patonbike
Oct 02, 2020

Adding a virtual to physical HA pair for ConfigSync

I have 2 physical devices, let's say bigip01 and bigip02. They are in an HA pair with ConfigSync, a traffic group etc. Running version 13.1.3.4.

I am trying to add a 3rd, virtual device called bigip03; this will normally be in a forced offline state, however I would like to keep the configuration from bigip01/02 sync'd over to bigip03 as backup.

I tried to set up device trust by adding bigip03 to bigip01 under device trust members. It successfully adds bigip03 as a trusted device to bigip01 and bigip02 when I do this, however on bigip03 it only adds bigip01 as a trusted device. bigip02 is not trusted. As a result, I get errors in the logs for attempting to sync that say:

bigip03 err mcpd[6078]: 01071470:3: Disconnecting from CMI device /Common/bigip02.xxxxx.com, the device is not in a trust domain.

Does anyone have any suggestions? I already made the mistake of trying to manually add bigip02 as a trusted device on bigip03. bigip03 and bigip02 then split off and created their own HA pair away from bigip01. Not good!

4 Replies

  • Most HA configurations fail because of communication issues, typically in the misconfigured HA communication settings realm. Common causes include IP address conflicts, HA VLAN misconfiguration, mismatched software versions, and devices/systems not reachable on the network. Have you tried all the troubleshooting tips described in K13946: Troubleshooting ConfigSync and device service clustering issues? If not, I would start there. Also, there's a pretty good video on adding a new device to an existing device group on the F5 YouTube channel here: https://www.youtube.com/watch?v=Auc13Q31qUA Although this is for a Sync-Only device group, the steps are similar.

  • Thanks - the problem I have is that when I go to add bigip03 to bigip01 as a new trusted device, bigip03 does not also get bigip02 as a trusted device. The actions are:

    Device trust -> device trust members -> add device. This appears to work, but the result is that:

    01 has 02 and 03 as trusted devices.

    02 has 01 and 03 as trusted devices.

    03 only has 01 as a trusted device, so it will not sync with 02.

    They can all reach one another on the network.

    If I try to sync bigip01 device_trust_group to the group (Awaiting initial sync), it fails.

    Logs in 03 read:

    Disconnecting from CMI device /Common/bigip02.mydomain.com, the device is not in a trust domain.

    How do I add 02 as a trusted device on 03? I have already made the mistake of trying to manually add bigip02 to bigip03 as a trusted device, and it caused an outage. What happened is 02 and 03 formed a pair, and 02 went "active" while 01 was also active! Perhaps if I forced both (02 and 03) offline, I could work it out by modifying the device groups, I am not sure.

    Do I need to manually add a trust certificate for 03->02?

  • Still looking for help here. When I add a 3rd device to an existing device trust group... the new device only sees one of the 2 existing devices as trusted devices. As a result, syncs are failing.

    There is full network connectivity between the 3 devices.

    How do I get device 3 to trust device 2?

    Device 1 trusts 1+2

    Device 2 trusts 1+3

    Device 3 only trusts 1.

    How do I rectify this?