F5 Automated Backups - The Right Way

Hi all,   Often I've been scouring the devcentral fora and codeshares to find that one piece of handywork that will drastically simplify my automated backup needs on F5 devices. Based on the wo...
Published Mar 13, 2014
Version 1.0
archive
automated
availability
backup
cloud
deployment
devops
iApps
iCall
management
tatmotiv's avatar
tatmotiv
Icon for Cirrostratus rankCirrostratus
Sep 23, 2016

I'm running into the same problem, syncing between two HA members renders this iApp inoperational on the standby node. Even when using the same key for both machines, I always end up with only one ucs on the remote (SCP) server. reconfigure and re-apply the iApp/Application Service on the second node after configuring it on the first node as suggested above also won't help. Has anybody solved that issue? I'm running 11.6.0 HF6.

EDIT: After doing some analysis it appears that the standby machine (.210) fails to establish the SSH connection, whereas the active machine (.110) successfully can set it up (and transfer files over it):

Sep 23 12:58:05 my_upload_target sshd[58009]: Accepted publickey for lbupload from 10.x.x.110 port 40067 ssh2: RSA xxxxx [MD5]
Sep 23 12:58:05 my_upload_target sshd[58040]: Connection closed by 10.x.x.210 [preauth]

Obviously, the key synchronisation between both machines seems not to work...

EDIT2: In order to affirm that assumption, I replaced the private key on the active machine with rubbish to see if that provokes the same logging entry. The device-group is configured with config auto-sync, so this change will also immediately get synced to the standby device. Now, when the iCall script is running, these messages are logged by the upload server:

Sep 23 13:30:08 my_upload_target sshd[54899]: Failed password for my_upload_user from 10.x.x.110 port 42862 ssh2
Sep 23 13:30:08 my_upload_target sshd[54899]: Connection closed by 10.x.x.110 [preauth]
Sep 23 13:30:11 my_upload_target sshd[54904]: Connection closed by 10.x.x.210 [preauth]

As expected, the active machine is now rejected due to bad authentication (failed password), but the other one is not - it's just closing the connection during preauth and it seems that it does not even start any key exchange...

EDIT3: OK, it's actually that easy... The entry in /root/.ssh/known_hosts was missing on the failover unit, but was present in the active one. After manually establishing an ssh connection to the destination host, thus adding its public key to known_hosts, the automated backup now works for both.

EDIT4 (and that will probably be the last one - I hope this help anybody experiencing the same problems...): I added 

-o StrictHostKeyChecking=no
to the scp command in the iApp definition in order avoid future trouble (e.g. after hotfix installations etc). Now it works like a charm.