Manual Chapter: Overview: SSL Orchestrator High Availability Diagnostics and Sync-Repair Tool
Applies To:
F5 SSL Orchestrator
- 17.0.0, 16.1.3, 16.1.1, 16.1.0, 16.0.1, 16.0.0
The ha-sync script is a tool for diagnosing and repairing BIG-IP REST Framework HA synchronization issues between trusted BIG-IP devices. The SSL Orchestrator HA diagnostics and sync-repair tool and script may be used in other BIG-IP environments to troubleshoot and fix HA setup issues and repair REST framework synchronization issues.
SSL Orchestrator users with an HA setup may also use this ha-sync script to troubleshoot and fix HA setup issues, such as when gossip has gone out of sync, when some REST blocks are missing or out of sync, or even when MCP data is out of sync between devices.
The ha-sync script includes the diagnostic capability to identify potential issues and can print out all of the issues found with the HA setup. The ha-sync script can then perform a sync-up, which should fix those issues and ensure that both devices are fully in sync (both in MCP and REST).
Due to varying user scenarios, not all scenarios have been tested with the ha-sync script.
In SSL Orchestrator deployments where a service has been created, you may need to manually create non-syncable network objects if they are missing on the peer device before using the ha-sync script. These network objects include VLANs, non-floating IPs, and route domains created for the service.
This document describes how SSL Orchestrator users can leverage the ha-sync script.
HA synchronization procedure:
- Review prerequisites
- Revert the effect of ssh-copy-id and remove the passwordless SSH access (optional)
- Use the HA synchronization CLI procedure
- Use the diagnostics capability
- Perform local-only repairs
- Support HA data synchronization for BIG-IP frameworks
  - MCP
  - REST Framework
Prerequisites
Before upgrading the network for high availability, make sure these prerequisites are in
place:
- The ha-sync script requires passwordless SSH access from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer. See the Reverting the effect of ssh-copy-id and removing the passwordless SSH access section below for the procedural steps. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
- The following is a summary (procedure) of the aforementioned article. Run the following commands on the BIG-IP device where the ha-sync script would be executed. (Replace $HA_PEER with the IP address of the remote HA peer device.)
    ssh-keygen
    ssh-copy-id -i ~/.ssh/id_rsa.pub $(whoami)@$HA_PEER
The user account ($(whoami)) should have superuser privileges on the remote BIG-IP HA peer device.
Reverting the effect of ssh-copy-id and removing the passwordless SSH access (optional)
The ha-sync script requires passwordless SSH access from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer. Optionally, you may use the following procedure to revert the effect of ssh-copy-id and remove the passwordless SSH access. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
- SSH into the BIG-IP device where ssh-copy-id has been invoked.
- Identify the public key used with ssh-copy-id: cat ~/.ssh/id_rsa.pub
- SSH into the remote HA peer (where the related key has been copied).
- Edit the /root/.ssh/authorized_keys file and remove the line containing the key retrieved in step 2.
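The key-removal step of the procedure above can be scripted instead of edited by hand. The following is an added example, not part of the F5 documentation: remove_authorized_key is a hypothetical helper, the key strings are constructed sample data, and it assumes the public key file from the local device has been copied to the peer.

```bash
#!/bin/bash
# Added example; remove_authorized_key is a hypothetical helper name.
# Removes one public key from an authorized_keys file by exact match on its
# base64 key blob, after saving a backup, and prints how many entries it removed.
remove_authorized_key() {
    local pubkey_file=$1 auth_file=$2
    local blob tmp before after

    # Field 2 of a .pub file is the key blob. The trailing comment is free
    # text and can differ on the peer, so it is not used for matching.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pubkey_file")
    [ -n "$blob" ] || { echo "no key blob found in $pubkey_file" >&2; return 2; }

    cp -p "$auth_file" "$auth_file.bak" || return 2
    tmp=$(mktemp) || return 2

    # Drop only lines in which a whole field equals the blob. This also
    # catches entries that carry an options prefix before the key type.
    awk -v blob="$blob" '{
        for (i = 1; i <= NF; i++) if ($i == blob) next
        print
    }' "$auth_file" > "$tmp"

    before=$(awk 'END { print NR }' "$auth_file")
    after=$(awk 'END { print NR }' "$tmp")

    # Write back in place so the file keeps its owner, mode and inode.
    cat "$tmp" > "$auth_file" && rm -f "$tmp" || return 2
    echo $((before - after))
}

# Constructed sample data (not real keys) so the example runs offline.
demo_dir=$(mktemp -d)
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleLOCAL root@bigip-a" > "$demo_dir/id_rsa.pub"
printf '%s\n' \
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleOTHER admin@jumphost" \
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleLOCAL root@bigip-a" \
    'from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleLOCAL relabelled' \
    > "$demo_dir/authorized_keys"

removed=$(remove_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/authorized_keys")
echo "removed $removed entries; remaining:"
cat "$demo_dir/authorized_keys"
```

On the peer, the second argument would be /root/.ssh/authorized_keys; the backup is written beside it with a .bak suffix and should be deleted once the result is confirmed.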