Manual Chapter : Overview: SSL Orchestrator High Availability Diagnostics and Sync-Repair Tool

Applies To:

Show Versions Show Versions

F5 SSL Orchestrator

  • 16.0.0
Manual Chapter

Overview: SSL Orchestrator High Availability Diagnostics and Sync-Repair Tool

The
ha-sync
script is a tool for diagnosing and repairing BIG-IP REST Framework HA synchronization issues between trusted BIG-IP devices.
The SSL Orchestrator HA diagnostics and sync-repair tool and script may be used in other BIG-IP environments to troubleshoot and fix HA setup issues and repair REST framework synchronization issues.
SSL Orchestrator users with an HA setup may also use this
ha-sync
script to troubleshoot and fix HA setup issues, such as when gossip has gone out of sync, when some REST blocks are missing/out of sync, or even when MCP data is out of sync between devices.
The
ha-sync
script includes the diagnostic capability to identify potential issues and can print out all of the issues found with the HA setup. The
ha-sync
script can then perform a sync-up, which should fix those issues, and ensure that both devices are fully in sync (both in MCP and REST).
Due to varying user scenarios, all scenarios have not been tested with the
ha-sync
script.
In SSL Orchestrator deployments, where a service has been created, you may need to manually create non-syncable network objects if they are missing on the peer device before using the ha-sync script. These network objects include VLANs, non-floating IPs, and route domains created for the service.
This document provides the details SSL Orchestrator users can leverage the ha-sync script.
HA synchronization procedure:
  • Review prerequisites
  • Revert the effect of ssh-copy-id and removing the passwordless SSH access (optional)
  • Use the HA synchronization CLI procedure
    • Use the diagnostics capability
    • Perform local-only repairs
  • Support HA data synchronization for BIG-IP frameworks
    • MCP
    • REST Framework
Prerequisites
Before upgrading the network for high availability, make sure these prerequisites are in place:
  • The
    ha-sync
    script requires
    passwordless SSH access
    from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer. See the
    Reverting the effect of ssh-copy-id and removing the passwordless SSH access
    section below for the procedural steps. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
    • The following is a summary (procedure) of the aforementioned article. Run the following commands on the BIG-IP device where the
      ha-sync
      script would be executed. (Replace
      $HA_PEER
      with the IP address of the remote HA peer device).
      ssh-keygen ssh-copy-id -i ~/.ssh/id_rsa.pub $(whoami)@$HA_PEER
The user account
($(whoami))
should have superuser privileges on the remote BIG-IP HA peer device.

Reverting the effect of ssh-copy-id and removing the passwordless SSH access (optional)

The
ha-sync
script requires passwordless SSH access from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer.
Optionally, you may use the following procedure to revert the effect of ssh-copy-id and remove the passwordless SSH access. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
  1. SSH into the BIG-IP device where ssh-copy-id has been invoked.
  2. Identify the public key used with ssh-copy-id:
    cat ~/.ssh/id_rsa.pub
    .
  3. SSH into the remote HA peer (where the related key has been copied).
  4. Edit the /root/.ssh/authorized_keys file and remove the line containing the key retrieved in step 2.