LyonsG_85618
Jun 19, 2014

Device Trust issues after v11 upgrade

I have been upgrading my 6900 estate to v11 and the latest problem for me is Device Trust.

On the other HA pairs I have upgraded I have had varying degrees of success:

1) First pair did not form device trust relationship, but after deleting and recreating I managed to resolve the issue.

2) Second pair formed device trust relationship with no errors.

3) Would not form device trust.

So for 3) the initial problem was that device trust was not formed.

Error message in log:

The requested device group (/Common/device_trust_group) was not found.

I deleted the device group and ensured all mention of the peer was removed.

I then tried to add the peer back in – Device Management/Peer List/Add – and received the following message:

getDeviceInfo failed: get_local_device: Unknown method "{urn:iControl:Management/Device}:get_local_device"

I tried various times and also confirmed userid/password were valid. I rebooted the newly upgraded device and tried again – still the same issue.

I tried to create device trust from the command line and received exactly the same error.

Command = tmsh modify /cm trust-domain ?common/Root ca-device add { 172.31.31.31 } name device.domain.com username xxxxxx password yyyyyy

NTP was configured on both devices.

No other error messages in log.

Has anyone seen this before?

Many thanks in advance.

11 Replies

  • kunjan

    You may want to try this:

    touch /service/mcpd/forceload

    reboot

    http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html?sr=36679609

    • LyonsG_85618
      Thanks. As per text below I have a change up to test v11 tomorrow. Will see what happens on 2nd attempt.
  • There is one more piece to the trust that you may or may not have completed. I've had v11 pairs where it was required and where it wasn't. I had to export the device certificate from each device and import them on the other device in the pair. You have to go to System > Device Certificates > Trusted Device Certificates and import the certificate from the other device in the pair. I think best practice is to do this before building any other part of the device trust, so you probably should completely disassemble your device trust before doing this. I don't think it would hurt if you didn't though....

    Sorry to waste your time if you've already done this.


    • Patrik_Jonsson
      Interesting! I've upgraded many v10's and never encountered this solution. Establishing trust should be enough to exchange certificates. Will keep this in mind. :)
    • Steve_M__153836
      Patrik, I agree. Most times I've not had to take these steps, but it's happened just enough times I thought it would be worth sharing (only in v11 though; and usually when upgrading minor versions, i.e. 11.2.x > 11.3.x).
    • LyonsG_85618
      Thanks Steve. I haven't tried this but have a change up to test implementation again tomorrow so will try the certificate thing. I'll post my findings back on Wednesday.
  • JG

    Which version of the BIG-IP did you upgrade from?
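
The reply above about Trusted Device Certificates describes a mutual import: each device's certificate must be present in the other's trusted list. The check below is an added example, not part of the original thread or F5 tooling, that verifies this by comparing SHA-256 fingerprints; the device names and PEM data are constructed stand-ins, and it assumes each device's exported certificate and trusted bundle have been read into strings.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found

def check_mutual_trust(devices):
    """devices maps name -> (own_cert_pem, trusted_bundle_pem).
    Returns sorted (truster, peer) pairs where truster's bundle lacks peer's cert."""
    missing = []
    for truster, (_, bundle) in devices.items():
        trusted = fingerprints(bundle)
        for peer, (peer_cert, _) in devices.items():
            if peer == truster:
                continue
            peer_fp = fingerprints(peer_cert)
            # An unparseable or empty export counts as untrusted, not as a pass
            if not peer_fp or not peer_fp <= trusted:
                missing.append((truster, peer))
    return sorted(missing)

def _fake_pem(label):
    # Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real X.509 cert
    body = base64.encodebytes(label.encode() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed scenario with hypothetical device names
CERT_A = _fake_pem("bigip-a device cert")
CERT_B = _fake_pem("bigip-b device cert")
STALE_B = _fake_pem("bigip-b cert that B no longer presents")

SAMPLE = {
    "bigip-a": (CERT_A, STALE_B),           # A holds a cert B no longer uses
    "bigip-b": (CERT_B, CERT_A + STALE_B),  # B's bundle contains A's current cert
}

if __name__ == "__main__":
    for truster, peer in check_mutual_trust(SAMPLE):
        print(f"{truster} does not hold the current certificate of {peer}")
```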