Forum Discussion

vysakh_139287's avatar
vysakh_139287
Icon for Nimbostratus rankNimbostratus
Dec 06, 2013

ConfigSync issue in BIG-IP 1600 v11.3 HF5

Hi, We are facing issues while trying a config sync between the nodes of the BIG-IP. We get the following error in the Gui

One or more devices are unreachable. Resolve any communication problems before attempting to sync.

    We checked the /var/log/ltm messages and we could see the following error 

Dec 6 14:54:21 LB1-KDDTS1FARMCLSFR1 info tmm[8159]: CMI peer 10.10.40.2 certificate rejected, error 19: self signed certificate in certificate chain

    Can you please help us in solving this issue ?
  • Richard__Harlan's avatar
    Richard__Harlan
    Historic F5 Account

    Sounds like a Device trust issue I would contact support you can also look over the following solution and check the device trust status.

     

    http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html?sr=33711178verifying%20dsc

     

  • I ran into the same Problem but looks more like a bug which is described here: http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html?sr=33711178

     

    The workaround does not work for me and I saw the problem also with 11.5.0 ...

     

  • I realize that you may have figured this out all ready but in case someone looks at this thread... I would recommend going to the cli of each box and performing a "ntpq -p" command.

     

    Insure that NTP is synced between both boxes. Otherwise, you will not be able to sync them together.

     

    • artur_barczewsk's avatar
      artur_barczewsk
      Icon for Nimbostratus rankNimbostratus
      hi running 11.5.1 3.0.131 and having same issue with error 19 a reset device trust and Generate New Self Signing Authority under "Device Trust" solved it. Sync came up. solved at least for me.. Artur Barczewski
  • I realize that you may have figured this out all ready but in case someone looks at this thread... I would recommend going to the cli of each box and performing a "ntpq -p" command.

     

    Insure that NTP is synced between both boxes. Otherwise, you will not be able to sync them together.

     

    • artur_barczewsk's avatar
      artur_barczewsk
      Icon for Nimbostratus rankNimbostratus
      hi running 11.5.1 3.0.131 and having same issue with error 19 a reset device trust and Generate New Self Signing Authority under "Device Trust" solved it. Sync came up. solved at least for me.. Artur Barczewski
  • Artur's suggestion worked for me as well. I regenerated certs on both boxes and sync happened immediately.

     

  • This workaround worked for me , version 11.6.0 HF5 1. Made offline secondary devices 2. removed all peers from primary , and verified that on secondary devices peers are not set = all devices came to standalone 3. reset domain trust on all devices and choose generate a new-self-signed certificate 4. Generate new certificate on each machine with a common name similar to a host name of a machine 5. added all peers to a primary machine 6. added them to a HA group and sync.

     

    Levon.

     

    • kaneshd_139008's avatar
      kaneshd_139008
      Icon for Nimbostratus rankNimbostratus

      I have to add this worked for me too.

       

      I was trying to go from a production pair of 1500 LTMs running 10.2.4 to a pair of lab 1600s running the same version of code, upgrade the lab boxes to 11.5.1 HF10 and move the config via UCS file to a pair of 2000 LTMs.

       

      Restoring the UCS for 11.5.1 HF10 on the primary 2000 LTM worked, but did not for the secondary. I got an error about a certificate not being present in the "trash-bin". F5 support tried to assist, but we did not make much headway.

       

      I resorted to editing the secondary device's SCF file so it had only the network configuration. I then tried adding it to the trust group. This did not work until I set the standby/secondary LTM to offline. I tried all the steps above independently before seeing this suggestion. Without the secondary being offline the primary and secondary would "see" each other, but give me reachability errors when trying to sync. Ping between the devices was fine, and they were connected back to back, so I knew it wasn't a switch configuration issue.

       

      The secondary was visible and "syncable" once it was forced offline before being added to the group. I now have a working HA pair.

       

      Hope this helps someone. If you know why there's a requirement to force the device offline before adding it to the trust group then please let me know!

       

    • alex100_194614's avatar
      alex100_194614
      Icon for Nimbostratus rankNimbostratus

      This gives me flash backs from v11.6 hf4. Yep.... Resetting the trust fixes the problem. It's been much better since hf6. No issues of this kind at all.