gtm_add failing

Question

I have a new GTM that i want to add use with my existing GTM.&nbsp;
I have configured the new GTM with a management IP, and provisioned the GTM section.  From the doco I have read I now need to run the gtm_add script on the new GTM.&nbsp;
So i run it and i get this:&nbsp;
[root@gtm02:Active] config  gtm_add 192.168.26.15&nbsp;
WARNING: Running this script will wipe out the current configuration&nbsp;
files (bigip_gtm.conf, named.conf and named zone files) on the BIG-IP GTM&nbsp;
Controller on which this script is run.  The configuration will be&nbsp;
replaced with the configuration of the remote BIG-IP GTM Controller&nbsp;
in the specified sync group&nbsp;
The local BIG-IP GTM MUST already be added in the configuration of the&nbsp;
other GTM.&nbsp;
&nbsp;
Are you absolutely sure you want to do this? [y/n] yes&nbsp;
&nbsp;
==&gt; Running 'bigstart shutdown gtmd' on the local system&nbsp;
==&gt; Running 'bigstart shutdown zrd' on the local system&nbsp;
==&gt; Running 'bigstart shutdown named' on the local system&nbsp;
    Retrieving remote and installing local BIG-IP's SSL certs ...&nbsp;
Enter root password if prompted&nbsp;
Password:&nbsp;
Rekeying Master Key...&nbsp;
Verifying iQuery connection to 192.168.26.15. This may take up to 30 seconds&nbsp;
iQuery connection to 192.168.26.15 failed.&nbsp;
Is big3d running?&nbsp;
Is tcp port 4353 access allowed?&nbsp;
&nbsp;
Restarting gtmd&nbsp;
Restarting named&nbsp;
Restarting zrd&nbsp;
 &nbsp;
So a few quesitons&nbsp;
1) What interface should i use to connect the two GTMs on?  Is the management interface OK or should i se the self IP?&nbsp;
2) The gtm_add scirpt says 'The local BIG-IP GTM MUST already be added in the configuration of the&nbsp;
other GTM'  How do I do that?  This could be why it is failling down im thinking....&nbsp;
I have added each GTM into the servers section on both guys, and also created the data centers&nbsp;
I cal telnet on port 4353 between both GTMs and also SSH between both&nbsp;
 &nbsp;
Actually - the gtm log shows this:&nbsp;
Sep 26 17:41:18 gtm01 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed&nbsp;
Sep 26 17:41:18 gtm01 err gtmd[6206]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (3361&nbsp;
thanks,&nbsp;

bhanu_9561 · Answer

Looks like you do not have access to port 4353.  
&nbsp;  
&nbsp; It is always better to establish the iQuery connection on the TMM interfaces rather than the management interface. 
&nbsp; Typically the management interfaces live on a separate zone in which case might not have 4353 port access. 
&nbsp;  
&nbsp; My next option would be give 4353 and 22 port access to one of the Selp IP. Change the port lockdown setting on the BIG-IP as well to accept 22 and 4353. 
&nbsp;  
&nbsp; If gtm_add still doesnt work try this: 
&nbsp;  
&nbsp;  
&nbsp; As at this point the key exchange might have been performed remove the entry for the host in the known_hosts file. This will be the IP address against which you have unsuccessfully run the gtm_add command against.  
&nbsp; Log in to the appropriate BIG-IP GTM command line: 
&nbsp; vi /root/.ssh/known_hosts, search for and remove existing entry for   (to run gtm_addl) 
&nbsp; Only remove entries containing address of the GTM (GTM against which you performed the gtm_add). 
&nbsp;  
&nbsp;  
&nbsp; Make sure that only the server.crt exists in the /config/httpd/conf/ssl.crt folder on the GTM against which you are performing the gtm_add against. &nbsp;

psavalam_195881 · Answer

This may work, you might have to renew the device certificate and give the name other than the default localonly.localhost cert. Altough the internal root cert is same , this resolved issues with the &nbsp;
Sep 26 17:41:18 gtm01 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 Sep 26 17:41:18 gtm01 err gtmd[6206]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (3361&nbsp;
This must be followed by the "bigip_add " to ensure iquery comm. and also the check if 4353 is responding. &nbsp;
Another check is to find the group-names are same on these GTMs&nbsp;

brad_11480 · Answer

having the same message...  my device certificates are issued by our internal PKI -- and are not self-signed.    
&nbsp;
communication is likely there as it does return that message.... and when i do a iqdump it shows it is trying to open the session.&nbsp;
how do i correct the certificate verify problem?&nbsp;

david__pasch_24 · Answer

Try installing your SSL cert as a bundle with the full chain to the CA Root Cert. &nbsp;

brad_11480 · Answer

Bingo. Yes had to go futz it so the cert and its entire chain is provided.   Appreciate the help.&nbsp;

Forum Discussion

gtm_add failing

7 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

gtm_add failure

remove ssh after gtm_add/bigip_add/big3d_add ?

External Data Group Import Failing.

gtm_add failed

gtm_add failing due to CERT error

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS