Manual Chapter: High availability considerations

Applies To:

BIG-IP LTM

  • 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 16.0.0, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

System behavior for master-key sync

When your BIG-IP devices are configured in a Device Service Clustering (DSC) device group, all devices in the device group must have the same master key. To ensure this, DSC behaves in these ways:
  • When a new device joins a device group, the device that syncs its configuration to the new device also syncs a copy of its master key to the new device.
  • Whenever you modify the master key on a device group member, the BIG-IP system syncs the updated key to all other members of the device group. The updated key overwrites the master key that's currently on each device. To verify that the master key synced properly (either automatically or manually) to each device in the device group, you can open a console window on each device and, at the system prompt, use the command f5mku -K to view the encrypted master key and compare it to the master key on the other devices.
  • Encrypted passwords and passphrases for BIG-IP configuration objects specified in the file /config/bigip.conf might appear differently when comparing the configuration files from different devices in the device group. This is because each device's instance of the mcpd process uses a different salt, or random data, to encrypt and decrypt passwords and passphrases. This does not affect configuration synchronization (config sync) in any way.
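
The comparison described above can be done without displaying the key itself. The following is an added example, not part of the F5 manual: it hashes whatever f5mku -K prints on each device and compares the digests. It assumes root SSH access to each device's management address, and the function names and device names are hypothetical.

```shell
#!/bin/sh
# Added example: compare master keys across a device group by digest only.
# Assumptions (not from the manual): root SSH access to each device's
# management address; device names below are placeholders.

# fetch_master_key HOST: print the output of "f5mku -K" run on HOST.
# Redefine this function if you collect the output some other way.
fetch_master_key() {
    ssh -o BatchMode=yes "root@$1" 'f5mku -K'
}

# key_fingerprint: read key text on stdin and print its SHA-256 digest.
# Whitespace and CRs are removed so line endings cannot cause a false mismatch.
key_fingerprint() {
    tr -d ' \t\r\n' | sha256sum | cut -d' ' -f1
}

# check_master_key_sync HOST...: the first readable device is the reference.
# Returns 0 if every device matches, 1 on a mismatch, 2 if a device
# could not be queried.
check_master_key_sync() {
    local ref="" host key fp short rc=0
    for host in "$@"; do
        if ! key=$(fetch_master_key "$host") || [ -z "$key" ]; then
            echo "ERROR     $host could not read master key" >&2
            rc=2
            continue
        fi
        fp=$(printf '%s' "$key" | key_fingerprint)
        short=$(printf '%s' "$fp" | cut -c1-16)   # short digest prefix for display
        if [ -z "$ref" ]; then
            ref=$fp
            echo "REFERENCE $host $short"
        elif [ "$fp" = "$ref" ]; then
            echo "MATCH     $host $short"
        else
            echo "MISMATCH  $host $short"
            [ "$rc" -ne 0 ] || rc=1
        fi
    done
    return "$rc"
}

# Example call: check_master_key_sync Device_A Device_B Device_C
```

Because only digests are printed, the key material does not end up in terminal scrollback or session logs. Differences in /config/bigip.conf between devices are expected, as noted above, and are not a sign of a master key mismatch.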

Syncing the master key when creating a device group

When you attempt to create a Device Service Clustering (DSC) device group, the device that you are logged in to sends a copy of its BIG-IP configuration, including the master key, to all other devices that join the device group. In a working device group, the same master key lives on all devices.
For example, suppose you have two devices, Device_A and Device_B, and you want to create a device group. You can log in to Device_A, navigate to the Device Trust settings, and specify that you want Device_B to be the device that joins Device_A to comprise the trust domain. Then, while still logged in to Device_A, you can create a device group with both devices as members.
In this case, when Device_B joins the device group, it receives a copy of Device_A's master key, as part of the initial config sync that the BIG-IP system does to form the device group.

Syncing the master key when adding a device to a device group

When you have an existing Device Service Clustering (DSC) device group that contains two or more devices, and you want to add another BIG-IP device to the device group, you can log in to any device in the device group, navigate to the Device Group settings, and specify the device in the local trust domain that you want to add to the device group. When you do this, the device you are logged in to automatically syncs its BIG-IP configuration, including the shared master key, to the new device.
Before you attempt to add another device to an existing device group, make sure that the new device is in the local trust domain and that all device group members are in sync.
For example, suppose you have a device group with two devices, Device_A and Device_B, and you want to add Device_C to the device group. You can log in to any device in the device group (for example, Device_A), navigate to the Device Group settings, and specify that you want Device_C to join the device group.
In this case, when joining the device group, Device_C receives a copy of Device_A's shared master key, as part of the initial config sync to that new device.