Config Sync Troubleshooting, F5 BigIP
From NetworkStuff
Config sync issues are common on F5 BigIP platforms, particularly when initially configuring redundant pairs of devices. This article suggests a number of troubleshooting 'targets' that may help you diagnose issues with a particular device.
Configuration That Is Not Sync'd
The following configuration is not synchronised between devices:
- VLAN configuration
- Self IP configuration, except floating self IP configuration
Run The Configsync Debug Tool
Available since v9.2. At the command line, enter csTest.pl -v to run this tool. It is very useful in identifying problems. Here is some typical output (with no problems reported):
Status of daemons:
All required daemons are up and running (MCPD, CSSD, HTTPD, and BigDBD).
Configsync configuration:
Failover address (Self): 99.0.9.133
Peer IP address: 99.0.9.136
Configsync port: 443
Configsync username: admin
Acceptable time difference: 600 seconds
Configsync auto detect status:
1 - Local config modified, recommend configsync to peer
Last change (Self): 12/20/2007 17:22:23 (1198171343)
Peer state is: known
Last change (Peer): 12/20/2007 15:38:03 (1198165083)
Last configsync: 12/20/2007 15:38:03 (1198165083)
Peer update interval: 30 (seconds)
Network connection status:
Local system is listening on configsync port (443).
Ping test to peer 99.0.9.136 succeeded.
SOAP connection test to peer 99.0.9.136 succeeded.
SOAP time difference check:
Within the acceptable range.
Product version test:
Major and minor product versions are identical. The maintenance
versions are different.
The configsync tests completed successfully. You can run this diagnostic tool on the peer 99.0.9.136 for further information.
Configsync Service
Confirm that the configsync service, cssd, is running using the bigstart status command. Look for a line of output similar to the following:
cssd run (pid XXX) XX days
Configsync is Always Required
This is a known issue (SOL3647) with LTM versions 9.0, 9.01 and 9.03. Upgrade!
Configsync User Account Passwords and Passphrase Characters
There have been past issues (SOL4749) where using the @, / and $ symbols in the configsync user account password causes configsync to fail. Although fixed, it's best not to use any characters such as these in user account passwords or passphrases.
Configsync User Account Passwords and Passphrases
Ensure the configsync user account passwords and passphrases are exactly the same on both devices.
- The password is the password of the user account used by configsync to authenticate with the other device.
- The passphrase is the password used to encrypt and decrypt the files transferred during the configsync process.
v9.4x & Later
The quickest way to do this is to use the bigpipe configsync command, available since v9.4x. Run bigpipe configsync list all, the output of which will be similar to this:
configsync {
partition Common
auto detect enable
custom peer addr none
encrypt enable
passphrase crypt "9DKK[\\xOAtzPatI6ZO[[J7KbJciD8;B.INXJc[:6>7T=jRC"
password crypt "1V^=nZ^ObCrbSv90Bej_a4@;I^\\HH:>\\6YSG\\7f?AGL`BO0"
peer update interval 30
time diff 600
user "admin"
}
Ensure the password and passphrase (if configsync encryption is on) crypt values match exactly on both devices. If they do not, then on both devices:
- re-enter the configsync passphrase, either using the GUI or the configsync command
- reset the password of the user account used for configsync authentication using the f5passwd command
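The crypt comparison described above can be scripted so the values never have to be read by eye or pasted into a ticket. This is an added example, not part of the original article or an F5 tool; it assumes the output of bigpipe configsync list all from each unit has been saved to a file, and the function names and sample crypt strings are constructed for illustration.

```bash
# Compare the configsync secrets of two units without printing them (added example).
# Input: the text of `bigpipe configsync list all` from each unit, saved to a file.
# The crypt strings are credential material: keep the files private, delete them after.

# cs_value FILE KEY -> the quoted value of "KEY crypt" (KEY is password or passphrase)
cs_value() {
    sed -n "s/^[[:space:]]*$2 crypt \"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# cs_compare_key FILE_A FILE_B KEY -> prints MATCH, MISMATCH or MISSING
cs_compare_key() {
    local a b
    a=$(cs_value "$1" "$3")
    b=$(cs_value "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then echo MISSING
    elif [ "$a" = "$b" ]; then echo MATCH
    else echo MISMATCH
    fi
}

# cs_compare FILE_A FILE_B -> one status line per secret; non-zero if re-entry is needed
cs_compare() {
    local rc=0 key status
    for key in password passphrase; do
        # The passphrase only matters when encryption is enabled on at least one unit.
        if [ "$key" = passphrase ] && ! grep -Eq '^[[:space:]]*encrypt enable' "$1" "$2"; then
            echo "passphrase: SKIPPED (encrypt not enabled)"; continue
        fi
        status=$(cs_compare_key "$1" "$2" "$key")
        echo "$key: $status"
        [ "$status" = MATCH ] || rc=1
    done
    return $rc
}

# Constructed sample data (not real crypt strings): unit B has a different passphrase.
cs_demo() {
    local d rc=0
    d=$(mktemp -d)
    printf '%s\n' 'configsync {' ' encrypt enable' \
        ' passphrase crypt "A[\\x1;constructed"' ' password crypt "P@$\\constructed"' '}' > "$d/a"
    sed 's/A\[/B[/' "$d/a" > "$d/b"
    cs_compare "$d/a" "$d/b" || rc=1
    rm -rf "$d"; return $rc
}

cs_demo || echo "re-enter the mismatched secret on both units"
```

For real use, call cs_compare with the two saved output files; only MATCH, MISMATCH, MISSING or SKIPPED is printed for each secret.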
v9.3x & Earlier
If you're running a software version earlier than v9.4x, you'll simply have to re-enter the configsync passphrase manually on both devices to be sure they match. You should probably also reset the password of the user account used for configsync authentication using the f5passwd command on each device.
Device Time Differences
Ensure the time on each device is within 600 seconds of the time on the other device. If you're using NTP this shouldn't be an issue.
From v9.x onwards you can use the bigpipe configsync command to adjust the 600 second value if necessary: bigpipe configsync time diff xxx where xxx is the permitted time difference between device clocks, in seconds.
For earlier software versions the 600 second value can be adjusted using the bigpipe db command as follows: bigpipe db Configsync.timediff xxx where xxx is the permitted time difference between device clocks, in seconds.
Using a Pool Called 'Gateway'
Having a pool called gateway can cause configsync to fail. See SOL7408.
Check Self IP Port Lockdown
If the port lockdown setting for the self IP being used to configsync is set to 'none', or is set to 'custom' and the custom ports do not include ports 443 and 3306, configsync will fail, normally with an error message including 'connection refused'. Sometimes configsync will appear to work, but changes will not be reflected on the peer and the message 'Unable to get peers local time' might appear in the Local Traffic log. Use the 'allow default' or 'allow all' setting, or add ports 443 and 3306 to the custom list.
Using Network Failover
v9.3x & Earlier
If a custom configsync peer address has not been specified and you have network failover enabled, ensure the self and peer primary failover addresses have been entered without :: (which appears in the relevant fields by default.)
v9.4x & Later
If a custom configsync peer address has not been specified, you must have primary connection mirror addresses configured. Ensure these are valid and ensure the self and peer primary addresses have been entered without :: (which appears in the relevant fields by default.)
Related Articles
You may also be interested in our Failover, F5 BigIP article.





