Forum Discussion

VictorCreed_192
Oct 26, 2015

Device Group using public NAT

Hello,


I need to setup a sync-only Device Group to synchronize the GTM configuration.


My devices are located in two different AWS regions. AWS uses NAT, so the BIG-IPs have private addressing; these addresses are then mapped to AWS public IPs (EC2 Elastic IPs).


I set up device trust under 'Device Management > Device Trust > Peer List'.


I used the public (NAT) IP to retrieve the peer certificate and it works. The devices are happy with the certificates and the group is formed; however, in 'Device Management > Overview' the peer appliance shows as 'Disconnected'.


Using tcpdump I can see the appliances are trying to connect to the private IPs of each peer; obviously this will not work because the communication needs to happen over the public IPs.


I tried using iptables to do a DNAT but no luck.


Any advice will be very welcome.


Many thanks,


6 Replies

  • Thanks Guys,


    I was following this guide http://tinyurl.com/pjwuplh which under the section "Adding GTM to a GTM synchronization group" indicated to run gtm_add and then create a Device Trust.


    So I've removed the device trust now.


    In my first appliance under GSLB>Servers>Server List I can see both GTMs showing in green. So the gtm_add script worked ok.


    In my second appliance I can see that the information has synchronised under "Zones>ZoneRunner>Zone List", which is good.


    But only the zone information has synchronised. I was expecting the datacenters, GSLB servers and GSLB pools information to sync as well. Is my assumption correct, or do I need to create these manually on the second GTM?


    FYI: I'm not using DNSSEC.


    Thanks again for the help,


  • Check the sync settings under System > Configuration > Global Traffic > General and ensure both Zone and GSLB Synchronization are checked.


  • I only have Local Traffic under 'System>Configuration>'.


    Under 'DNS>Settings>GSLB>General>Configuration Synchronization' I have enabled Synchronize and Synchronize DNS Zone Files on both appliances.


    So the DNS Zone Files have synchronized but not the Data Centers and Servers.


  • So finally I got it working, I had to delete all the configuration and start again.


    So I ran the gtm_add script first and then started by adding the servers, then the other components, at each step making sure each component synced to the other GTM.


    However, I had to add the virtual servers manually as the auto-discovery didn't work. To add the virtual servers I used this format: /Common/my_vs_server. It seems to work, because if the virtual server goes down, the associated GSLB pool also goes down.


    The following troubleshooting guide confirms that the virtual server auto-discovery does not support NAT: https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14106.html


    "Confirm that the BIG-IP virtual servers do not use address translation: Auto-discovery is unavailable for virtual servers using translated IP addresses. Before troubleshooting auto-discovery issues, confirm that the BIG-IP virtual servers do not use address translation. For example, if the target BIG-IP virtual server IP addresses reside in a private network space, as defined by RFC1918, and are mapped to public IP addresses that are defined on a network device such as a firewall, the BIG-IP DNS system will silently disable the auto-discovery feature for the BIG-IP system."
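As an added example (not part of this thread and not an F5 tool), the check below applies the condition quoted from the article: a virtual server whose listener address is RFC1918 and is mapped to a public address will not be auto-discovered, so it has to be added to the GTM server object by hand in the /Common/name format used above. The VirtualServer model, the sample addresses and the assumption that any non-RFC1918 translation counts as public are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 private ranges, the ones the quoted F5 article refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class VirtualServer:
    """Hypothetical model of a BIG-IP virtual server as GTM sees it."""
    name: str              # object name, e.g. my_vs_server
    address: str           # listener address on the LTM
    translation: str = ""  # public (NAT) address it is reachable on, if any


def auto_discovery_disabled(vs: VirtualServer) -> bool:
    """Condition from the quoted article: a private (RFC1918) listener that is
    mapped to a public address means GTM silently skips auto-discovery.
    Assumption: any non-RFC1918 translation address is treated as public."""
    if not vs.translation:
        return False
    return is_rfc1918(vs.address) and not is_rfc1918(vs.translation)


def manual_vs_entries(partition: str, servers: list) -> list:
    """Return the /<partition>/<name> entries that must be created by hand on
    the GTM server object because auto-discovery will not find them."""
    return [f"/{partition}/{vs.name}" for vs in servers if auto_discovery_disabled(vs)]


# Constructed sample: two NAT'd virtual servers and one with a public listener.
SAMPLE = [
    VirtualServer("my_vs_server", "10.0.1.10", "203.0.113.10"),
    VirtualServer("api_vs", "172.31.5.20", "198.51.100.20"),
    VirtualServer("public_vs", "203.0.113.30"),
]

if __name__ == "__main__":
    for entry in manual_vs_entries("Common", SAMPLE):
        print("add manually:", entry)
```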