Forum Discussion

benmgood36
Feb 17, 2015

Certificate issues getting a cluster established

Forgive me for my ignorance as I'm brand new to F5...

I'm trying to set up a simple two-node failover cluster and I'm having nothing but problems. Here is my general process that I'm following:

  • Create the HA VLAN and self IP
  • Configure the ConfigSync to use the HA self IP
  • Configure Failover to use the HA self IP and management IP
  • Go to the Peer Trust and add the second device via its management IP

When I add the second device into the peer trust, the first sees its serial number, MAC address and so on. But the second device never sees the information for the first. I can manually add it, but they both see each other as disconnected. Turning up the logging, I see SSL handshake failures on port 4353.

I've tried this both on the 10200v-FIPS appliances with 11.4.1 and on the trial of the virtual edition 11.3.0. They both exhibit the same behavior.

This looks like it should be such a simple process from looking at the documentation and YouTube videos, but I'm getting nowhere. Have any of you seen this type of behavior? I am certain I have connectivity between the two.

Thanks,

Ben

12 Replies

  • Just to be clear, I have also done this with the setup utility, where you have the internal and external VLANs with the floating IPs. It doesn't make any difference. I get the same behavior.
  • I would recommend opening a support ticket. Probably related to the FIPS module.
  • I do have a support ticket open, but I'm unable to use WebEx so I'm not getting very far with it. I find it very odd that I have the same problem using the virtual edition, though. It makes me wonder if there's some step I'm missing.
  • BinaryCanary_19 (Historic F5 Account)

    After you add the peer as trusted, you also need to Create a Sync-Failover device group, and add both devices to it.

    Make sure that the Failover checkbox is ticked on the device group.

    • benmgood36
      If you proceed to creating the failover group, only the first device will get it. If you create it on both, both devices show the other as disconnected.
    • BinaryCanary_19 (Historic F5 Account)
      Add both devices to a single group on one device, and then synchronize.
  • BinaryCanary_19 (Historic F5 Account)

    Concentrate on only one device. Once both are trusted and in the same device group, then you synchronize the changes to the other device.

    If it still shows as disconnected, then very likely you have no IP addresses specified in Network Failover for one or more of the devices, or the ports are locked down, or network failover is not enabled on the device group.

    • benmgood36
      It seems like the trust is the issue, and I can't get it to the point where they would ever sync the failover group. I immediately get errors in the LTM log about the device_trust_group being inconsistent as soon as I add one to the other's peer trust. The IPs are all in place, and I used Allow All on the HA self IP. The setup utility looks like it performs this in the order you're saying, where it sets up the peer trust and failover all on one device, but I get the same behavior there. The second device never sees the failover group and only shows the hostname of the first device; it never learns the rest of its details like the serial number, MAC, and so on.
    • nathe
      What happens if you telnet from one of the BIG-IPs to the other one on port 4353? i.e. telnet
    • nathe
      Is NTP configured, and are the dates/times the same on both boxes?
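  • Pulling BinaryCanary_19's "do everything on one device, then sync" sequence and nathe's two checks (port 4353 reachability, NTP/clock agreement) together, the same procedure as tmsh commands. This is an added example, not commands posted in the thread or taken from F5 documentation verbatim; the device names bigip1.example.com / bigip2.example.com, the HA self IPs 10.10.10.1 / 10.10.10.2, the management IPs 192.168.1.1 / 192.168.1.2, the device-group name failover-dg and the password placeholder REPLACE_ME are all assumptions for illustration. Device names must match what `list cm device` reports on each unit (normally the hostname).

    ```tmsh
    # Added example: run at the tmsh prompt of ONE device (bigip1) only.
    # All names, addresses and the password placeholder are assumptions.

    # 1. Tell the local device object which addresses it will use for
    #    ConfigSync, network failover (HA self IP plus management IP, so
    #    failover survives the loss of either path) and connection mirroring.
    modify cm device bigip1.example.com configsync-ip 10.10.10.1
    modify cm device bigip1.example.com unicast-address { { ip 10.10.10.1 port 1026 } { ip 192.168.1.1 port 1026 } }
    modify cm device bigip1.example.com mirror-ip 10.10.10.1

    # 2. Add the peer to the trust domain by its management address.
    #    This exchanges device certificates with the peer over TCP 4353,
    #    so this is the step that fails with an SSL handshake error when
    #    4353 is locked down on the self IP or the two clocks disagree.
    #    Run it here only; the peer learns bigip1's details from it.
    modify cm trust-domain Root ca-devices add { 192.168.1.2 } name bigip2.example.com username admin password REPLACE_ME

    # 3. Create a single sync-failover device group holding both devices,
    #    with network failover enabled, still on bigip1.
    create cm device-group failover-dg devices add { bigip1.example.com bigip2.example.com } type sync-failover network-failover enabled

    # 4. Push bigip1's configuration, device group included, to the peer.
    run cm config-sync to-group failover-dg

    # 5. Checks to run when the peer still shows as Disconnected.
    #    The peer entry should now carry a serial number and MAC, not
    #    just a hostname, and both units should agree on the time.
    show cm sync-status
    show cm failover-status
    list cm device
    list sys ntp
    show sys clock

    # Raw TLS handshake test against the peer's device-trust port, and the
    # log the handshake failures land in.
    run util bash -c "openssl s_client -connect 192.168.1.2:4353 < /dev/null"
    run util bash -c "tail -n 50 /var/log/ltm"
    ```

    The order matters: the local device's ConfigSync and failover addresses are set before the trust is added, because the device object is what gets exchanged with the peer, and the device group is created and synced from the same unit rather than built by hand on both. The `openssl s_client` call shows the peer's certificate and the handshake outcome directly, which separates a blocked port (connect fails) from a certificate or clock problem (connect succeeds, handshake fails). None of this covers the FIPS module re-initialization the original poster ended up doing; that is a separate step outside the trust and device-group configuration.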
  • So I've rebuilt the boxes from a thumb drive and started from a clean slate, because I had so many issues during the first go-round. I also reinitialized the FIPS modules, which took two attempts on each device for some reason. Anyway, the devices do seem to be working just fine now.

    Thanks for the assistance.