F5 sync options

Forgot to mention I am running 11.4.1 HF7.

Hi Aaron,

Can't you configure the Sync-Failover group to only automatically fail to a specified list of devices?

Hi Aaron,

Hi Aaron,

we have the exact same challange... We have a DR-site with same IP addresses, vlan etc. So the config should be exactly the same. We took the approach first to make a backup of the F5 cluster on our primary site and install it on the DR site F5. But that came with alot of other problems, one example is that the mgmt-port is not the same because we need to manage the devices out-of-band and that failed first with routing and interface setup not matching 100%. Also there was a bug that we ran into: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15835.html

So that approach did not seem to work for us. So now we are looking into other options, but we are stuck. I would be very interested in using the API to sync the config, between the sites. But we cannot create a new application to make changes to both the enviroments as we are very dependent on the GUI today because we have other people than ourselves in the network-team working in the BigIPs. So it would be nice with some function that could take all the config changes done and push them to the other F5 cluser on the DR site. But im not that familiar with the API yet so im not sure if that would even work? An idea is just to export all Nodes, Pools, VIPs etc. and diff them to the other cluster then add the missing ones. BUT then the question becomes could you do this through the API with for example certificates, persistence policys, http profiles etc. it becomes quite complex when you need a full config sync.

This should not be that hard really? But it seems like the BigIP product is not built for HA in multiple datacenters if you dont want to make the changes done in one F5 cluster then add it to the other manually. I red about sync-only groups but it will not suit our current production enviroment as we already use multiple partitions and folders. As i understand it you will need a seperate folder for the sync-only objects? So that is not possible im afraid.

We continue to search for a solution for this, but in the meantime its just old fasion manual work. :)

Hello Aaron,

We have the same problem, we have a production site in Miami, and our DR in Brasil. I have tried to setting up the trust domain with more than 2 units, but every time that we add the third we lost the trust relation between the first two. Did you get the solution to this problem? Please, what must we do? Thanks

The F5 iControl REST API has a newer iteration of a module for the Python language, with its documentation available here. http://f5-sdk.readthedocs.org/en/latest/index.html

The F5 SDK (and its predecessors) should be able to do a majority of the heavy lifting for you, instead of manipulating the REST API by hand. Unless of course you're interested in that sort of thing.

Another great tool that might help make it easier to sync up changes to a secondary set of F5s is the Application Integration Services iApp. It provides a fairly consistent interface to deploying a service. You can operate it via the WebUI and the REST API. It is not F5 supported, however. https://github.com/0xHiteshPatel/appsvcs_integration_iapp

Aaron...how did you finally end up syncing your configs across the DC's? I have almost exactly the same challenge and would be curious to hear what solution you ended up using. Thanks

Aaron...how did you finally end up syncing your configs across the DC's? I have almost exactly the same challenge and would be curious to hear what solution you ended up using. Thanks

It seems like there are a lot of engineers out there with this same issue (like me) and I'm curious what Aaron (or any of you) implemented that is working. I'm currently doing manual changes on both Prod and DR but that can't be the final solution...too much overhead and room for error.