Forum Discussion
Device Group using public NAT
Hello,
I need to setup a sync-only Device Group to synchronize the GTM configuration.
My devices are located in two different AWS regions. AWS works using NAT, so the BIG-IPs have private addressing; these addresses are then mapped to AWS public IPs (EC2 Elastic IPs).
I set up device trust under 'Device Management > Device Trust > Peer List'.
I used the public (NAT) IP to retrieve the peer certificate and it works. The devices are happy with the certificates and the group is formed, however in 'Device Management > Overview' the peer appliance shows as 'Disconnected'.
Using tcpdump I can see the appliances are trying to connect to the private IPs of each peer; obviously this will not work because the communication needs to happen over the public IPs.
I tried using iptables to do a DNAT but no luck.
Any advice will be very welcome.
Many thanks,
6 Replies
- Andy_McGrath
Cumulonimbus
If you want GTM to sync you don't need to use device groups, but you do need to set up a GTM sync group:
http://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-implementations-11-4-0/3.html
When you configure one GTM, set up each GTM as a GSLB server and configure the translation address as the private IP and the address as the public IP, then do a gtm_add on the other GTM devices to the first one's public IP.
- Brad_Parker
Cirrus
Are you trying to sync DNS Express zones?
- VictorCreed_192
Nimbostratus
Thanks Guys,
I was following this guide http://tinyurl.com/pjwuplh which, under the section "Adding GTM to a GTM synchronization group", indicated to run gtm_add and then create a Device Trust.
So I've removed the device trust now.
In my first appliance under GSLB > Servers > Server List I can see both GTMs showing in green. So the gtm_add script worked OK.
In my second appliance I can see that the information has synchronised under "Zones > ZoneRunner > Zone List", which is good.
But only the zone information has synchronised. I was expecting the data centers, GSLB servers and GSLB pools information to sync as well. Is my assumption correct, or do I need to create these manually on the second GTM?
FYI: I'm not using DNSSEC.
Thanks again for the help,
- Andy_McGrath
Cumulonimbus
Check the sync settings under System > Configuration > Global Traffic > General and ensure both Zone and GSLB Synchronization are checked.
- VictorCreed_192
Nimbostratus
I only have Local Traffic under 'System > Configuration'.
Under 'DNS > Settings > GSLB > General > Configuration Synchronization' I have enabled Synchronize and Synchronize DNS Zone Files on both appliances.
So the DNS Zone Files have synchronized, but not the Data Centers and Servers.
- VictorCreed_192
Nimbostratus
So finally I got it working; I had to delete all the configuration and start again.
I ran the gtm_add script first and then started by adding the servers, then the other components, at each step making sure each component synced to the other GTM.
However, I had to add the virtual servers manually as the auto-discovery didn't work. To add the virtual servers I used this format: /Common/my_vs_server. It seems to work because if the virtual server goes down the associated GSLB pool goes down as well.
The following troubleshooting guide confirms that the virtual server auto-discovery does not support NAT: https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14106.html
"Confirm that the BIG-IP virtual servers do not use address translation. Auto-discovery is unavailable for virtual servers using translated IP addresses. Before troubleshooting auto-discovery issues, confirm that the BIG-IP virtual servers do not use address translation. For example, if the target BIG-IP virtual server IP addresses reside in a private network space, as defined by RFC1918, and are mapped to public IP addresses that are defined on a network device such as a firewall, the BIG-IP DNS system will silently disable the auto-discovery feature for the BIG-IP system."
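The two points that resolved this thread (Andy_McGrath's advice to define each GTM as a GSLB server with the private IP as the translation address and the public IP as the address, and the KB text above saying auto-discovery is silently disabled whenever a virtual server's address is RFC 1918 space behind NAT) can be turned into a pre-flight check. The following is an added example, not code from the thread or from F5: it models GSLB server entries as plain records, applies the RFC 1918 rule the KB describes, and reports which devices will need their virtual servers added by hand in the /Common/<vs_name> form used above. The `GslbServer` class, its field names and the sample addresses (RFC 5737 documentation ranges) are constructed for the example and do not correspond to any F5 API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 private ranges, the address space the F5 KB text refers to.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class GslbServer:
    """One GSLB server entry as an operator would define it on a GTM.

    address     -- the address peers connect to (public / Elastic IP in AWS)
    translation -- the private, pre-NAT address the device itself listens on,
                   or None when no NAT sits in the path
    (hypothetical record for this example, not an F5 object)
    """
    name: str
    address: str
    translation: Optional[str] = None


def is_rfc1918(ip: str) -> bool:
    """True for IPv4 addresses inside one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def uses_address_translation(server: GslbServer) -> bool:
    """A server is behind NAT if a translation address is configured that
    differs from the public address, or if the address itself is RFC 1918
    space (which the KB assumes is mapped to a public IP elsewhere)."""
    if server.translation and server.translation != server.address:
        return True
    return is_rfc1918(server.address)


def auto_discovery_available(server: GslbServer) -> bool:
    # Per the KB: auto-discovery is silently disabled for translated addresses.
    return not uses_address_translation(server)


def audit(servers: List[GslbServer]) -> Dict[str, str]:
    """Map each server name to the action the operator has to take."""
    findings: Dict[str, str] = {}
    for s in servers:
        if auto_discovery_available(s):
            findings[s.name] = "auto-discovery OK"
        else:
            findings[s.name] = (
                "NAT detected: virtual server auto-discovery will be silently "
                "disabled; define virtual servers manually as /Common/<vs_name>"
            )
    return findings


# Constructed sample: two GTMs in different AWS regions behind Elastic IPs and
# one device with a directly routable address. RFC 5737 documentation ranges
# stand in for public IPs; none of these are real hosts.
SAMPLE_SERVERS = [
    GslbServer("gtm-us-east", address="203.0.113.10", translation="10.0.1.10"),
    GslbServer("gtm-eu-west", address="198.51.100.20", translation="172.16.5.20"),
    GslbServer("gtm-onprem", address="192.0.2.30"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVERS).items():
        print(f"{name}: {finding}")
```

Running the audit before relying on auto-discovery tells you up front which GSLB servers will come up with empty virtual server lists, so the manual `/Common/<vs_name>` entries can be planned rather than discovered after the pools fail to populate.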