For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Herman2024's avatar
Herman2024
Icon for Cirrostratus rankCirrostratus
Sep 17, 2024

dns config is not sync to standby f5 for HA cluster

Hi , I have setup a HA cluster big-ip, the virtual server will be automatically created on standby unit, but any config under DNS is not sync to standby unit. Is it normal ? I am new to f5, anyone pl...
announcement
application delivery
Herman2024's avatar
Herman2024
Icon for Cirrostratus rankCirrostratus
Sep 19, 2024

Thanks Martin  for your kind advice! The problem is when I tried to add a new gtm to "Sync group" , the local config isn't replaced by remote config. I have to manually add both existing DNS with the server  and new DNS with the server onto each other's machine, then can syncronized. 

Following are what I did., but the dns config was not copied to new DNS box from existing DNS box. Please advise, thanks. 

  1. the existing dns box is configured with server -- DC A , server A, auto-discover virtual servers, sync is enabled with snyc-group name "Test-sync-group"
  2. a new dns is setup with DC B, server B, auto-discover virtual servers
  3. enable sync on new DNS and set the sync group name to "Test-sync-group" 
  4. Add new DC B and server B onto the existing DNS box
  5. login to new DNS box via CLI, run the command "tmsh run gtm gtm_add <ip-existing DNS self-ip>, but the response message is "Existing" 
  6. the existing DNS config (DC name, server name ) is not copied to new DNS box , the port lock down of the self IP on both box are set to "Allow all". and run netstat -na | grep 4353 , the communication between both boxes are "Established" on port 4353. 

 

 

welinton_trigueiro's avatar
welinton_trigueiro
Icon for Cirrus rankCirrus
Nov 01, 2024

Check the logs in /var/log/gtm for SSL errors; it’s possible that the BIGIP-DNS systems are not communicating.

Validate that after executing the bigip_add command, the certificates were copied between the BIGIP-DNS systems. These certificates are used for authentication and the correct functioning of big3d and iquery.

Check on both BIGIP-DNS systems to ensure the certificates were replaced and are in their respective paths: /config/big3d/client.crt and /config/gtm/server.crt. Inside the .crt files, you should see the certificates for both BIGIP-DNS systems.

 

Here are some articles that might help with troubleshooting:

Synchronized Objects - https://my.f5.com/manage/s/article/K45907236


Port release requirements between GTMs - https://my.f5.com/manage/s/article/K13734


This article gives a great overview of how gtm_add, big3d_install, and bigip_add work - https://my.f5.com/manage/s/article/K13312


To verify iQuery communication - iqdump <remote BIG-IP system>"

From your description, this lab is similar to the environment you are working in.