Forum Discussion

neptune_121018
Feb 09, 2015

Sync ASM security policies between BIG-IPs that are in different datacenters.

In this scenario, the end user has ASM in the primary datacenter, and the application security policies have been configured. This time, they have acquired a new BIG-IP ASM for the secondary datacenter. It will be protecting the same applications, but located in another datacenter.

What's the best way to synchronize the ASM policies between BIG-IPs that are located in different datacenters? I know I can Export and Import, but is there a way to keep them updated?

I've used Config Sync to synchronize the ASM security policies between BIG-IPs that are located next to each other (HA Pair). Can something similar be used?

1 Reply

    shaggy

    Check out "Overview: Synchronizing ASM systems for disaster recovery"

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-1-0/4.html

    I had this configured in a lab a few years ago, so I don't recall the details/issues.

    Scenario:

    • Data-Center 1 - primary LTM/ASM pair (1) were in a sync-failover group named dc1_sync_failover
    • Data-Center 2 - secondary LTM/ASM pair (2) were in a sync-failover group named dc2_sync_failover

    High level:

    1. Each device must be a part of the trust group of the other three devices (all four devices will trust each other). They (obviously) must also be able to communicate with each other over the selected HA self-IP addresses.
    2. LTM/ASM pair 1 will be configured in dc1_sync_failover sync-failover device-group, and LTM/ASM pair 2 will be configured in dc2_sync_failover sync-failover device-group.
    3. LTM/ASM pair 1 devices should see the dc2_sync_failover device group in their device-group configuration, but will not be members in dc2_sync_failover. - NOTE - I do not remember if I had to manually create the dc2_sync_failover device-group on LTM/ASM pair 1 and add the LTM/ASM pair 2 devices or if it automatically appeared due to the trust-group.
    4. (reverse of 3) LTM/ASM pair 2 devices should see the dc1_sync_failover device group in their device-group configuration, but will not be members in dc1_sync_failover. - NOTE - I do not remember if I had to manually create the dc2_sync_failover device-group on LTM/ASM pair 1 and add the LTM/ASM pair 2 devices or if it automatically appeared due to the trust-group.
    5. Create a sync-only device group that will be used for all four LTM/ASM devices. Creating the group on one device should propagate to all other devices automatically. You should be able to add all four devices to that sync-only group. Afterwards, all devices should be a member of their local sync-failover group and the 'universal' sync-only group.
    6. Configure ASM to use the sync-only group for config-sync.
    7. ASM configs should synchronize among the sync-only device-group, and LTM configuration should sync using the local sync-failover device-group.

    I do not remember where ASM config-sync stops and LTM config-sync begins. ASM policies may be synchronized using the sync-only group, but the LTM configuration that assigns the ASM policy to a virtual server (LTM policy profiles or HTTP classes) is probably only synced using the local sync-failover group. Because of this, you will need to ensure that the profiles are properly created in each location to assign the ASM policies to the local LTM virtual servers.

    I highly recommend running through this in a non-prod environment before doing so in production as you could very easily impact production if something goes awry when manipulating prod device-group configurations.
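The device-group layout from the reply above, written out as tmsh commands. This is an added example, not code from the thread or from F5's guide; the hostnames, HA self-IPs (192.0.2.x), the sync-only group name asm_sync_only and the password placeholder are constructed, and the ASM binding in step 6 is a GUI step (assumed path, per the linked 11.1 guide) so it appears only as a comment.

```tmsh
# Run from one device in DC1 (bigip1a). Device names are the hostnames each
# BIG-IP reports under /cm device; the IPs are the HA self-IPs (constructed).

# Step 1: one trust domain across all four devices. Add each peer once; the
# trust relationship then propagates to every member.
modify /cm trust-domain Root ca-devices add { 192.0.2.12 } name bigip1b.dc1.example.com username admin password <ADMIN_PASSWORD>
modify /cm trust-domain Root ca-devices add { 192.0.2.21 } name bigip2a.dc2.example.com username admin password <ADMIN_PASSWORD>
modify /cm trust-domain Root ca-devices add { 192.0.2.22 } name bigip2b.dc2.example.com username admin password <ADMIN_PASSWORD>

# Step 2: one sync-failover group per data center. LTM objects (virtual
# servers and the profiles that attach an ASM policy) stay local to each pair.
create /cm device-group dc1_sync_failover type sync-failover network-failover enabled devices add { bigip1a.dc1.example.com bigip1b.dc1.example.com }
create /cm device-group dc2_sync_failover type sync-failover network-failover enabled devices add { bigip2a.dc2.example.com bigip2b.dc2.example.com }

# Steps 3-5: device groups are shared across the trust domain, so both
# sync-failover groups are visible on all four devices. The sync-only group
# spans all four and carries only the ASM policies.
create /cm device-group asm_sync_only type sync-only devices add { bigip1a.dc1.example.com bigip1b.dc1.example.com bigip2a.dc2.example.com bigip2b.dc2.example.com }

# Step 6 (GUI, assumed path): Security > Options > Application Security >
# Synchronization, select asm_sync_only as the ASM synchronization group.

# Step 7: push the initial sync from this device and confirm every group
# reports "In Sync" before touching the virtual-server/profile bindings.
run /cm config-sync to-group dc1_sync_failover
run /cm config-sync to-group asm_sync_only
show /cm sync-status
list /cm device-group asm_sync_only devices
```

A device that shows up in `show /cm sync-status` as "Changes Pending" for asm_sync_only but "In Sync" for its local sync-failover group is the symptom of the split the reply describes: the policy moved, but the LTM objects that assign it did not.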