Hi - I would appreciate some advice on best way to transfer config and certificates to our Disaster Recovery F5.
Both Production and DR sites use i2600 appliances. Our production BIG-IPs are configured with high availability, with the DR site having standalone appliances.
In the event of a real DR we were hoping to take the latest UCS backup and apply this to the standalone appliance in the DR location. Problem we have is our legacy process no longer works since release of version 11, as the interface and license is carried over in the UCS now.
The main issue I believe is with the bigip_base.conf and the bigip.license. Would it be acceptable to take the latest UCS file and simply replace (within the zip archive) the bigip_base.conf and the bigip.license with the existing one applied to the DR appliance (with correct addressing) and then load the UCS?
Alternatively what would be the recommended method for quickly deploying the same device to another appliance on same hardware and software versions?
Using the UCS archives for this purpose creates a few obstacles, as you have pointed out. You also have the master key used to encrypt passphrases and other confidential data inside the UCS archive. In a ConfigSync cluster, the original master key is transferred over to the other HA device(s).
My first thought, since you really just want the bigip.conf file: is it possible for you to add the DR site's BIG-IP devices to a Sync-Only group and have the production site sync over the configuration without being configured in HA? That way you get an identical configuration, with certificates, user accounts etc., and you have the same master key.
This way you won't have to do any manual step for the Disaster Recovery Site failover.
Here is an example when this is performed for APM Policy Synchronization:
Hi Philip, thanks for the response.
We are looking for the certificates and bigip.conf to be synchronized between the two locations. Does this also sync the certificates?
Can the config sync be actioned over the management interface (LAN will be admin shut) and management interface of the will be on different subnets and routed across an MPLS network?
If so seems a good way to achieve this 🙂
Using the MGMT port for synchronization can be done but it is not recommended. You will have to modify the following DB value: configsync.allowmanagement. In some cases it can cause strange behavior.
Would it be possible for you to create a new subnet and route that over the MPLS network instead? You should be able to simply add the new subnet/VLAN on all devices and then add the DR BIG-IPs to the trust by using the new self-IP addresses in the configsync subnet. Before you make any more changes, make sure there is connectivity between all devices.
Then, change the configsync IP to the same subnet as the devices in the DR site. You can keep the same settings for failover and mirroring addresses since those are only relevant for the primary site.
Afterwards you would have 4 devices that can communicate with each other over the sync network. Now you create a sync-only group consisting of all 4 devices. If the sync in the primary site were to fail, simply change back to the original address and you're back where you began. If there is any outage, only the sync will be affected.
Another option would be to purchase BIG-IQ and use the Central Management function to push the same configuration to all devices. In that case you just need to make sure BIG-IQ has a connection to each BIG-IP device. BIG-IQ can make sure the certificates and configuration are the same on all devices, and it can also back up your devices.
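The sync-only procedure described above, written out as tmsh commands. This is an added example, not commands from the thread or from F5; the device names, the 10.99.0.0/24 sync subnet, interface 1.3 and the admin credentials are assumed placeholders, and the self-IP address must be unique on each of the four devices.

```tmsh
# --- On every device (production pair and both DR standalones) ---
# 1. Dedicated sync VLAN and self-IP, routed across the MPLS link.
#    Use a different host address (.11 .12 .21 .22) on each device.
create net vlan vlan_sync interfaces add { 1.3 { untagged } }
create net self self_sync address 10.99.0.11/24 vlan vlan_sync allow-service default

# 2. Point this device's ConfigSync address at the new sync self-IP.
#    Failover and mirroring addresses are left unchanged; they only
#    matter for the HA pair in the production site.
modify cm device bigip1.example.com configsync-ip 10.99.0.11

# --- On one production device only (the trust authority) ---
# 3. Add the DR devices to the existing device trust using their new
#    sync self-IPs. Confirm reachability (ping 10.99.0.21) first.
modify cm trust-domain Root ca-devices add { 10.99.0.21 } name dr-bigip1.example.com username admin password ADMIN_PASSWORD
modify cm trust-domain Root ca-devices add { 10.99.0.22 } name dr-bigip2.example.com username admin password ADMIN_PASSWORD

# 4. Create the sync-only group containing all four devices.
#    type sync-only: configuration (including SSL cert/key objects and
#    user accounts) is synced, but no failover relationship is created.
create cm device-group dr-sync type sync-only auto-sync enabled devices add { bigip1.example.com bigip2.example.com dr-bigip1.example.com dr-bigip2.example.com }

# 5. Push the production configuration to the group and verify.
run cm config-sync to-group dr-sync
show cm sync-status
list cm trust-domain Root

# NOT recommended (per the thread): syncing over the management port
# requires this DB variable and can cause strange behaviour.
# modify sys db configsync.allowmanagement value enable
```

If the sync over the new subnet misbehaves, reverting is just `modify cm device <name> configsync-ip <original-ip>` on the production pair; the HA pair keeps working because failover and mirroring were never moved.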