Forum Discussion
Two sync-failover groups (LTM) and one sync-only group (for ASM sync) setup
Hi All, I'm trying to create a setup where I have two pairs of F5s running ASM and LTM with the LTMs sync'd in two groups (sync-failover) and the ASMs sync'd in a single sync-only group. The url below provides details on how to do this and I'm generally ok with the procedure although I have a few questions which someone may be able to answer.
1. Will this setup work when I have multiple customers set up using many route domains, partitions and traffic groups?
2. When the configuration is not the same on each of the failover groups?
3. When the naming of VIPs is not the same on each failover group?
4. Do I need to reset one pair to factory default when creating this setup, as when I try to create a trust to the second pair of devices I get an error stating the device already belongs to a traffic group?
Any other advice would be appreciated. Thanks for reading.
8 Replies
- gsharri
Altostratus
Hi Neil,
1. Will this setup work when I have multiple customers set up using many route domains, partitions and traffic groups?
Route domains and traffic groups should not pose a problem. Any admin partition which contains an ASM security policy will be synced to all ASMs in the sync-only group. Note that only the security policies sync, not any LTM config. If an admin partition contains virtual servers, pools, etc., they will not sync. Also keep in mind that the sec policy must be in /Common or the same partition as the virtual server to which it is assigned.
2. When the configuration is not the same on each of the failover groups?
I'm not sure what you're asking here. Please clarify.
3. When the naming of VIPs is not the same on each failover group?
VIP names do not matter. What will happen is that after the initial sync of the sec policies to an LTM/ASM HA pair using different VIP names, the policies will not be assigned to any VIP. You must manually assign the policies to the correct VIP.
4. Do I need to reset one pair to factory default when creating this setup, as when I try to create a trust to the second pair of devices I get an error stating the device already belongs to a traffic group?
All four BIG-IPs must be in the same device trust domain with each other, and a BIG-IP may only be in one trust domain at a time. Apparently what you have now is two HA pairs, each in their own trust domain. You will need to break one of the HA pairs' sync-failover device group and remove the trust while taking care not to have them active-active (assuming you have active-standby right now). You can force the standby unit offline so it won't go active after deleting the device group. See this article for an overview: SOL15757.
After the device group/trust is torn down on one pair, add them to the device trust of the remaining HA pair. Once all four are in a trust together, recreate the sync-failover device group for the second HA pair and create the sync-only device group including all four. Then assign the sync-only group for ASM sync.
Be aware that you should always use the same BIG-IP to configure trusts. For example, if the remaining HA pair are bigipA-bigipB and bigipA was where the trust was originally created, then you must use bigipA to add bigipC & D (the HA pair you tore down) to the trust group.
Scott
- neil_t_66364
Nimbostratus
Hi Scott, I've stripped back the sync groups and re-peered everything so now I have devices A and B in a HA pair and C and D in a second HA pair. I also have a sync-only group for all ASMs so the groups are all configured. So HA failover is working fine for both HA pairs. When I try and sync the ASMs I see the HA pair that I made the last ASM change on appear to be sync'd but the second pair fail sync even though I can see the ASM policies have been synchronised. If I then make a change on the second HA pair which failed the sync I then see the second pair are now in sync and the first pair are out of sync. The error message I get is 'the request folder cd01-tg01 was not found'. The name of this folder is the same as admin partition 1 so I guess the message relates to that partition and there are six admin partitions. It looks like the systems are functioning and ASM is synchronising but I don't like the sync failure messages. Is this what I should be expecting to see?
- gsharri
Altostratus
So the sync error pertains to the sync-only group containing the 4 ASMs? Are the admin partition lists identical on both ASMs?
- neil_t_66364
Nimbostratus
The sync error is "Sync error on x.x.x.x.net: Load failed from y.y.y.y.net 01020036:3: The requested folder (/DD01-TG01) was not found." x.x.x.x being the destination device and y.y.y.y being the source device. A second error lists the same issue with the second device at the second DC. The name DD01-TG01 is an admin partition and this prefix is identical on all four devices. I'm wondering if this is listed as it's the first error discovered and every partition will fail, or whether it's the only error.
- gsharri
Altostratus
Were these admin partitions manually created on each HA pair and did they predate the sync-only group setup? Are the partition names absolutely identical on each HA pair, down to upper/lower case? Everything on BIG-IP is case-sensitive.
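The last reply asks whether the admin partition names are identical on every device down to upper/lower case, which is exactly the kind of check that is easy to get wrong by eye across four boxes. The script below is an added example, not from any of the posts above or from F5: it parses the output of `tmsh list auth partition` collected from each device and reports, per device, which partitions are missing and which exist only as a case variant (for example `dd01-tg01` where the source device has `DD01-TG01`, the situation that would produce a "requested folder not found" load failure during sync). The four devices and their output are constructed sample data, not captured from a real system.

```python
"""Compare BIG-IP admin partition names across devices, case-sensitively.

Added example for the thread above; not from the original posts or from F5.
The ``tmsh list auth partition`` output below is constructed sample data for
four hypothetical devices (bigipA..bigipD) and mirrors a case mismatch on one
HA pair plus a partition missing entirely on one device.
"""
import re
from typing import Dict, List, Set, Tuple

# Opening line of each stanza printed by `tmsh list auth partition`, e.g.
#   auth partition DD01-TG01 { }
PARTITION_RE = re.compile(r"^auth partition (\S+) \{", re.MULTILINE)

# Constructed sample output; in practice this would be collected from each device.
SAMPLE_OUTPUT: Dict[str, str] = {
    "bigipA": (
        'auth partition Common {\n'
        '    description "Repository for system objects and shared objects."\n'
        '}\n'
        'auth partition DD01-TG01 { }\n'
        'auth partition DD02-TG02 { }\n'
    ),
    "bigipB": (
        'auth partition Common { }\n'
        'auth partition DD01-TG01 { }\n'
        'auth partition DD02-TG02 { }\n'
    ),
    # Second HA pair: same partition, but created with lower-case letters.
    "bigipC": (
        'auth partition Common { }\n'
        'auth partition dd01-tg01 { }\n'
        'auth partition DD02-TG02 { }\n'
    ),
    # Lower-case variant again, and DD02-TG02 never created here at all.
    "bigipD": (
        'auth partition Common { }\n'
        'auth partition dd01-tg01 { }\n'
    ),
}


def parse_partitions(tmsh_output: str) -> Set[str]:
    """Return the set of partition names found in `tmsh list auth partition` output."""
    return set(PARTITION_RE.findall(tmsh_output))


def compare_partitions(
    per_device: Dict[str, Set[str]]
) -> Dict[str, Dict[str, List]]:
    """For each device, list partitions that exist on some other device but not here.

    A name that differs only in case from a local partition is reported under
    'case_mismatch' as (name elsewhere, name here); anything else is 'missing'.
    Because BIG-IP treats names case-sensitively, a case mismatch is as much a
    sync problem as an absent partition.
    """
    union: Set[str] = set().union(*per_device.values())
    report: Dict[str, Dict[str, List]] = {}
    for device, parts in per_device.items():
        lower_local = {p.lower(): p for p in parts}
        missing: List[str] = []
        case_mismatch: List[Tuple[str, str]] = []
        for name in sorted(union - parts):
            if name.lower() in lower_local:
                case_mismatch.append((name, lower_local[name.lower()]))
            else:
                missing.append(name)
        report[device] = {"missing": missing, "case_mismatch": case_mismatch}
    return report


def main() -> None:
    parsed = {dev: parse_partitions(out) for dev, out in SAMPLE_OUTPUT.items()}
    for device, findings in compare_partitions(parsed).items():
        print(f"{device}:")
        for name in findings["missing"]:
            print(f"  missing partition {name}")
        for other, local in findings["case_mismatch"]:
            print(f"  case mismatch: {other} elsewhere, {local} here")
        if not findings["missing"] and not findings["case_mismatch"]:
            print("  partition list matches all other devices")


if __name__ == "__main__":
    main()
```

The comparison is symmetric on purpose: both sides of a case mismatch get flagged, so running it over all four devices shows which pair diverged rather than assuming one side is authoritative. Since only the first load failure is reported by the sync error, a full partition-by-partition diff like this is what answers the question of whether DD01-TG01 is the only problem or just the first one found.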