Forum Discussion

williamtan
Mar 03, 2019

gtm_add failed

I'm planning to join a new GTM to an existing GTM sync group. Both GTMs have the same big3d version. The existing GTM's external interface is set to allow default. When I try to run gtm_add on the new GTM, it shows the error message below.

root@(NEWGTM)(cfg-sync Standalone)(Active)(/Common)(tmos) run gtm gtm_add X.X.Y.Y
Retrieving remote and installing local BIG-IP's SSL certs ...
Enter root password for X.X.Y.Y if prompted
ssh: connect to host X.X.Y.Y port 22: Connection refused

ERROR: Can't read remote cert via /usr/bin/ssh.

==> Done <==
root@(NEWGTM)(cfg-sync Standalone)(Active)(/Common)(tmos)

  • Surgeon
    Ret. Employee

    TCP port 22 needs to be allowed on the existing GTM to allow ssh. The certificate exchange is done via ssh.

  • Please check the Self-IP configuration for the interface/VLAN and confirm whether the Port Lockdown setting allows ssh.

  • Do you have the AFM module / packet filters / another firewall device in between the GTMs that may be blocking this traffic?

    From the bash prompt, try a netcat from one GTM to the peer GTM device to see if it can connect.

    nc -v X.X.Y.Y 22

  • I found the root cause. The old GTM has a packet filter rule configured that only allows a few IPs to ssh. Thank you for all your effort. Really appreciate it.
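A preflight check that ties the thread's suggestions together, added here as an example and not posted by anyone in the thread: it probes TCP/22 on the peer GTM the way the netcat suggestion does and, on failure, lists the Port Lockdown and packet filter checks from the replies. It assumes nc (or bash) is available on the BIG-IP and uses X.X.Y.Y as a placeholder peer address.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check before running gtm_add.
# gtm_add copies the peer's SSL certificates over ssh, so TCP/22 to the peer
# GTM must be reachable or it fails with "Can't read remote cert via /usr/bin/ssh".

# tcp_port_open HOST PORT -> exit 0 if a TCP connection to HOST:PORT succeeds.
# Uses nc when present (as in the thread), otherwise bash's /dev/tcp redirection.
tcp_port_open() {
    host=$1
    port=$2
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# gtm_add_preflight PEER [PORT] -> exit 0 when the peer accepts ssh connections;
# otherwise print the checks the thread points at and exit 1. PORT defaults to 22.
gtm_add_preflight() {
    peer=$1
    port=${2:-22}
    if tcp_port_open "$peer" "$port"; then
        echo "OK: $peer accepts TCP/$port; gtm_add can exchange certificates"
        return 0
    fi
    cat <<EOF
FAIL: cannot connect to $peer on TCP/$port, so gtm_add will fail.
On the peer GTM, check:
  tmsh list net self allow-service    # Port Lockdown must allow ssh (default or explicit tcp:ssh)
  tmsh list net packet-filter         # packet filter rules restricting port $port by source
and any AFM policy or firewall device between the two GTMs.
EOF
    return 1
}

# Usage (placeholder peer address, as in the thread):
#   gtm_add_preflight X.X.Y.Y
```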