Forum Discussion
Device Trust issues after v11 upgrade
I have been upgrading my 6900 estate to v11 and the latest problem for me is Device Trust.
On the other HA pairs I have upgraded I have had varying degrees of success:
1) First pair did not form device trust relationship, but after deleting and recreating I managed to resolve the issue.
2) Second pair formed device trust relationship with no errors.
3) Would not form device trust.
So for 3) the initial problem was that device trust was not formed.
error message in log =
The requested device group (/Common/device_trust_group) was not found.
I deleted the device group and ensured all mention of peer was removed.
I then tried to add peer back in – Device Management/Peer List/Add – and received the following message:
getDeviceInfo failed: get_local_device: Unknown method "{urn:iControl:Management/Device}:get_local_device"
I tried various times and also confirmed userid/password were valid. I rebooted the newly upgraded device and tried again – still same issue.
I tried to create device trust from the command line and received exactly the same error.
Command = tmsh modify /cm trust-domain /Common/Root ca-device add { 172.31.31.31 } name device.domain.com username xxxxxx password yyyyyy
NTP was configured on both devices.
No other error messages in log.
Has anyone seen this before?
Many thanks in advance.
11 Replies
- kunjan_118660
Cumulonimbus
You may want to try this:
touch /service/mcpd/forceload
http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html?sr=36679609
- LyonsG_85618
Cirrostratus
Thanks. As per text below I have a change up to test v11 tomorrow. Will see what happens on 2nd attempt.
- Steve_M__153836
Nimbostratus
There is one more piece to the trust that you may or may not have completed. I've had v11 pairs where it was required and where it wasn't. I had to export the device certificate from each device and import them on the other device in the pair. You have to go to System>Device Certificates>Trusted Device Certificates and import the certificate from the other device in the pair. I think best practice is to do this before building any other part of the device trust so you probably should completely disassemble your device trust before doing this. I don't think it would hurt if you didn't though....
Sorry to waste your time if you've already done this.
- Interesting! I've upgraded many v10's and never encountered this solution. Establishing trust should be enough to exchange certificates. Will keep this in mind. :)
- Steve_M__153836
Nimbostratus
Patrik, I agree. Most times I've not had to take these steps, but it's happened just enough times I thought it would be worth sharing (only in v11 though; and usually when upgrading minor versions, i.e. 11.2.x > 11.3.x).
- LyonsG_85618
Cirrostratus
Thanks Steve. I haven't tried this but have a change up to test implementation again tomorrow so will try the certificate thing. I'll post my findings back on Wednesday.
- JG
Cumulonimbus
Which version of the BIG-IP did you upgrade from?