Forum Discussion

Jul 15, 2014

iQuery fails between GTM & LTM

POST EDITED

Hi all

Last night I attempted to enable iQuery between our GTMs and LTMs, however, it failed.

To walk through the steps here's what I did:

  1. Ensured the Self-IPs on the LTMs to which I would be establishing iQuery were set to Port Lockdown "Allow Default".
  2. Tested that iQuery, SSH and HTTPS were not blocked by any firewalls: nc -v -s GTM IP <-> LTM IP 4353/22/443. All returned a success. Great!
  3. Attempted to run the bigip_add command from the GTM -> LTMs in DC1 by targeting the LTM Self-IPs: bigip_add
  4. Attempted to run the big3d_install command from the GTM -> LTMs in DC2 by targeting the LTM Self-IPs.

From the GTMs to one set of LTMs (in data centre 1) I received the following output:

    Retrieving remote and installing local BIG-IP's SSL certs ...
    Enter root password for -a if prompted
    ssh: mkdir -p /config/big3d; if [ -e /config/httpd/conf/ssl.crt/server.crt ]; then cat /config/httpd/conf: Name or service not known
    ERROR: Can't read remote cert via /usr/bin/ssh.
    Enter root password for admin@x.x.x.x if prompted
    ssh_exchange_identification: Connection closed by remote host
    ERROR: Can't read remote cert via /usr/bin/ssh.
    ==> Done <==

On the other link, that is, from the GTMs to the LTMs in data centre 2, I received a different problem:

    Unable to retrieve version and platform information via iqsh for x.x.x.x
    Attempting via ssh ...
    Password: (Entered password 3 times)
    Permission denied (publickey,keyboard-interactive,hostbased).
    Unable to retrieve tmsh and/or big3d versions from x.x.x.x

Regarding the first issue, I found an article that seems to describe our problem:

“SOL13823: The bigip_add script fails to connect to BIG-IP systems running in Appliance mode”
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13823.html

However, our LTMs are not in appliance mode, but our GTMs are!? And in addition, we actually already have an iQuery between another pair of LTMs and these very same GTMs.

Regarding the second issue, as per the steps above, the big3d versions were different, so I attempted to run the big3d_install command. I'm wondering if the admin user I am putting in doesn't have the correct permissions. Currently the admin user does not have tmsh rights. Could this be the issue?

The versions we're running are:

    GTMs: 11.2.1, LTM (DC1): 11.4.1, LTM (DC2): 10.1.0

Any advice?

Thank you

3 Replies

  • iirc, certificate exchange on the cli requires root shell access.

  • Thanks Jason. That is very useful to know as I was using our 'admin' account.

    Interestingly I tried to SSH from our GTMs to LTMs and found that from the GTMs to the LTMs in DC1 (11.4.1) SSH failed thus:

        [admin@gtm-1:Active:Standalone] ~ ssh -b root@DC1 LTM self-IP>
        ssh_exchange_identification: Connection closed by remote host

    The SSH session to the DC2 LTM was successful, however:

        [admin@gtm-1:Active:Standalone] ~ ssh -b root@DC2 LTM self-IP>
        Password:
        Last login: Tue Jul 15 13:43:09 2014 from
        [admin@ltm-dc2:Active] ~

    Both LTMs have their port lockdown set to "Allow Default". Yet, when I test SSH in another fashion thus it shows the SSH connection as successful to DC1 LTM:

        [admin@gtm-1:Active:Standalone] ~ nc -v -s 22
        Connection to DC1 LTM self-IP 22 port [tcp/ssh] succeeded!

    So I'm confused now. Will the next attempt of trying iQuery to the DC1 LTM work even using the root password?

  • It turns out there is an SSH Allow list under System > Platform on the DC1 LTM with a specific list that doesn't include the GTM hence SSH not working. On the DC2 LTM it is set to "Allow All".
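The last reply explains the split symptom in this thread: nc reported port 22 open on the DC1 LTM while ssh got "ssh_exchange_identification: Connection closed by remote host", because a host-side allow list accepts the TCP connection and then hangs up before the SSH banner. As an added example (not from the thread, nor F5's own tooling), this Python probe goes one step past a plain connect test and waits for the banner, so a connect-then-hangup is reported separately from a firewall block; the stand-in server and its banner are constructed for the demo.

```python
import socket
import sys
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # constructed banner for the local stand-in

def probe_ssh(host, port=22, timeout=3.0):
    """One step past 'nc -v': connect, then wait for the SSH identification line.
    unreachable: TCP connect failed (firewall, port lockdown, host down)
    closed: connected, but the peer hung up before sending a banner; this is what a
            host-side SSH allow list looks like (nc says 'succeeded', ssh reports
            'ssh_exchange_identification: Connection closed by remote host')
    ssh: a banner arrived; next check the account (bigip_add needs a root shell)
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        s.settimeout(timeout)
        data = s.recv(256)
    except OSError:  # reset or timed out while waiting for the banner
        data = b""
    finally:
        s.close()
    return "ssh" if data.startswith(b"SSH-") else "closed"

def fake_ltm(behaviour):
    """Constructed local stand-in for an LTM's port 22; returns the bound port.
    'allowlist' accepts and immediately closes, 'banner' speaks SSH."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(SSH_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":  # probe_ssh.py <self-IP> ...; no arguments = local demo
    targets = [(h, 22) for h in sys.argv[1:]]
    targets = targets or [("127.0.0.1", fake_ltm(b)) for b in ("allowlist", "banner")]
    for host, port in targets:
        print(f"{host}:{port} -> {probe_ssh(host, port)}")
```

Run it from the GTM with the LTM self-IPs as arguments; a "closed" result points at the host itself (the SSH allow list under System > Platform, in this thread's case) rather than at the firewalls between the sites.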