Forum Discussion

Aaron_Baxter_13
Aug 12, 2015

Device trust setup issues

I am running BigIP 11.6 HF4 and have had this issue for a long time, but never remember how to solve it.

When I request a peer to be established, the configuration details are loaded from the soon-to-be peer on the requesting unit (the one I am connected to and entered the credentials on for the remote system). However, upon checking the peer unit, only the device name is presented; the MAC, version, etc. from the "primary" system are not shown. I have the 2 Self IPs set to Allow All and the ConfigSync addresses set to those self IPs. Can someone help me out here? I'm trying to get our Active/Standby back after a device failure as well as set up a new cluster for HA Active/Active.

 

4 Replies

  • Check NTP ... there are major clustering issues if NTP is out of sync and the clocks differ a lot. Let me know if that doesn't work.

     

    • Aaron_Baxter_13
      Yeah, NTP is in sync; each has unique management IPs, hostnames, etc.
  • Do this...

     

    1. Remove all devices from any device groups.
    2. Delete the device groups.
    3. Remove all peer devices from any traffic groups if you've changed the default traffic group configuration.
    4. Remove all peers from both devices. You should now see Standalone status.
    5. Verify NTP sync (ntpq -pn in bash).
    6. Verify that you can ping each peer's HA self IP address from the other peer (A to B and B to A).
    7. Ensure those self IPs have "allowed services" set to default or all (not none).
    8. Reset the local device trust on both peers (Device Management -> Device Trust -> Local Domain -> Reset Device Trust...) - Generate a new self-signed authority.
    9. REBOOT

    After that, rebuild your trust as you normally would.
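
The checks in steps 5 and 6 of the procedure above, as an added example that is not part of the original reply: a shell pre-flight that parses `ntpq -pn` output for a selected peer and pings the other unit's HA self IP before any trust reset. The 500 ms offset threshold, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight for steps 5 and 6 above. Run on each peer.
# MAX_OFFSET_MS is an assumed threshold, not a documented F5 limit.
MAX_OFFSET_MS=${MAX_OFFSET_MS:-500}

# Constructed sample `ntpq -pn` output (documentation addresses), for offline checks.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.512   -0.204   0.031
+192.0.2.11      192.0.2.10       2 u   12   64  377    0.731    1.118   0.102'
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_synced: reads `ntpq -pn` output on stdin. Succeeds only if a server
# carries the "*" tally (selected system peer) and its offset, column 9 in
# milliseconds, is within MAX_OFFSET_MS in either direction.
ntp_synced() {
    awk -v max="$MAX_OFFSET_MS" '
        substr($0, 1, 1) == "*" {
            off = $9 + 0
            if (off < 0) off = -off
            found = 1
            ok = (off <= max)
        }
        END { exit !(found && ok) }
    '
}

# peer_reachable: step 6, three pings to the peer HA self IP.
peer_reachable() {
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

# preflight <peer-HA-self-IP>: stop before any trust reset if a check fails.
preflight() {
    ntpq -pn | ntp_synced || { echo "FAIL: NTP has no selected peer or offset too large"; return 1; }
    peer_reachable "$1" || { echo "FAIL: cannot ping $1"; return 1; }
    echo "OK: NTP synchronized and $1 reachable"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```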

     

  • FYI, if you want "Active/Active", you will want to create another traffic group once the clustering is back to normal. Set traffic-group-1 to be A/B and set the new traffic-group to be B/A as far as failover order. Then you'll need to assign some of your LTM objects to traffic-group-2 to allow for the "standby" chassis to own the traffic processing for those objects.