Forum Discussion
ConfigSync issue in BIG-IP 1600 v11.3 HF5
Hi, we are facing issues while trying a config sync between the nodes of the BIG-IP. We get the following error in the GUI:
One or more devices are unreachable. Resolve any communication problems before attempting to sync.
We checked the /var/log/ltm messages and we could see the following error:
Dec 6 14:54:21 LB1-KDDTS1FARMCLSFR1 info tmm[8159]: CMI peer 10.10.40.2 certificate rejected, error 19: self signed certificate in certificate chain
Can you please help us in solving this issue?
- Richard__HarlanHistoric F5 Account
Sounds like a device trust issue. I would contact support. You can also look over the following solution and check the device trust status.
http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html?sr=33711178verifying%20dsc
- Ulf_126730Nimbostratus
I ran into the same problem, but it looks more like a bug, which is described here: http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html?sr=33711178
The workaround does not work for me and I saw the problem also with 11.5.0 ...
- fubarSUSHIAltocumulus
I realize that you may have figured this out already, but in case someone looks at this thread... I would recommend going to the CLI of each box and performing a "ntpq -p" command.
Ensure that NTP is synced between both boxes. Otherwise, you will not be able to sync them together.
- artur_barczewskNimbostratus
Hi, running 11.5.1 3.0.131 and having the same issue with error 19. A reset of device trust and Generate New Self Signing Authority under "Device Trust" solved it. Sync came up. Solved at least for me. Artur Barczewski
- RhysM_NZ_169268Nimbostratus
Artur's suggestion worked for me as well. I regenerated certs on both boxes and sync happened immediately.
- Phoenix_109783Nimbostratus
This workaround worked for me, version 11.6.0 HF5:
1. Made the secondary devices offline.
2. Removed all peers from the primary, and verified that on the secondary devices peers are not set = all devices came to standalone.
3. Reset domain trust on all devices and chose to generate a new self-signed certificate.
4. Generated a new certificate on each machine with a common name similar to the host name of the machine.
5. Added all peers to the primary machine.
6. Added them to an HA group and synced.
Levon.
- kaneshd_139008Nimbostratus
I have to add this worked for me too.
I was trying to go from a production pair of 1500 LTMs running 10.2.4 to a pair of lab 1600s running the same version of code, upgrade the lab boxes to 11.5.1 HF10 and move the config via UCS file to a pair of 2000 LTMs.
Restoring the UCS for 11.5.1 HF10 on the primary 2000 LTM worked, but did not for the secondary. I got an error about a certificate not being present in the "trash-bin". F5 support tried to assist, but we did not make much headway.
I resorted to editing the secondary device's SCF file so it had only the network configuration. I then tried adding it to the trust group. This did not work until I set the standby/secondary LTM to offline. I tried all the steps above independently before seeing this suggestion. Without the secondary being offline the primary and secondary would "see" each other, but give me reachability errors when trying to sync. Ping between the devices was fine, and they were connected back to back, so I knew it wasn't a switch configuration issue.
The secondary was visible and "syncable" once it was forced offline before being added to the group. I now have a working HA pair.
Hope this helps someone. If you know why there's a requirement to force the device offline before adding it to the trust group then please let me know!
- alex100_194614Nimbostratus
This gives me flashbacks from v11.6 hf4. Yep.... Resetting the trust fixes the problem. It's been much better since hf6. No issues of this kind at all.
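Added example, not written by anyone in this thread and not F5 code: a small triage script that groups the "CMI peer ... certificate rejected" lines from /var/log/ltm by peer and error code, so a trust-chain rejection (error 19, as in the original post) can be told apart from a validity-window rejection that would point at clocks. It assumes the numeric code is an OpenSSL X.509 verify error code; the regex is built from the one log line quoted above, and all sample lines other than that one are constructed.

```python
import re
from collections import defaultdict
# Assumption: the numeric code in the tmm message is an OpenSSL X.509 verify
# error code (the text shown for 19 matches OpenSSL's string for that code).
TRUST = "trust chain: peer's signing CA is not trusted locally (device trust)"
CLOCK = "validity window: compare clocks (ntpq -p) and certificate dates"
VERIFY_HINTS = {
    9: CLOCK,    # certificate is not yet valid
    10: CLOCK,   # certificate has expired
    18: TRUST,   # self-signed leaf certificate
    19: TRUST,   # self-signed certificate in certificate chain
    20: TRUST,   # unable to get local issuer certificate
    21: TRUST,   # unable to verify the first certificate
}

# Pattern derived from the single log line quoted in the thread.
CMI_REJECT = re.compile(
    r"tmm\d*\[\d+\]: CMI peer (?P<peer>\S+) certificate rejected, "
    r"error (?P<code>\d+): (?P<text>.*)$"
)

def summarize_cmi_rejections(lines):
    """Return {peer: {code: {"count", "text", "hint"}}} for CMI rejections."""
    summary = defaultdict(dict)
    for line in lines:
        m = CMI_REJECT.search(line.rstrip("\n"))
        if not m:
            continue  # not a CMI certificate rejection
        code = int(m["code"])
        entry = summary[m["peer"]].setdefault(code, {
            "count": 0,
            "text": m["text"],
            "hint": VERIFY_HINTS.get(code, "unclassified verify error"),
        })
        entry["count"] += 1
    return dict(summary)

# Constructed sample: the first line is the one from the thread; the others
# are made up in the same shape to exercise the classifier.
SAMPLE_LOG = """\
Dec 6 14:54:21 LB1-KDDTS1FARMCLSFR1 info tmm[8159]: CMI peer 10.10.40.2 certificate rejected, error 19: self signed certificate in certificate chain
Dec 6 14:54:51 LB1-KDDTS1FARMCLSFR1 info tmm[8159]: CMI peer 10.10.40.2 certificate rejected, error 19: self signed certificate in certificate chain
Dec 6 14:55:02 LB1-KDDTS1FARMCLSFR1 info tmm[8159]: CMI peer 10.10.40.3 certificate rejected, error 9: certificate is not yet valid
Dec 6 14:55:10 LB1-KDDTS1FARMCLSFR1 notice mcpd[5000]: unrelated message
""".splitlines()

if __name__ == "__main__":
    for peer, codes in summarize_cmi_rejections(SAMPLE_LOG).items():
        print(peer, {c: (e["count"], e["hint"]) for c, e in codes.items()})
```

To use it on a device export, pass the lines of a copied /var/log/ltm file to `summarize_cmi_rejections` instead of `SAMPLE_LOG`.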