For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kridsana_52318's avatar
kridsana_52318
Icon for Nimbostratus rankNimbostratus
Jun 03, 2014

F5 Sync Problem v. 11.4.1

Hi everyone

 

I've some problem about sync

 

I can't sync F5 module APM v.11.4.1 HF2 which reside on differrent site

 

When I add peer apm, Log shown

 

"Can't connect to CMI peer x.x.x.x, port:6699, Transport endpoint is not connected"

 

What does it mean ?

 

ps. Before add peer , we can iquery to each other. but after add peer we can't iquery anymore.

 

Thank you in advance

 

availability
BIG-IP Access Policy Manager (APM)
security
TMOS
TMSH

25 Replies

  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Jun 03, 2014

    Hi!

     

    Have you verified that port 6699 is allowed on the self IPs used for synchronization?

     

    /Patrik

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jun 03, 2014
    before add peer , I can telnet port 4353 from local to peer after add peer, I cannot telnet port 4353 from local to peer It's strange
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 03, 2014
      I don't know how to troubleshooting before add peer , I can telnet port 4353 from local to peer. But after add peer, I cannot telnet port 4353 from local to peer It's strange Sync status is show disconnect because iquery communication can't established . Question is why iquery is working properly but after add peer it's struck. :(
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 03, 2014
      I don't know how to troubleshooting before add peer , I can telnet port 4353 from local to peer. But after add peer, I cannot telnet port 4353 from local to peer It's strange Sync status is show disconnect because iquery communication can't established . Question is why iquery is working properly but after add peer it's struck. :(
  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jun 03, 2014

    Many people affected by this kind issue and still don't know the actual cause

     

    https://devcentral.f5.com/questions/ha-problem-v1120

     

    https://devcentral.f5.com/questions/high-availability-issue-on-bigip-1600-rel-1121-hf1

     

    https://devcentral.f5.com/questions/configsync-issue-with-ltm-112-hf1

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jun 04, 2014

    After webex session with F5 support today

     

    We still don't know the root cause.

     

    From my point of view,

     

    It's may be a bug because after add F5 peer unit, Local unit can't establish iquery connection to peer unit , (peer unit also can't connect to local unit)

     

    What strange is , we type command "tcpdump -nni Internal tcp port 4353" and try to "telnet peer 4353",... But no traffic show in tcpdump ??? It's mean F5 didn't even try to send packet from this port. But From "tmsh run /cm sniff-updates", we can see daemon want to send packet to peer unit. :(

     

    So sync status still disconnect and we struck :(

     

    Just update to all of you

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 04, 2014

    What strange is , we type command "tcpdump -nni Internal tcp port 4353" and try to "telnet peer 4353",... But no traffic show in tcpdump ??? It's mean F5 didn't even try to send packet from this port.

     

    network (e.g. subnet) and route on both units are configured correctly, aren't they?

     

    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 04, 2014
      Everything is correct, Before add peer Everything is fine , we can telnet port 4353 to unit 2 and what is necessary. But after add peer, We can't telnet port 4353 to unit2 anymore (Then BIGIP always in disconnect sync state because it can't establish iquery connection)
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 04, 2014
      but we can telnet port 4353 to other F5 that is not their peer , :( So strange
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Jun 04, 2014

    What strange is , we type command "tcpdump -nni Internal tcp port 4353" and try to "telnet peer 4353",... But no traffic show in tcpdump ??? It's mean F5 didn't even try to send packet from this port.

     

    network (e.g. subnet) and route on both units are configured correctly, aren't they?

     

    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 04, 2014
      Everything is correct, Before add peer Everything is fine , we can telnet port 4353 to unit 2 and what is necessary. But after add peer, We can't telnet port 4353 to unit2 anymore (Then BIGIP always in disconnect sync state because it can't establish iquery connection)
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      Jun 04, 2014
      but we can telnet port 4353 to other F5 that is not their peer , :( So strange
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Jun 04, 2014

    Have you been running tcpdumps in the firewall/routers on the way to the peer unit? I mean, if you can see the packets leaving the local interface there must be something stopping it on the way. Firewall? IPS? Bad routing configuration?

     

    /Patrik

     

  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Jun 06, 2014

    Tried to reload mcpd? http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html

     

    Try to do a tcpdump between the two interfaces without a port filter?

     

    Can you post your config and a network topology?

     

    /Patrik