cathy_123
Feb 26, 2024

Replacing GTM f5

 

Hello guys!

This is also related to "F5 GTM GSLB replacement | DevCentral".

I have some questions on our F5 GTM replacement. We have an issue when we add the new F5 to the data center following this KB, https://my.f5.com/manage/s/article/K45907236: in the part "Creating a server (existing BIG-IP DNS)", the new server is in an unknown state. When we check the error, we see:

routines:ssl3_get_server_certificate:certificate verify failed f5

I am thinking bigip_add x.x.x.x will solve the problem; however, since the existing devices are in production, I didn't use it. Instead, I uploaded the cert of the existing F5 to the new F5 under Device Management and Trusted Certificates, which I saw on https://my.f5.com/manage/s/article/K85555245:

Trusted device certificates: System > Certificate Management > Device Certificate Management > Device Trust Certificates
Trusted server certificates: DNS > GSLB > Servers > Trusted Server Certificates

The existing and new F5 have the same certs now; however, the problem is still there, but this time the error is different:

iqmgmt_ssl_connect: SSL error: Connection reset by peer (104) from connection x.x.x.x

Do you guys know how to solve this SSL issue we have?

I also have some questions:

1. When I updated DNS > GSLB > Servers > Trusted Server Certificates, I exported the server.crt from the existing F5 and uploaded it to the new device. This overwrote the original server.crt on the new F5. I am thinking of running bigip_add x.x.x.x, but my worry is that it will make the certs doubled, because running bigip_add x.x.x.x will "append" the cert from the existing F5 to the new F5. So I am thinking of deleting the server.crt on my new F5, but the problem is I didn't save a backup of the original server.crt :( Is there a way I can generate a new server.crt on my new F5? Do you think it is necessary to delete the current server.crt? Or is what I need to do the below, per https://my.f5.com/manage/s/article/K9114?

cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt

2. Running bigip_add x.x.x.x will be from the existing F5, correct?

existing f5#  bigip_add x.x.x.x (new F5 IP)

3. The new F5 is on v17 and the existing F5s are on v14. Do you guys think that is a problem?

Thank you!
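
On the duplicate-certificate worry in question 1, here is an added example (not part of the original post and not F5 tooling) of an append to a PEM trust bundle that skips certificates already present, compared by SHA-256 fingerprint. The function names and the sample PEM blocks are constructed for illustration; the bundle text stands in for the contents of /config/gtm/server.crt.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def _fp(pem_body):
    # Fingerprint the decoded DER bytes, so line wrapping does not matter.
    der = base64.b64decode("".join(pem_body.split()))
    return hashlib.sha256(der).hexdigest()


def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a bundle, in file order."""
    return [_fp(body) for body in PEM_RE.findall(pem_text)]


def merge_bundle(bundle_text, new_text):
    """Append certs from new_text that bundle_text lacks.

    Returns (merged_text, added, skipped). Existing entries are never removed.
    """
    seen = set(fingerprints(bundle_text))
    merged = bundle_text
    if merged and not merged.endswith("\n"):
        merged += "\n"
    added = skipped = 0
    for match in PEM_RE.finditer(new_text):
        fp = _fp(match.group(1))
        if fp in seen:
            skipped += 1          # already trusted: a plain `cat >>` would double it
            continue
        seen.add(fp)
        merged += match.group(0) + "\n"
        added += 1
    return merged, added, skipped


def fake_pem(payload):
    # Constructed sample: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = fake_pem(b"new-bigip")            # stands in for the new unit's bundle
    peer = fake_pem(b"existing-bigip")         # cert exported from the existing unit
    bundle, added, skipped = merge_bundle(bundle, peer)
    print("first run:", added, "added,", skipped, "skipped")
    bundle, added, skipped = merge_bundle(bundle, peer)
    print("second run:", added, "added,", skipped, "skipped")
```

Comparing `len(fingerprints(text))` with `len(set(fingerprints(text)))` on a copy of a bundle shows whether it already contains doubled entries.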
