Forum Discussion

Stefan_Loeve_16
Dec 19, 2014

Why is my trust domain not connecting

I am working on setting up 2 LTM appliances to use ConfigSync in a Sync-Failover device group. I have successfully set up this pairing before; however, I cannot seem to get it working anymore.


The first step I have done is set up each device with users, local IPs, floating IPs and VLANs/gateways. Once this step is done I can confirm that all of the local IPs are reachable (including the management) and I proceed to use the wizard to configure HA. I follow all of the steps (using a dedicated VLAN for failover) to configure my first device. After completing the setup, I attempt to discover the second device that I would like to sync with. I can input the device IP, username and password and do not get any errors. However, at this point neither device can see whether the other appliance is online. No matter how I try to add/remove devices to the trust group, I cannot see the other device in an online state.


Any suggestions would be greatly appreciated.


Stefan


1 Reply

    R_Marc

    I can't say why your particular trust domain is failing, however I use the following script with every build out. Works every time so far:

    Initial config on each node:

    modify sys global-settings { gui-setup disabled }
    modify sys global-settings { hostname your.desired.hostname }
    modify sys dns name-servers add { x.x.x.x y.y.y.y }
    modify sys dns search add { localhost your.domain }
    modify sys ntp { servers add { z.z.z.z w.w.w.w } timezone your/timezone }

    Then apply your licensing. I use the tmsh method as I find it faster (also most of my devices don't have internet access):

    get-dossier -b  [ -a  ]

    Then go to activate.f5.com and cut and paste your dossier into the box, copy and paste your license into /config/bigip.license and then run: reloadlic

    I generally config my LDAP and groups at this point, YMMV.

    If you are not running a vCMP guest, I would do the following:

    mv cm device bigip1 your.desired.hostname

    Now create your trunks, VLANs and self IPs. If you are running vCMP or VE, just the selfs. Below is just the HA interface (if you aren't using trunks, skip that one and just specify the interface rather than the trunk in the VLAN):

    create net trunk HA_TRUNK { interfaces add { 1.8 }}
    create net vlan HA_VLAN { interfaces add { HA_TRUNK { } } }
    create net self ha_failover { address 192.168.0.1/24 allow-service all traffic-group traffic-group-local-only vlan HA_VLAN }

    Next specify your config sync IPs (variable IPs per device):

    modify cm device your.desired.hostname unicast-address { { ip 192.168.0.1 } }
    modify cm device your.desired.hostname { configsync-ip 192.168.0.1 }

    Next create a trust relationship on one device only:

    modify cm trust-domain /Common/Root ca-devices add { 192.168.0.2 } name your.other.device username admin password admin

    Now (also on only one device) create a device group:

    create cm device-group your-device-group { devices add { your.desired.hostname your.other.device } auto-sync enabled network-failover enabled type sync-failover }

    Lastly I create however many traffic groups I need (generally one for an active/standby config):

    create cm traffic-group my-traffic-group { ha-order { your.desired.hostname your.other.device } default-device your.desired.hostname }

    At this point they should be paired and I move on to my pools, virtuals, policies, etc using only one device to configure.
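As an added example (not R_Marc's script), the following Python helper emits the HA-pair tmsh lines from the reply with the device names and HA addresses as parameters, checks that the peer address lies in the HA self-IP subnet and that the two device names differ, and replaces `allow-service all` on the failover self IP with a lockdown to the ports F5 documents for device trust/ConfigSync, network failover and mirroring (tcp:4353, udp:1026, tcp:1028; confirm these for your release). The trunk, VLAN, self-IP, device-group and traffic-group names, the interface 1.8 and the /Common/Root trust domain come from the reply; the function name, its parameters and the sample device names are assumptions.

```python
import ipaddress

# Ports F5 documents for device trust/ConfigSync (TCP 4353), network failover
# (UDP 1026) and connection mirroring (TCP 1028); verify against your release.
HA_SERVICES = ("tcp:4353", "udp:1026", "tcp:1028")


def ha_pair_commands(local_host, peer_host, local_cidr, peer_ip, trust_user,
                     trust_password, primary, vlan="HA_VLAN", trunk="HA_TRUNK",
                     interface="1.8", device_group="your-device-group",
                     traffic_group="my-traffic-group"):
    """Return the tmsh lines for the HA-pair part of the reply, for one device.

    local_cidr is this device's HA self IP with prefix, e.g. "192.168.0.1/24";
    peer_ip is the other device's HA self IP. The trust, device-group and
    traffic-group lines are emitted only when primary is True (run them once).
    """
    local = ipaddress.ip_interface(local_cidr)
    peer = ipaddress.ip_address(peer_ip)
    if local_host == peer_host:
        raise ValueError("local and peer device names must differ")
    # The reply keeps both HA addresses on one directly attached subnet;
    # refuse a peer that would have to be reached through a router.
    if peer not in local.network:
        raise ValueError(f"peer {peer} is not in HA subnet {local.network}")
    if peer == local.ip:
        raise ValueError("peer and local HA addresses must differ")
    services = " ".join(HA_SERVICES)
    cmds = [
        f"create net trunk {trunk} {{ interfaces add {{ {interface} }} }}",
        f"create net vlan {vlan} {{ interfaces add {{ {trunk} {{ }} }} }}",
        # Port lockdown instead of 'allow-service all' on the HA self IP.
        f"create net self ha_failover {{ address {local} allow-service "
        f"{{ {services} }} traffic-group traffic-group-local-only vlan {vlan} }}",
        f"modify cm device {local_host} unicast-address {{ {{ ip {local.ip} }} }}",
        f"modify cm device {local_host} {{ configsync-ip {local.ip} }}",
    ]
    if primary:
        cmds += [
            f"modify cm trust-domain /Common/Root ca-devices add {{ {peer} }} "
            f"name {peer_host} username {trust_user} password {trust_password}",
            f"create cm device-group {device_group} {{ devices add "
            f"{{ {local_host} {peer_host} }} auto-sync enabled "
            f"network-failover enabled type sync-failover }}",
            f"create cm traffic-group {traffic_group} {{ ha-order "
            f"{{ {local_host} {peer_host} }} default-device {local_host} }}",
        ]
    return cmds
```

Run it once per device with `primary=True` on only one of them, then paste the returned lines into tmsh on that device.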