Forum Discussion
Feb 06, 2015
Hi, Link Controller is using iQuery on TCP/4353 for inter device communication regarding the GTM related part of the configuration.
For this purpose you have the port lockdown settings on your external self IP addresses and perhaps floating self IPs still configured to "allow all" or "default". This opens as well TCP/443, and the WebUI becomes available on these interfaces as well. I highly recommend to configure ACLs on your external routers to prevent everything but DNS from hitting the external self IPs, including the floating self IP. Link Controller (at least as far as I remember) is using some automatism to build the GTM related configuration part, and for this it used to be required to work with open service ports on the external self IPs. Not a good idea in my opinion. Once your Link Controllers work as expected, it makes sense to trace the inter device communication by TCPDUMP and to customize the port lockdown settings for the external self IPs asap. Be aware that changed settings for the floating IP may not be synchronized (version dependent) and verify this setting on both machines. One more thing regarding device certificates. It's best practice to create long lasting (3650 days) self signed device specific device certs instead of using the default (localhost.localdomain) certificate. Keep in mind these certs are used both as client and server certificates ("purpose" attribute). If you plan to get these certs signed by a CA, it needs to keep these requested attributes. Changing device certs afterwards will break the iQuery communication, as you will notice in /var/log/gtm. It will be necessary to re-import the replaced certs by using the "bigip_add" script on all involved devices. Keep in mind that a machine also needs to trust itself and these certs are stored in multiple places (all this is automatically handled by "bigip_add").
Thanks, Stephan