After two weeks of working with the consultant and getting nowhere, I booked a hotel for the weekend
We recently retired data centers, and in the process, transported its GTM to our home office. Despite being gentle, its single hard drive failed in the process, and once the RMA unit arrive, I was once again reminded how confusing the configuration process is. The F5 BigIP is loaded with nerd knobs, and the GTM is especially hairy as it has overlapping menus and settings different from the more popular LTM
1) Select the Self IP for Sync communication, and verify iQuery is allowed
This ideally should be an internal interface that has redundancy (for example, is two physical interfaces bonded via LACP).
Usually the internal Self IP is set to “allow all”. Since I had deliberately set this Self IP as “allow none”, I had to change it to “Allow custom”, and add tcp port 4353.
2) Set the config sync source Interface
This will be the step that anyone with F5 HA experience will be familiar with. However, most will assume it to be under System -> High Availability -> Device Connectivity.
Instead, look under Device Management -> Devices -> and click the self GTM. Then look under Device Connectivity -> ConfigSync
Note that this is the only step needed under the entire Device Management tree.
3) On the existing GTM, create the other GTM as a server
This is done under DNS -> GSLB -> Servers. Enter the name and IP address of the other GTM, with the product as “BIG-IP System (Single)”. Chose the same IP address as the Self IP selected in the previous step. Set the health monitor to “bigip”
4) Run bigip_add on both units
This will use SSH to exchange SSL certificates. In order for bigip_add to work, both sides must have SSH enabled, and the account must have advanced shell (bash) set.
admin@(f5bigip01)(cfg-sync In Sync)(Active)(/Common)(tmos)# bash [admin@f5bigip01:Standby:In Sync] ~ # bigip_add email@example.com Retrieving remote and installing local BIG-IP's SSL certs ... Password: ==> Done <== admin@(f5bigip02)(cfg-sync In Sync)(Standby)(/Common)(tmos)# bash [admin@f5bigip02:Active:In Sync] ~ # bigip_add firstname.lastname@example.org Retrieving remote and installing local BIG-IP's SSL certs ... Password: ==> Done <==
If the account does not have SSH & bash enabled (which is the default setting), this error appears:
ERROR: Can’t read remote cert via /usr/bin/ssh
Since this is a 1-time exchange, I simply used the management port IP addresses, as it has SSH enabled.
Once this step has been completed, each GTM should have the other’s certificate installed under DNS -> GSLB -> Servers -> Trusted Server Certificates or /config/gtm/server.crt
5) On the device whos config you want to overwrite, run gtm_add
This will pull the gtm.conf configuration over iQuery (tcp port 4353). The IP address should match the one that was given in the first step. In our case, this was the internal interface.