Forum Discussion
brad_11440
Nimbostratus
Apr 07, 2012
GTM Upgrade FAIL - DC Links & ICMP Monitors
We upgraded a HA LTM pair from 10.2.0HF2 to 10.2.3HF1 without issue. Then we attempted to update a single GTM using the same code trains. However, when the GTM was on 10.2.3HF1, it would mark down t...
smp_86112
Cirrostratus
Apr 10, 2012
We are fairly close in code levels, so I find this an interesting post. But they are not exactly the same - our GTMs run 10.2.2HF1. I did recently upgrade one LTM pair from 10.2.0 to 10.2.3HF1, but I didn't have any trouble with LTM/GTM communication.
You definitely did the right thing trying bigip_add and iqdump. If you don't get an SSL handshake error and you get XML output, then communication should be OK. Another thing to verify, after executing bigip_add, is that the LTM certificate is in the GTM's Trusted Server Certificates list, and that the GTM is in the LTM's Trusted Device Certificates list. When I've encountered handshake errors in the past, I cleared out the Trusted Device Certificates list on both LTMs, and the Trusted Device Certificates and Trusted Server Certificates list on the GTM. Then I executed bigip_add (GTM) on both LTMs, and bigip_add (LTMs) on the GTM.
I have encountered one other problem, but it is not likely something you will see. While troubleshooting LTM/GTM communication after an upgrade one time, I performed a network trace between the two units. Looking at the handshake, I noticed that the Subject Name on the certificate which was presented by the LTM referenced the name of an application. Searching the filesystem, I found I had SSL certificates on the LTM in a weird path - I suspect left over from a v4->v9 upgrade at some point. Once I removed those certificates, the LTM chose the right certificate and that fixed the SSL communication.
I don't use NAT, so I'm not clear on exactly how that fits into the picture.
One other thought... I find the documentation about what files are retained after booting from one volume to another extremely lacking. It might be possible that the SSL certificate being used by the LTM or the GTM after the upgrade was not retained on the new boot volume. However, if you ran bigip_add, I think it would fix that particular problem.
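Added example, not part of the original thread and not F5 code: the reply's two certificate checks (is the peer's certificate in the trusted list, and is the peer presenting the certificate you expect) both reduce to comparing the fingerprint of the presented certificate against the fingerprints in the exported trust bundle. The function names and the PEM data below are constructed for illustration; on a real pair you would feed in the PEM captured from the handshake and the exported trusted-certificate list.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks first
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def is_trusted(presented_pem, bundle_pem):
    """True if the single presented certificate appears in the trust bundle."""
    presented = pem_fingerprints(presented_pem)
    if len(presented) != 1:
        raise ValueError("expected exactly one presented certificate")
    return presented[0] in set(pem_fingerprints(bundle_pem))


def _fake_pem(der):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real X.509 cert.
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data (hypothetical names).
LTM_DEVICE_CERT = _fake_pem(b"constructed-ltm-device-cert" * 8)
LEFTOVER_APP_CERT = _fake_pem(b"constructed-leftover-app-cert" * 8)
GTM_TRUSTED_BUNDLE = _fake_pem(b"constructed-other-device" * 8) + LTM_DEVICE_CERT

if __name__ == "__main__":
    # Expected device certificate: present in the trusted list.
    print("device cert trusted:", is_trusted(LTM_DEVICE_CERT, GTM_TRUSTED_BUNDLE))
    # A stray certificate picked up from an old path: not in the list,
    # which is the situation that produces a handshake failure.
    print("leftover cert trusted:", is_trusted(LEFTOVER_APP_CERT, GTM_TRUSTED_BUNDLE))
```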
