gtm_add failing
I have a new GTM that I want to use with my existing GTM.
I have configured the new GTM with a management IP and provisioned the GTM module. From the documentation I have read, I now need to run the gtm_add script on the new GTM.
So I run it and I get this:
[root@gtm02:Active] config gtm_add 192.168.26.15
WARNING: Running this script will wipe out the current configuration
files (bigip_gtm.conf, named.conf and named zone files) on the BIG-IP GTM
Controller on which this script is run. The configuration will be
replaced with the configuration of the remote BIG-IP GTM Controller
in the specified sync group
The local BIG-IP GTM MUST already be added in the configuration of the
other GTM.
Are you absolutely sure you want to do this? [y/n] yes
==> Running 'bigstart shutdown gtmd' on the local system
==> Running 'bigstart shutdown zrd' on the local system
==> Running 'bigstart shutdown named' on the local system
Retrieving remote and installing local BIG-IP's SSL certs ...
Enter root password if prompted
Password:
Rekeying Master Key...
Verifying iQuery connection to 192.168.26.15. This may take up to 30 seconds
iQuery connection to 192.168.26.15 failed.
Is big3d running?
Is tcp port 4353 access allowed?
Restarting gtmd
Restarting named
Restarting zrd
So, a few questions:
1) What interface should I use to connect the two GTMs? Is the management interface OK, or should I use the self IP?
2) The gtm_add script says 'The local BIG-IP GTM MUST already be added in the configuration of the other GTM'. How do I do that? This could be why it is failing, I'm thinking.
I have added each GTM into the Servers section on both of them, and also created the data centers.
I can telnet on port 4353 between both GTMs, and also SSH between both.
Actually, the GTM log shows this:
Sep 26 17:41:18 gtm01 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 26 17:41:18 gtm01 err gtmd[6206]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (3361
Thanks,
- Bhanu_9561 (Cirrus)
Looks like you do not have access to port 4353.
- psavalam_195881 (Nimbostratus)
This may work: you might have to renew the device certificate and give it a name other than the default localonly.localhost cert. Although the internal root cert is the same, this resolved issues with the
Sep 26 17:41:18 gtm01 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 26 17:41:18 gtm01 err gtmd[6206]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (3361
This must be followed by bigip_add to ensure iQuery communication, and also check whether 4353 is responding.
Another check is to confirm that the sync group names are the same on these GTMs.
- brad_11480 (Nimbostratus)
Having the same message. My device certificates are issued by our internal PKI and are not self-signed.
Communication is likely there, as it does return that message, and when I do an iqdump it shows it is trying to open the session.
How do I correct the certificate verify problem?
- David__Pasch_24 (Nimbostratus)
Try installing your SSL cert as a bundle with the full chain to the CA root cert.
- brad_11480 (Nimbostratus)
Bingo. Yes, had to go futz with it so the cert and its entire chain are provided. Appreciate the help.
- David__Pasch (Altostratus)
When using a CA for the SSL certs used in iQuery, bundle the certificates so that the full chain to the CA is valid.
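As an added illustration of the resolution above (this is not code from the thread or from F5; it uses openssl verify to stand in for the iQuery handshake check), the script below builds a throwaway root -> intermediate -> device PKI with the openssl CLI, shows that presenting the device cert alone fails with a certificate verify error, and that presenting the device cert bundled with its intermediate passes the same check against a trust store that holds only the root. The CA names, the hostname gtm02.example.net and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code): reproduce the
# "certificate verify failed" from iqmgmt_ssl_connect with a throwaway
# PKI, then show that a full-chain bundle makes the same check pass.
# Requires only the openssl CLI. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root CA -> intermediate CA -> device (leaf) cert, the shape of an
# internal PKI. The intermediate is the link a leaf-only install drops.
build_pki() {
  # Root CA, self-signed; this is the only thing the peer trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate (issuing) CA signed by the root. It must carry CA:TRUE
  # or path building rejects it as an issuer.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

  # Device cert for the new GTM, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=gtm02.example.net" \
    -keyout "$WORK/gtm02.key" -out "$WORK/gtm02.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/gtm02.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -out "$WORK/gtm02.crt" 2>/dev/null

  # What a correct install presents: the leaf first, then its issuer(s).
  cat "$WORK/gtm02.crt" "$WORK/int.crt" > "$WORK/bundle.crt"
}

# Number of PEM certificates in a file: 1 means leaf only, no chain.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Emulate the peer's check with openssl verify: the trust store holds the
# root alone, and the certs the device presents ($1) are the only
# untrusted material available to build a path to that root.
# Prints "OK" or "certificate verify failed".
verify_presented() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
       "$WORK/gtm02.crt" 2>&1 | grep -q ': OK'; then
    echo OK
  else
    echo "certificate verify failed"
  fi
}

build_pki
echo "leaf only  ($(count_certs "$WORK/gtm02.crt") cert):  $(verify_presented "$WORK/gtm02.crt")"
echo "with chain ($(count_certs "$WORK/bundle.crt") certs): $(verify_presented "$WORK/bundle.crt")"
```

On the real boxes, openssl s_client -connect <peer>:4353 -showcerts shows exactly what the peer hands over during the handshake; if only the depth 0 certificate appears, the peer is in the leaf-only condition above and the device certificate needs to be reinstalled as a bundle that includes the intermediate(s).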