Forum Discussion

danielc
Jun 22, 2022

DNS sync between 2 active-standby BIG-IP load balancers

Hello,


I am trying to set up DNS sync between 2 BIG-IPs, which are a cluster in Active - Standby status. I can follow this article:

https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-12-1-0/12.html

I have no difficulty setting up GSLB, datacenter, servers, and running the gtm_add command on the standby LB.

But I found that the DNS records are still not synced automatically after new DNS records are created. I am not sure what I have missed. Is the DNS supposed to sync automatically, or must I do it via zone transfer?


Thanks

Daniel

7 Replies

  • I found that I can use the gtm_add command on the standby node to "update" the DNS records on the standby node to sync again if I make changes to the DNS records of the active node. But without gtm_add, the DNS records are not synced between the two.

  • Hi,

    DNS records should sync automatically. Make sure you have added both nodes as GSLB servers, in GUI and in CLI using bigip_add script.

    Also, if you want to sync zonerunner zones, make sure in DNS > Settings > GSLB > General, you enable "Synchronize DNS Zone Files"

    •
      danielc

      Hello Amine,

      I have no problem following this:

      both nodes as GSLB servers -> Yes, the nodes have been added to a Datacenter and all show green lights

      in CLI using bigip_add script. -> Ok, I have run bigip_add and gtm_add on the standby node without any problem


      make sure in DNS > Settings > GSLB > General, you enable "Synchronize DNS Zone Files" -> yes, already done...

      But the records are still not synced if I just create a new DNS record in the zone file of the active node. I just use ZoneRunner.... Both nodes can serve DNS zones successfully with the floating IP... Just the zone files are not in sync between nodes..... How can we troubleshoot this out-of-sync issue?

      Should they sync immediately when the active node is updated, or how long does it take to update and sync to the standby node?

      Thanks

      Daniel

    •
      danielc

      Hello Amine,


      Both LBs got the following logs, but the DNS is not in SYNC automatically.

      [root@LB1:Active:In Sync] config # cat /var/log/gtm.1 | grep gtm
      Jun 24 14:46:28 LB1 notice gtmd[14472]: 011a New key or certificate file detected, attempting to create new SSL Conte
      Jun 24 14:46:28 LB1 notice gtmd[14472]: 011a SSL Context created with cipher list 'AESGCM:AES:!ADH:!AECDH:!PSK:!aECDHECDSA:!AES128:-SHA1:AES256-SHA' and minimum TLS version 'TLSv1'.

      [root@LB2:Standby:In Sync] config # cat /var/log/gtm.1 | grep gtmd
      Jun 24 14:45:48 LB2 notice gtmd[3262]: 011ae054:5: New key or certificate file detected, attempting to create new SSL Context.
      Jun 24 14:45:48 LB2 notice gtmd[3262]: 011ae05f:5: SSL Context created with cipher list 'AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA' and minimum TLS version 'TLSv1'.
      Jun 24 14:46:12 LB2 notice gtm_add[3895]: ==> Running 'bigstart shutdown gtmd' on the local system
      Jun 24 14:46:25 LB2 notice gtm_add[3895]: Restarting gtmd
      Jun 24 14:46:26 LB2 notice gtmd[4205]: 011a0007:5: /usr/sbin/gtmd started ===============================
      Jun 24 14:46:26 LB2 notice gtmd[4205]: 011ae05f:5: SSL Context created with cipher list 'AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA' and minimum TLS version 'TLSv1'.
      Jun 24 14:46:32 LB2 notice gtmd[4205]: 011ae01c:5: Connection complete to 192.168.29.112. Starting SSL handshake
      Jun 24 14:46:32 LB2 notice gtmd[4205]: 011ae01c:5: Connection complete to 192.168.29.111. Starting SSL handshake
      Jun 24 14:46:32 LB2 notice gtmd[4205]: 011ae01a:5: SSL handshake complete to 192.168.29.111
      Jun 24 14:46:32 LB2 alert gtmd[4205]: 011a500b:1: SNMP_TRAP: Box 192.168.29.111 state change blue --> green
      Jun 24 14:46:32 LB2 alert gtmd[4205]: 011a5003:1: SNMP_TRAP: Server /Common/LB1 (ip=192.168.29.111) state change blue --> green
      Jun 24 14:46:32 LB2 alert gtmd[4205]: 011ab003:1: SNMP_TRAP: Data center /Common/DC state change blue --> green
      Jun 24 14:46:32 LB2 notice gtmd[4205]: 011ae01a:5: SSL handshake complete to 192.168.29.112
      Jun 24 14:46:32 LB2 alert gtmd[4205]: 011a500b:1: SNMP_TRAP: Box 192.168.29.112 state change blue --> green
      Jun 24 14:46:32 LB2 alert gtmd[4205]: 011a5003:1: SNMP_TRAP: Server /Common/LB2 (ip=192.168.29.112) state change blue --> green
      Jun 24 14:46:43 LB2 notice gtmd[4205]: 011a0059:5: hookOnChild: tmsh config save exited with status == 0.(success)

  • Hello Amine,

    But I have found something new when reading the document:

    https://support.f5.com/csp/article/K13690

    I found that when I run tmsh show /gtm iquery, it is not reporting BIGIP-DNS but just BIGIP


    [root@LB1:Active:In Sync] config # tmsh show /gtm iquery

    --------------------------------------------------
    Gtm::IQuery: 192.168.29.111
    --------------------------------------------------
    Server LB1
    Server Type BIGIP
    Data Center dc
    Connection Time 06/28/22 18:13:55
    State connected
    Connection ID 25
    Reconnects 1
    Backlogs 0
    Bits In 729.8M
    Bits Out 5.4M
    Bytes Dropped 65
    Cert Expiration Date 03/16/32 03:02:31
    Configuration Time None
    Configuration Commit ID 0
    Configuration Commit Originator ---
    Local TMOS version 16.1.2
    Remote TMOS version 16.1.2.2
    Local big3d version
    Remote big3d version 16.1.2.2.0.0.28
    Cipher Name AES256-GCM-SHA384
    Cipher Bits 256
    Cipher Protocol TLSv1.2

    --------------------------------------------------
    Gtm::IQuery: 192.168.29.112
    --------------------------------------------------
    Server LB2
    Server Type BIGIP
    Data Center dc
    Connection Time 06/28/22 18:13:55
    State connected
    Connection ID 34
    Reconnects 29
    Backlogs 0
    Bits In 754.9M
    Bits Out 5.6M
    Bytes Dropped 1.2K
    Cert Expiration Date 03/16/32 00:57:28
    Configuration Time None
    Configuration Commit ID 0
    Configuration Commit Originator ---
    Local TMOS version 16.1.2
    Remote TMOS version 16.1.2.2
    Local big3d version
    Remote big3d version 16.1.2.2.0.0.28
    Cipher Name AES256-GCM-SHA384
    Cipher Bits 256
    Cipher Protocol TLSv1.2


    I then tried to create a new Prober Pool and put them in, and it seems that made some progress

    Jun 28 18:13:55 LB1 notice gtmd[14472]: 011ae01c:5: Connection complete to 192.168.29.111. Starting SSL handshake
    Jun 28 18:13:55 LB1 notice gtmd[14472]: 011ae01c:5: Connection complete to 192.168.29.112. Starting SSL handshake
    Jun 28 18:13:55 LB1 notice gtmd[14472]: 011ae01a:5: SSL handshake complete to 192.168.29.111
    Jun 28 18:13:55 LB1 notice gtmd[14472]: 011ae01a:5: SSL handshake complete to 192.168.29.112
    Jun 28 18:13:56 LB1 notice gtmd[14472]: 011ae058:5: iQuery connection ID:12 to Remote IP:192.168.29.111 replaced with connection ID:25.
    Jun 28 18:13:56 LB1 notice gtmd[14472]: 011ae058:5: iQuery connection ID:30 to Remote IP:192.168.29.112 replaced with connection ID:34.
    Jun 28 18:30:03 LB1 notice gtmd[14472]: 011ae054:5: New key or certificate file detected, attempting to create new SSL Context.
    Jun 28 18:30:03 LB1 notice gtmd[14472]: 011ae05f:5: SSL Context created with cipher list 'AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA' and minimum TLS version 'TLSv1'.
    Jun 28 18:30:14 LB1 notice big3d[9952]: 012b3008:5: SSL Context Cipher list set to: AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA.
    Jun 28 18:30:14 LB1 notice big3d[9952]: 012b3007:5: SSL Context created using minimum TLS version tlsv1, SSL cipher list 'AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA'.
    Jun 28 18:35:11 LB1 notice zrd[14591]: 01150216:5: Notice from named-checkzone: zone 1.1.1.in-addr.arpa/IN: loaded serial 1
    Jun 28 18:35:11 LB1 notice zrd[14591]: 01150216:5: Notice from named-checkzone: OK
    Jun 28 18:35:11 LB1 notice zrd[14591]: 01150216:5: Notice from named-checkconf: zone abc,hk/IN: loaded serial 2022062104
    Jun 28 18:35:11 LB1 notice zrd[14591]: 01150216:5: Notice from named-checkconf: zone jellybase.hk/IN: loaded serial 2022062802
    Jun 28 18:35:11 LB1 notice zrd[14591]: 01150216:5: Notice from named-checkconf: zone 1.1.1.in-addr.arpa/IN: loaded serial 1

    However, it still shows as BIGIP and the DNS is still not synced. I am not sure how to fix it; would you please advise how I should fix it so that it reports as BIGIP-DNS when I run tmsh show /gtm iquery?


    Thanks

    • This may indicate a DNS sync group failure. The server type BIGIP means the node is not a member of a DNS sync group. Double check the steps and requirements for setting up the sync group, and if the problem persists then it is better to check with support, since it is a relatively recent version of TMOS being used.
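The check described in the reply above (a peer that reports "Server Type BIGIP" rather than "BIGIP-DNS" is not a sync-group member) can be scripted so that a pair of BIG-IPs is audited the same way every time. The following is an added example written for this thread, not F5 code: it parses the `tmsh show /gtm iquery` output posted earlier (embedded here as a constructed sample, trimmed to the fields the check reads) and reports each peer whose type, connection state, commit ID or reconnect count looks wrong. The `RECONNECT_LIMIT` threshold and the reading of "Commit ID 0 / Configuration Time None" as "no configuration exchanged yet" are the example's own assumptions, not documented F5 semantics.

```python
"""Audit `tmsh show /gtm iquery` output for DNS sync-group problems.

Added example for the thread above, not F5 code. Run it on a box with
`tmsh show /gtm iquery | python3 iquery_check.py` (reads stdin) or run it
as-is to check the embedded sample from the thread.
"""
import re
import sys

# Constructed sample: the output posted in the thread, trimmed to the
# fields this check reads (plus an empty-valued field to exercise parsing).
SAMPLE_IQUERY = """\
--------------------------------------------------
Gtm::IQuery: 192.168.29.111
--------------------------------------------------
Server LB1
Server Type BIGIP
Data Center dc
Connection Time 06/28/22 18:13:55
State connected
Reconnects 1
Bytes Dropped 65
Configuration Time None
Configuration Commit ID 0
Local big3d version
Remote big3d version 16.1.2.2.0.0.28
Cipher Protocol TLSv1.2

--------------------------------------------------
Gtm::IQuery: 192.168.29.112
--------------------------------------------------
Server LB2
Server Type BIGIP
Data Center dc
Connection Time 06/28/22 18:13:55
State connected
Reconnects 29
Bytes Dropped 1.2K
Configuration Time None
Configuration Commit ID 0
Local big3d version
Remote big3d version 16.1.2.2.0.0.28
Cipher Protocol TLSv1.2
"""

# Field names exactly as the command prints them, longest first so that
# "Server Type" is tried before "Server" and values with spaces survive.
FIELDS = sorted([
    "Server", "Server Type", "Data Center", "Connection Time", "State",
    "Connection ID", "Reconnects", "Backlogs", "Bits In", "Bits Out",
    "Bytes Dropped", "Cert Expiration Date", "Configuration Time",
    "Configuration Commit ID", "Configuration Commit Originator",
    "Local TMOS version", "Remote TMOS version", "Local big3d version",
    "Remote big3d version", "Cipher Name", "Cipher Bits", "Cipher Protocol",
], key=len, reverse=True)

RECONNECT_LIMIT = 10  # assumed threshold for flagging a flapping iQuery link


def parse_iquery(text):
    """Return {peer_ip: {field: value}} parsed from `tmsh show /gtm iquery`."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"Gtm::IQuery:\s+(\S+)$", line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        for field in FIELDS:
            if line == field:                 # field printed with no value
                current[field] = ""
                break
            if line.startswith(field + " "):
                current[field] = line[len(field):].strip()
                break
    return peers


def sync_group_issues(peers):
    """Return (peer_ip, code, message) tuples for each suspicious condition."""
    issues = []
    for ip, f in peers.items():
        name = f.get("Server", "?")
        # Sync-group members report as BIGIP-DNS; plain BIGIP is what the
        # thread saw on a pair whose zones never synced.
        if f.get("Server Type") != "BIGIP-DNS":
            issues.append((ip, "SERVER_TYPE",
                           f"{name}: Server Type is {f.get('Server Type')!r}, expected 'BIGIP-DNS'"))
        if f.get("State") != "connected":
            issues.append((ip, "NOT_CONNECTED", f"{name}: iQuery state is {f.get('State')!r}"))
        # Assumption (not documented F5 semantics): commit ID 0 together with
        # no configuration time means nothing has been exchanged on this link.
        if f.get("Configuration Commit ID") == "0" and f.get("Configuration Time") == "None":
            issues.append((ip, "NO_CONFIG_COMMIT", f"{name}: no configuration commit seen on this connection"))
        try:
            reconnects = int(f.get("Reconnects", "0"))
        except ValueError:
            reconnects = 0
        if reconnects > RECONNECT_LIMIT:
            issues.append((ip, "HIGH_RECONNECTS", f"{name}: {reconnects} reconnects, link may be flapping"))
    return issues


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IQUERY
    for ip, code, msg in sync_group_issues(parse_iquery(text)):
        print(f"{ip} {code}: {msg}")
```

On the thread's own output this flags both peers for `SERVER_TYPE` and `NO_CONFIG_COMMIT`, and LB2 additionally for its 29 reconnects; once the sync group is set up correctly and the peers report `BIGIP-DNS`, the `SERVER_TYPE` finding disappears, which makes the script a quick before/after check.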