Forum Discussion

kridsana_52318
Jun 03, 2014

F5 Sync Problem v. 11.4.1

Hi everyone,

I have a problem with sync.

I can't sync F5 APM modules v.11.4.1 HF2 which reside at different sites.

When I add the peer APM, the log shows:

"Can't connect to CMI peer x.x.x.x, port:6699, Transport endpoint is not connected"

What does it mean?

P.S. Before adding the peer, we could iquery to each other, but after adding the peer we can't iquery anymore.

Thank you in advance.

25 Replies

  • My colleague has done something and we seem to have passed this problem (I'll ask him for details and share with all of you around next week).

    But we face another problem.

    When we tried to sync, it showed sync failed and the log showed "master decrypt fail during rekey".

    So I want to rekey with "f5mku -r [keyofpeerunit]".

    The problem is that an error occurs: "master decrypt failed during rekey"

    Has anyone experienced this problem?

    Thank you

  • Hi Teepan,

    After reading the above thread I'm assuming that there are only two devices in the Sync-Failover group. Have you tried resetting the device trust, removing the devices from the Sync-Failover group, deleting the existing Sync-Failover group and starting everything from scratch (following the right steps or the document)?

    I believe it should work.

    Regards.

  • When we tried to sync >> It show sync failed and log show about "master decrypt fail during rekey"

    Can you try to delete configuration on standby which requires a passphrase (e.g. delete ltm virtual, delete ltm profile client-ssl, delete ltm profile server-ssl), then re-key (e.g. f5mku) and configsync?

    • kridsana
      You are right. We tried deleting many configurations and saw that the problem happens with the APM "rewrite profile". When we deleted the rewrite profile and tried to rekey, it worked. It's working now.
  • Right now we can sync properly, with some limitations:

    1. We can sync from external (public IP).
    2. We can't sync via internal IP (different site but routable). This is due to the Active-Active firewall that resides in the customer network and its behavior when adding the F5 peer.

    For choice 2, I'll open a case, collect more information and let you know.

    Thank you very much

  • I know this is an old thread, but the root cause in our case was that the physical switch in the vCenter had been changed/altered and no longer contained all the necessary VLANs.

    In our case at least, the BigIP instances could find each other without a problem but would not sync, regardless of what we did. Both were 'Active' and 'Disconnected'.

    Hope it helps someone.