Setting up F5 SSL Orchestrator in a High Availability Environment
Overview: Setting up F5 SSL Orchestrator in high availability
- HA Setup: BIG-IP HA (CMI) must be set to Active-Standby mode with network failover. See the BIG-IP Device Service Clustering: Administration document for detailed information on Active-Standby HA mode.
- HA Setup: If the deployed device group is not properly synced or RPM packages are not properly syncing, make sure the Port Lockdown setting of your HA self IP (for example, ha_self) is not set to Allow None. On the Main tab, click and then click your ha_self. If Port Lockdown is set to Allow Custom, check that the HA network port 443 is open on the self IP.
- BIG-IP HA Devices: Only manual sync is supported.
- BIG-IP HA Devices: Devices in each BIG-IP HA pair must be the same model and run the same version of TMOS® (including any hotfixes). Except for the management interface, you must configure both devices to use the same arrangement of network interfaces, trunks, VLANs, self IPs (address and subnet mask), and routes. For example, if one BIG-IP device is connected to a specific VLAN/subnet using interface 1.1, the other BIG-IP device must also be connected to that VLAN/subnet using interface 1.1. If the BIG-IP device configurations do not match, this implementation will not deploy correctly, and HA failover will not work.
- User Experience: Deployment must be initiated from the active HA BIG-IP device.
- User Experience: If the environment is changed from non-HA to HA, or from HA to non-HA, the application must be redeployed.
- User Experience: You can refresh the SSL Interception Rules screen for each peer device in order to see all modified changes.
Task summary for deploying in a high availability environment
- Installing and Upgrading F5 SSL Orchestrator
- Configuring the network for high availability
- Configuring the ConfigSync and Failover IP address
- Adding a device to the local trust domain
- Creating a Sync-Failover device group
- Synchronizing the device group
- Setting up a basic configuration for deployment
- The information used to configure your devices is identical on both devices. Without identical information on both devices, the HA deployment process can suffer from errors or fail.
- The latest version of BIG-IP SSL Orchestrator is successfully installed on the first device (the Active device). See the section Installing and Upgrading F5 SSL Orchestrator to ensure that this prerequisite has been properly completed.
- Successfully set up an HA ConfigSync device group prior to starting the configuration. See the section Configuring the network for high availability and its subsections to ensure that this prerequisite has been properly completed. For additional information, refer to the BIG-IP Device Service Clustering: Administration document, section Managing Configuration Synchronization.
- SSL Orchestrator is installed with the appropriate license information using the SSL Orchestrator Setup Utility (or the CLI) and made sure your device setup information is identical on both devices:
Do not attempt to duplicate the configuration by saving and restoring a user configuration set (UCS) file from one machine to the other, or any other cloning approach. There are several IDs that must be unique that will also be duplicated, causing additional problems. For more detailed information on using the SSL Orchestrator setup utility, see the Using the SSL Orchestrator setup utility section.
- While using the SSL Orchestrator Setup Utility, you have noted the details used for NTP and DNS setup and made sure they will be identical on both devices. To verify duplication, on the Main tab, click and select NTP or DNS.
- Ensure that any certificates used in the configuration are copied to all devices.
- Ensure that information is identical on all devices. This information should include any of the following that are needed:
- Client network
- External network
- Decrypt zone network
- Decrypt zone control network
- Networks providing access to ICAP devices and Receive-only devices
- Ensure that the log publishers are configured and named the same.
- Ensure that all systems use the same interfaces for any services. (If interface 1.1 is used to send traffic to an inline Layer 2 device on system A, then interface 1.1 must also be used on systems B, C, and D.)
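The prerequisites above all reduce to one rule: both devices must present the same model, version, interface-to-VLAN layout, subnets, routes and log publishers, and the HA self IP must not have Port Lockdown set to Allow None (and must open port 443 when set to Allow Custom). The following script, added here as an example and not part of the F5 documentation, runs those comparisons over two per-device snapshots. The snapshot layout, the device names and the sample values are constructed for this example; an operator would populate them from tmsh or iControl REST output on each device. One design point: non-floating self IP addresses are unique to each device, so the check compares the subnet per VLAN rather than the address itself.

```python
"""Pre-deployment consistency check for a BIG-IP SSL Orchestrator HA pair.

Added example, not F5 code. The snapshot dictionaries below are a
constructed, simplified stand-in for data an operator would collect from
each device; their field names are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List


def _subnet(cidr: str) -> str:
    """Return the network for an address/prefix string (10.1.1.5/24 -> 10.1.1.0/24)."""
    return str(ipaddress.ip_interface(cidr).network)


def check_port_lockdown(self_ip: dict) -> List[str]:
    """Apply the HA self IP Port Lockdown rule: never Allow None; custom must open tcp:443."""
    allow = self_ip.get("allow_service", [])
    if allow == ["none"]:
        return [f"{self_ip['name']}: Port Lockdown is Allow None; ConfigSync over port 443 cannot reach it"]
    if allow not in (["default"], ["all"]) and "tcp:443" not in allow:
        return [f"{self_ip['name']}: Allow Custom does not open tcp:443"]
    return []


def compare_pair(dev_a: dict, dev_b: dict, ha_vlan: str) -> List[str]:
    """Return a list of mismatches between two devices; an empty list means the pair is consistent."""
    findings: List[str] = []

    # Same model and same TMOS version (including hotfixes) on both devices.
    for key in ("model", "version"):
        if dev_a[key] != dev_b[key]:
            findings.append(f"{key} differs: {dev_a[key]} vs {dev_b[key]}")

    # Same arrangement of VLANs: interface, tag and tagging mode must match per VLAN name.
    vlans_a: Dict[str, dict] = dev_a["vlans"]
    vlans_b: Dict[str, dict] = dev_b["vlans"]
    for name in sorted(set(vlans_a) | set(vlans_b)):
        if name not in vlans_a or name not in vlans_b:
            findings.append(f"vlan {name} missing on one device")
        elif vlans_a[name] != vlans_b[name]:
            findings.append(f"vlan {name} layout differs: {vlans_a[name]} vs {vlans_b[name]}")

    # Self IPs are per-device addresses, so compare the subnet carried on each VLAN.
    selfs_a = {s["vlan"]: s for s in dev_a["self_ips"]}
    selfs_b = {s["vlan"]: s for s in dev_b["self_ips"]}
    for vlan in sorted(set(selfs_a) | set(selfs_b)):
        if vlan not in selfs_a or vlan not in selfs_b:
            findings.append(f"self IP on vlan {vlan} missing on one device")
        elif _subnet(selfs_a[vlan]["address"]) != _subnet(selfs_b[vlan]["address"]):
            findings.append(f"self IP subnet on vlan {vlan} differs: "
                            f"{selfs_a[vlan]['address']} vs {selfs_b[vlan]['address']}")

    # Routes and log publishers must be the same named set on both devices.
    for key in ("routes", "log_publishers"):
        if set(dev_a[key]) != set(dev_b[key]):
            findings.append(f"{key} differ: {sorted(set(dev_a[key]) ^ set(dev_b[key]))}")

    # Port Lockdown on the HA self IP of each device.
    for dev, selfs in ((dev_a, selfs_a), (dev_b, selfs_b)):
        if ha_vlan in selfs:
            findings += [f"{dev['name']} {f}" for f in check_port_lockdown(selfs[ha_vlan])]
    return findings


# Constructed sample snapshots. Device B deliberately differs in two places:
# the client VLAN sits on interface 1.2 instead of 1.1, and its HA self IP
# uses Allow Custom without tcp:443.
DEVICE_A = {
    "name": "bigip1", "model": "i5800", "version": "14.1.0",
    "vlans": {
        "ha_vlan": {"interface": "1.3", "tag": 4093, "tagged": True},
        "client_vlan": {"interface": "1.1", "tag": 100, "tagged": True},
        "external_vlan": {"interface": "1.2", "tag": 200, "tagged": True},
    },
    "self_ips": [
        {"name": "ha_self", "vlan": "ha_vlan", "address": "10.99.0.1/24", "allow_service": ["default"]},
        {"name": "client_self", "vlan": "client_vlan", "address": "10.1.10.1/24", "allow_service": ["none"]},
    ],
    "routes": ["0.0.0.0/0 via 10.2.20.254"],
    "log_publishers": ["sslo_publisher"],
}
DEVICE_B = {
    "name": "bigip2", "model": "i5800", "version": "14.1.0",
    "vlans": {
        "ha_vlan": {"interface": "1.3", "tag": 4093, "tagged": True},
        "client_vlan": {"interface": "1.2", "tag": 100, "tagged": True},
        "external_vlan": {"interface": "1.2", "tag": 200, "tagged": True},
    },
    "self_ips": [
        {"name": "ha_self", "vlan": "ha_vlan", "address": "10.99.0.2/24", "allow_service": ["tcp:22"]},
        {"name": "client_self", "vlan": "client_vlan", "address": "10.1.10.2/24", "allow_service": ["none"]},
    ],
    "routes": ["0.0.0.0/0 via 10.2.20.254"],
    "log_publishers": ["sslo_publisher"],
}

if __name__ == "__main__":
    for line in compare_pair(DEVICE_A, DEVICE_B, "ha_vlan"):
        print("MISMATCH:", line)
```

Run it before starting the deployment on the Active device; fix every reported mismatch first, since the page notes that a non-matching pair will not deploy correctly and failover will not work.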
Installing and upgrading F5 BIG-IP SSL Orchestrator
- Go to https://downloads.f5.com and click Downloads. The Downloads Overview screen opens.
- Click Find a Download. The Select a Product Line screen opens.
- In the F5 Product Family column, find the Security section.
- In the Product Line column, click SSL Orchestrator. The Select a Product Version and Container for SSL Orchestrator screen opens.
- Select 14.1.0 from the list of BIG-IP version numbers and then click SSL Orchestrator. The Software Terms and Conditions screen opens.
- Click I Accept. The Select a Download screen appears.
- Click the appropriate filename to download BIG-IP SSL Orchestrator.
- To install BIG-IP SSL Orchestrator, on the Main tab, click. The Images List screen opens.
- From the Available Images section, select the check box next to the BIG-IP 14.1.0 ISO image.
- Click Install. The Install Software Image popup screen opens.
- In the Volume set name list, type a Boot Location name or number.
- Click Install. The Images List screen opens. If necessary, click the browser Refresh button if the BIG-IP version 14.1.0 image does not appear in the Installed Images list.
- The BIG-IP installation is complete once the Install Status column for version 14.1.0 indicates complete.
Configuring the network for high availability
- On the Main tab, click. The VLAN List screen opens.
- Click Create. A New VLAN screen opens where you can configure your new VLAN.
- In the Name field, type the name (for example, ha_vlan).
- For the Interfaces setting:
- From the Interface list, select an interface number.
- From the Tagging list, select Tagged for traffic on that interface to be tagged with a VLAN ID.
- Click Add. The interface you selected appears in the Interfaces list as a tagged service.
- Click Finished. Next to the F5 logo, your device status appears showing ONLINE (ACTIVE) and Standalone with green indicators showing their status as up and running.
- On the Main tab, click. The Self IP List screen opens.
- Click Create. A New Self IP screen opens where you can configure your new self IP.
- In the Name field, type the self IP name (for example, ha_self).
- In the IP Address field, type the IP address for the device.
- In the Netmask field, type the netmask for the device.
- From the VLAN/Tunnel list, select the VLAN name (ha_vlan).
Configuring the ConfigSync and failover IP address
- On the Main tab, click. The Devices List screen opens.
- Click your device in the device list. The properties screen for the device opens.
- Click ConfigSync. The screen shows the ConfigSync Configuration area, with the local address of the device.
- From the Local Address list, select the VLAN address (ha_vlan).
- Click Failover Network, and then click Add. The New Failover Unicast Address screen opens.
- In the Address field, make sure that the VLAN address (ha_vlan) is present.
- After the screen refreshes, from the Address list, select the Management Address. Connection Mirroring is not supported.
- Click Finished. The Failover Unicast Configuration area lists both the VLAN HA (ha_vlan) and Management Address devices.
Adding a device to the local trust domain
- On the Main tab, click. The Device Trust screen opens.
- On the menu bar, click Device Trust Members to view peer and subordinate device settings. The Device Trust Members screen opens.
- Click Add. The Device Trust screen opens, showing Retrieve Device Credentials (Step 1 of 3).
- From the Device Type list, select Peer.
- In the Device IP Address field, type the IP address of your device.
- Click Retrieve Device Information. The screen shows Verify Device Certificates (Step 2 of 3).
- Click Device Certificate Matches. The screen shows Add Device (Step 3 of 3).
- In the Name field, type the name of the device you are adding.
- Click Add Device. At the upper right, next to the F5 logo, the status of your device should show ONLINE (ACTIVE) and Connected, with a green indicator next to them showing its active and connected status.
Creating a Sync-Failover device group
- On the Main tab, click. The Device Group List screen opens.
- Click Create. The New Device Group screen opens.
- In the General Properties area, name your new device group and select the group type.
- In the Name field, type the name of your device group.
- From the Group Type list, select Sync-Failover.
- For the Configuration setting, retain the Basic configuration type, and then select members and define the sync type.
- In the Members setting, select available devices from the Available list and add them to the Includes list.
- From the Sync Type list, select Manual with Incremental Sync. You must do a manual sync. If you select Automatic with Incremental Sync, your HA deployment will fail.
Synchronizing the device group
- Next to the F5 logo, click Awaiting Initial Sync. On the Main tab, you can also click. The Device Management Overview screen opens, showing your Device Groups.
- In the Sync Issues area, select ha to expand the Devices and Sync Options areas of the screen.
- In the Devices area, select the device showing Changes Pending.
- In the Sync Options area, select Push the selected device configuration to the group.
Setting up a basic configuration for deployment
- On the Main tab, click. The Deployment Settings screen opens.
- Refer to the Configuring deployment settings section for complete instructions. After you deploy your configuration on the active device, the system automatically synchronizes the configuration with all of the other devices in the device group. Since some errors may not be apparent, it is critical that you thoroughly test and diagnose the success or failure of the deployment. Refer to Task summary for diagnosing and fixing high availability deployment for steps to test and verify your HA deployment.
Task summary for diagnosing and fixing high availability deployment
- Verifying deployment and viewing logs
- Verifying the RPM file version on both devices
- Configuring deployment settings and redeploying
- Reviewing error logs and performing recovery steps
Verifying deployment and viewing logs
- Verify that all expected and required virtuals, profiles, and BIG-IP LTM and network objects (route domains, VLANs, self IPs) have been created on each device in the HA device group. These will be items beginning with the name given to the application (for example, if the application was named SSLO, verify that all of the items named SSLO_* are the same on all devices).
- Ensure that all RPM file versions are identical.
- Verify your deployment with, or without, services.
- Review the following logs for failures:
Verifying the RPM file version on both devices
- On the Main tab, click. The Updates screen opens.
- Check the RPM versions in the Version field.
Configuring deployment settings and redeploying
- Remove all configurations present on all devices.
- For all devices, individually configure each section in the F5 SSL Orchestrator deployment settings and select Finished. Verify that all new objects are properly synced and deployed. If synchronization or deployment issues persist when you deploy after each section, attempt to deploy after updating each item (instead of after each section) in the SSL Orchestrator deployment settings and verify that all new objects are properly synced and deployed. See the Configuring deployment settings section for more detailed information.
Reviewing error logs and performing recovery steps
- Verify that all BIG-IP LTM and network objects are present on each of the devices in the HA device group.
- If the configuration deployment fails on each device, review the logs:
- Use the following REST GET command to determine the state of the deployed device block in the REST storage:
- curl -s -k -u admin:admin https://localhost/mgmt/shared/iapp/blocks | json-format
- Since failure scenarios can vary, after reviewing the logs, attempt the following recovery steps:
- Redeploy SSL Orchestrator. If this succeeds, you have recovered from the failure situation.
- Undeploy SSL Orchestrator. By undeploying, a cleanup of MCP objects on each of the devices occurs while also cleaning up required data properties within the block stored in REST storage. If this succeeds, attempt to redeploy again.
- If redeploy or undeploy fails, do the following:
- From the command line (back door), run: touch /var/config/rest/iapps/enable
- Refresh the SSL Orchestrator menu UI.
- Select the deployed application from the list and delete the application.
- Redeploy and undeploy again.
- Once done, remove the file: rm -f /var/config/rest/iapps/enable
- If these recovery steps do not work, you may need to clean up the REST storage.
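The REST GET in the steps above returns the blocks collection from REST storage, and the recovery decision (redeploy, undeploy, or delete the application) hinges on what state each block is in. The following script, added here as an example and not F5 code, groups blocks by state and flags the ones that need attention before you choose a recovery step. The sample response is constructed for this example and only loosely models the real collection; the field names `items`, `name`, `state` and `id`, and the state values used, are assumptions and should be checked against the json-format output on your own device.

```python
"""Triage helper for the /mgmt/shared/iapp/blocks response.

Added example, not F5 code. SAMPLE_BLOCKS_JSON is a constructed stand-in
for the collection returned by the REST GET on this page; the field names
and state values are assumptions for this example.
"""
import json
from typing import Dict, List, Optional

# States treated as settled; anything else is left over from a failed or
# unfinished deploy/undeploy and deserves a look before redeploying.
SETTLED_STATES = {"BOUND", "UNBOUND"}

# Constructed sample: one healthy application block, one block stuck part-way
# through a deployment, and one that recorded an error.
SAMPLE_BLOCKS_JSON = json.dumps({
    "items": [
        {"id": "11111111-0000-0000-0000-000000000001", "name": "SSLO", "state": "BOUND"},
        {"id": "11111111-0000-0000-0000-000000000002", "name": "SSLO_lab", "state": "BINDING"},
        {"id": "11111111-0000-0000-0000-000000000003", "name": "SSLO_old", "state": "ERROR"},
    ]
})


def parse_blocks(raw: str) -> List[dict]:
    """Accept either a collection object with 'items' or a bare list of blocks."""
    data = json.loads(raw)
    items = data.get("items", []) if isinstance(data, dict) else data
    return [b for b in items if isinstance(b, dict)]


def summarize_blocks(raw: str) -> Dict[str, List[str]]:
    """Map each state to the sorted block names in that state."""
    summary: Dict[str, List[str]] = {}
    for block in parse_blocks(raw):
        state = block.get("state", "UNKNOWN")
        summary.setdefault(state, []).append(block.get("name", block.get("id", "?")))
    return {state: sorted(names) for state, names in summary.items()}


def blocks_needing_attention(raw: str) -> List[str]:
    """Names of blocks that are neither BOUND nor UNBOUND, e.g. stuck BINDING or in ERROR."""
    return sorted(b.get("name", "?") for b in parse_blocks(raw)
                  if b.get("state", "UNKNOWN") not in SETTLED_STATES)


def block_state(raw: str, app_name: str) -> Optional[str]:
    """State of the block for a named application, or None if no such block exists."""
    for block in parse_blocks(raw):
        if block.get("name") == app_name:
            return block.get("state", "UNKNOWN")
    return None


if __name__ == "__main__":
    # On a BIG-IP you would pipe the curl output from the page into this
    # script instead of using the constructed sample.
    for state, names in summarize_blocks(SAMPLE_BLOCKS_JSON).items():
        print(f"{state}: {', '.join(names)}")
    print("needs attention:", blocks_needing_attention(SAMPLE_BLOCKS_JSON))
```

A block that is still present after you delete the application, or one that stays in a non-settled state across a redeploy and an undeploy, is the case the last step on the page refers to, where the REST storage itself may need cleaning up.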