the devices, or the ports are locked down, or network failover is not enabled on the device group.
- benmgood36
Nimbostratus
It seems like the trust is the issue and I can't get it to the point where they would ever sync the failover group. I immediately get errors in the LTM log about the device_trust_group being inconsistent as soon as I add one to the other's peer trust. The IPs are all in place and I used the Allow All on the HA self IP. The setup utility looks like it performs this in the order you're saying to do where it sets up the peer trust and failover all on one device, but I get the same behavior there. The second device never sees the failover group and only shows the hostname of the first device and never learns the rest of its details like the serial number, MAC, and so on.
- nathe
Cirrocumulus
What happens if you telnet from one of the BIG-IPs to the other one on port 4353? i.e. telnet
- nathe
Cirrocumulus
Is NTP configured and the dates/times the same on both boxes?
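The two checks nathe raises above (a TCP connect to port 4353, which is also where the thread's TLS handshake failures were logged, and whether the clocks agree via NTP) collected into a small preflight script; this is an added example, not F5's or the thread's own code, and runs from any host with Python 3 that can reach the peer. The peer address, the NTP server and the 60-second skew limit are assumptions; the NTP decoding follows the standard 48-byte packet layout.

```python
"""Device-trust preflight: TCP 4353 reachability, a TLS handshake to the
peer, and local clock offset from NTP. Hypothetical helper, not an F5 tool."""
import socket
import ssl
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def tcp_reachable(host, port=4353, timeout=3.0):
    """Same check as 'telnet <peer> 4353': does a TCP connection complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(host, port=4353, timeout=3.0):
    """Try a TLS handshake without verifying the peer certificate. Returns
    (ok, detail): the negotiated version on success, else the error text,
    the same class of failure the LTM log reports for port 4353."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)


def ntp_transmit_time(packet):
    """Decode the transmit timestamp (bytes 40-47) of a 48-byte NTP reply
    into Unix seconds as a float."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def clock_offset(ntp_server, timeout=3.0):
    """Seconds the local clock is ahead (+) or behind (-) the NTP server."""
    query = b"\x1b" + 47 * b"\x00"  # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ntp_server, 123))
        reply, _ = sock.recvfrom(48)
    return time.time() - ntp_transmit_time(reply)


def skew_is_acceptable(offset_seconds, limit=60.0):
    """60 s is an assumed limit for this check, not an F5 figure."""
    return abs(offset_seconds) <= limit
```

Run it from the first device's side against the second device's management IP (`tcp_reachable(peer)`, `tls_handshake(peer)`) and against the NTP server both boxes are configured to use (`skew_is_acceptable(clock_offset(server))`); a failed handshake here reproduces the port 4353 error without digging through the LTM log.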
- benmgood36
Nimbostratus
So I've rebuilt the boxes from a thumb drive and started from a clean slate because I had so many issues during the first go-round. I also reinitialized the FIPS modules, which took two attempts on each device for some reason. Anyway, the devices do seem to be working just fine now.
Thanks for the assistance.