Forum Discussion

Matt_Iggo_13390
Mar 16, 2018

F5 DNS SSL sync error

Hi all,

I have a new deployment, a pair of HA F5 LTM (Physical) and VE F5 DNS at each site. Configured as per this diagram:

I have the LTMs working and configured as I need them and these are working perfectly fine.

Regarding the F5 DNS, I have set up the following:

  • GSLB -> Data Centres ->
  • DC1 Setup
  • DC1 Servers
  • DC1 - LTM - VIP
  • Virtual Servers - Discovered
  • No Links discovered though?

Listeners are set up and working OK. I can configure a wide IP and give it a pool; it shows as UP and responds to DNS OK.

On the other F5 I have set up the sync group under DNS -> Settings -> GSLB and enabled synchronisation.

This appears to run OK for a while and I see the correct objects turn up (The other side can't get a status of the objects so marks them down but this is firewall / routing and is going to be resolved).

After a while though, I get this in the log files and synchronisation stops working. If I go into the DC2 F5 DNS, run tmsh -> run gtm gtm_add and go through that again, it works for a short period of time. After a while though, sometimes just on time or sometimes if I make a change forcing a sync, I get the following error messages:

Mar 15 17:50:30 F5DNSDC02 notice gtmd[11207]: 011a001d:5: SYNC loading GTM config from: 81.xxx.xxx.xxx
Mar 15 17:50:30 F5DNSDC02 47648853176208:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1134:
Mar 15 17:50:30 F5DNSDC02 SSL return code: SSL_ERROR_SYSCALL
Mar 15 17:50:30 F5DNSDC02 ---
Mar 15 17:50:30 F5DNSDC02 New, (NONE), Cipher is (NONE)
Mar 15 17:50:30 F5DNSDC02 SSL-Session:
Mar 15 17:50:30 F5DNSDC02 Protocol  : TLSv1.2
Mar 15 17:50:30 F5DNSDC02 Cipher    : 0000
Mar 15 17:50:30 F5DNSDC02 Session-ID:
Mar 15 17:50:30 F5DNSDC02 Session-ID-ctx:
Mar 15 17:50:30 F5DNSDC02 Master-Key:
Mar 15 17:50:30 F5DNSDC02 Key-Arg   : None
Mar 15 17:50:30 F5DNSDC02 PSK identity: None
Mar 15 17:50:30 F5DNSDC02 PSK identity hint: None
Mar 15 17:50:30 F5DNSDC02 Start Time: 1521136230
Mar 15 17:50:30 F5DNSDC02 Timeout   : 300 (sec)
Mar 15 17:50:30 F5DNSDC02 Verify return code: 0 (ok)
Mar 15 17:50:30 F5DNSDC02  ---
Mar 15 17:50:30 F5DNSDC02 err gtmd[11207]: 011a0005:3: hookOnChild: SYNC syncer exited with error code 255

Has anyone seen this before?

I will keep fiddling with it to see if I can get it to work, but as far as I can tell I have followed all the documentation I can find.

  • EM

    I ran into a similar problem and the same error message right now.

    Issue was that both boxes used a self-signed certificate with the same common name (localhost.localdomain). Renewing these with a real hostname resolved my problem.
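A way to audit a sync group for the condition EM describes (every peer presenting a self-signed certificate with the same placeholder Common Name) before the SYNC syncer starts failing. This is an added example and not code from the thread or from F5; it uses only the Python standard library, with a small DER walker that pulls the subject CN out of a certificate. The two sample certificates are constructed here as unsigned X.509 skeletons (the device names F5DNSDC01 and the example.net hostnames are assumptions); on real devices you would feed it the PEM text of each peer's certificate instead.

```python
"""Audit GTM/DNS sync-group peer certificates for duplicate or placeholder CNs.

Stdlib only. subject_cn() walks Certificate -> tbsCertificate -> subject in DER
and returns the commonName; audit_sync_group() reports the two conditions from
the thread: a default CN such as localhost.localdomain, and one CN shared by
several devices. The sample certificates are CONSTRUCTED skeletons (assumption:
they follow the X.509 field order but carry no real key or signature).
"""
import base64
import re

CN_OID = bytes.fromhex("550403")            # id-at-commonName, 2.5.4.3
PLACEHOLDER_CNS = {"localhost.localdomain", "localhost"}


# ---- DER decoding -----------------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a SEQUENCE/SET into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def subject_cn(cert_der):
    """Extract the subject commonName from a DER-encoded certificate."""
    _, cert, _ = der_read(cert_der)
    tbs = der_children(cert)[0][1]          # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                  # serial, sigAlg, issuer, validity, subject
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            oid, value = der_children(atv)  # AttributeTypeAndValue
            if oid[1] == CN_OID:
                return value[1].decode("utf-8")
    return None


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode, for certificates exported as .crt."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_text))


def der_to_pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# ---- the audit --------------------------------------------------------------
def audit_sync_group(peers):
    """peers: {device_name: cert_der}. Return a list of finding strings."""
    cns = {dev: subject_cn(der) for dev, der in peers.items()}
    findings = [f"{dev}: placeholder/default CN {cn!r}"
                for dev, cn in cns.items() if cn is None or cn in PLACEHOLDER_CNS]
    by_cn = {}
    for dev, cn in cns.items():
        by_cn.setdefault(cn, []).append(dev)
    findings += [f"CN {cn!r} shared by {', '.join(sorted(devs))}"
                 for cn, devs in by_cn.items() if len(devs) > 1]
    return findings


# ---- constructed sample certificates (DER encoder for the skeleton) ---------
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def make_cert(cn, serial):
    """Minimal unsigned X.509 skeleton, self-signed style (issuer == subject)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
        der_tlv(0x06, CN_OID) + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"180316000000Z") + der_tlv(0x17, b"190316000000Z"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00"))    # placeholder key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))   # placeholder signature


BROKEN = {"F5DNSDC01": make_cert("localhost.localdomain", 1),
          "F5DNSDC02": make_cert("localhost.localdomain", 2)}
FIXED = {"F5DNSDC01": make_cert("f5dnsdc01.example.net", 1),
         "F5DNSDC02": make_cert("f5dnsdc02.example.net", 2)}

if __name__ == "__main__":
    for label, peers in (("before renewal", BROKEN), ("after renewal", FIXED)):
        print(label, audit_sync_group(peers) or ["ok: distinct, non-default CNs"])
```

Running it prints three findings for the "before" set (two placeholder CNs plus the shared CN) and none for the "after" set, which is the state EM's fix produced. The parser only reads the subject; it deliberately does not validate signatures, so use it as a pre-check on what each peer will present, not as a replacement for the TLS verification the syncer performs.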