Forum Discussion

cathy_123
Feb 26, 2024

Replacing GTM f5


hello guys!

this is also related to F5 GTM GSLB replacement | DevCentral 

I have some questions on our F5 GTM replacement. We have an issue when we add the new F5 in the data center following this KB, on the part "Creating a server (existing BIG-IP DNS)": the new server is in an unknown state. When we check the error we see

routines:ssl3_get_server_certificate:certificate verify failed f5

I am thinking bigip_add x.x.x.x will solve the problem; however, since the existing devices are in production I didn't use it. Instead, I uploaded the cert of the existing F5 to the new F5 under Device Management and the trusted certificates I saw in:

Trusted device certificates: System > Certificate Management > Device Certificate Management > Device Trust Certificates
Trusted server certificates: DNS > GSLB > Servers > Trusted Server Certificates

The existing and new F5 have the same certs now; however, the problem is still there, but this time the error is different:

iqmgmt_ssl_connect: SSL error: Connection reset by peer (104) from connection x.x.x.x

Do you guys know how to solve this SSL issue we have?

I also have a question

1. When I updated DNS > GSLB > Servers > Trusted Server Certificates, I exported the server.crt from the existing F5 and uploaded it on the new device. This overwrites the original server.crt on the new F5. I am thinking of running bigip_add x.x.x.x, but my worry is that it will make the certs doubled, because running bigip_add x.x.x.x will "append" the cert from the existing F5 to the new F5. So I am thinking of deleting the server.crt on my new F5, but the problem is I didn't save a backup of the original server.crt :( Is there a way I can generate a new server.crt on my new F5? Do you think it is necessary to delete the current server.crt? Or what I need is to do the below per

cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt

2. Running bigip_add x.x.x.x will be from the existing F5, correct?

existing f5#  bigip_add x.x.x.x (new F5 IP)

3. The new F5 is on v17 and the existing F5s are on v14. Do you guys think it is a problem?

Thank you!
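The worry in question 1, that bigip_add appends to /config/gtm/server.crt and could leave the same certificate in the bundle twice, can be checked on a copy of the file before anything is appended. The script below is an added example, not code from the original post or from F5: it fingerprints every PEM block in a bundle (SHA-256 of the DER, the same value openssl reports), lists duplicates, rewrites the bundle keeping one copy of each cert, and offers an idempotent replacement for the `cat ... >> server.crt` step. The PEM bodies it builds are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
# One regex match per certificate block in a PEM bundle such as /config/gtm/server.crt
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_bodies(bundle: str) -> list[str]:
    """Base64 body of every certificate block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def fingerprint(body: str) -> str:
    """SHA-256 of the DER bytes, the same value 'openssl x509 -fingerprint -sha256' prints."""
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
def wrap(body: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n"

def duplicates(bundle: str) -> dict[str, int]:
    """Fingerprints that occur more than once in the bundle, with their counts."""
    counts: dict[str, int] = {}
    for body in pem_bodies(bundle):
        fp = fingerprint(body)
        counts[fp] = counts.get(fp, 0) + 1
    return {fp: n for fp, n in counts.items() if n > 1}

def dedupe(bundle: str) -> str:
    """Rewrite the bundle keeping only the first copy of each distinct certificate."""
    seen: set[str] = set()
    kept: list[str] = []
    for body in pem_bodies(bundle):
        fp = fingerprint(body)
        if fp not in seen:
            seen.add(fp)
            kept.append(wrap(body))
    return "".join(kept)

def append_if_missing(bundle: str, cert_pem: str) -> tuple[str, bool]:
    """Idempotent 'cat cert >> bundle': returns (bundle, True) only if the fingerprint was new."""
    bodies = pem_bodies(cert_pem)
    if len(bodies) != 1:
        raise ValueError("cert_pem must contain exactly one certificate")
    if fingerprint(bodies[0]) in {fingerprint(b) for b in pem_bodies(bundle)}:
        return bundle, False
    sep = "" if not bundle or bundle.endswith("\n") else "\n"
    return bundle + sep + wrap(bodies[0]), True
def fake_pem(tag: bytes) -> str:
    """Constructed placeholder block: the body is just a tag, not real DER, so it runs offline."""
    return wrap(base64.b64encode(tag).decode())
# Constructed sample: a new F5's server.crt after the existing F5's cert was uploaded once
SAMPLE_SERVER_CRT = fake_pem(b"new-f5-device-cert") + fake_pem(b"existing-f5-device-cert")
```

Running duplicates() over a copy of the live bundle shows whether a second bigip_add run actually doubled anything; dedupe() or append_if_missing() then give a bundle with each device cert present exactly once.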
