Manual Chapter : Overview: SSL Orchestrator High Availability Diagnostics and Sync-Repair Tool
Applies To:
F5 SSL Orchestrator
- 17.0.0, 16.1.3, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Overview: SSL Orchestrator High Availability Diagnostics and Sync-Repair Tool
The ha-sync script is a tool for diagnosing and repairing BIG-IP REST Framework HA synchronization issues between trusted BIG-IP devices.
The SSL Orchestrator HA diagnostics and sync-repair tool and script may be used in other BIG-IP environments to troubleshoot and fix HA setup issues and repair REST framework synchronization issues.
SSL Orchestrator users with an HA setup may also use this ha-sync script to troubleshoot and fix HA setup issues, such as when gossip has gone out of sync, when some REST blocks are missing/out of sync, or even when MCP data is out of sync between devices.
The ha-sync script includes the diagnostic capability to identify potential issues and can print out all of the issues found with the HA setup. The ha-sync script can then perform a sync-up, which should fix those issues, and ensure that both devices are fully in sync (both in MCP and REST).
Due to varying user scenarios, all scenarios have not been tested with the
In SSL Orchestrator deployments, where a service has been created, you may need to manually create non-syncable network objects if they are missing on the peer device before using the ha-sync script. These network objects include VLANs, non-floating IPs, and route domains created for the service.
This document provides the details of how SSL Orchestrator users can leverage the ha-sync script.
HA synchronization procedure:
- Review prerequisites
- Revert the effect of ssh-copy-id and remove the passwordless SSH access (optional)
- Use the HA synchronization CLI procedure
- Use the diagnostics capability
- Perform local-only repairs
- Support HA data synchronization for BIG-IP frameworks
- REST Framework
Before upgrading the network for high availability, make sure these prerequisites are in place:
- The ha-sync script requires passwordless SSH access from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer. See the Reverting the effect of ssh-copy-id and removing the passwordless SSH access section below for the procedural steps. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
- The following is a summary (procedure) of the aforementioned article. Run the following commands on the BIG-IP device where the ha-sync script would be executed. (Replace $HA_PEER with the IP address of the remote HA peer device).

      ssh-keygen
      ssh-copy-id -i ~/.ssh/id_rsa.pub $(whoami)@$HA_PEER

  The user account ($(whoami)) should have superuser privileges on the remote BIG-IP HA peer device.
Reverting the effect of ssh-copy-id and removing the passwordless SSH access
The ha-sync script requires passwordless SSH access from the local BIG-IP device, where the script runs, to the remote BIG-IP HA peer.
Optionally, you may use the following procedure to revert the effect of ssh-copy-id and remove the passwordless SSH access. This can also be set up by following the instructions in K13454: Configuring SSH public key authentication on BIG-IP systems (11.x - 15.x).
1. SSH into the BIG-IP device where ssh-copy-id has been invoked.
2. Identify the public key used with ssh-copy-id: cat ~/.ssh/id_rsa.pub
3. SSH into the remote HA peer (where the related key has been copied).
4. Edit the /root/.ssh/authorized_keys file and remove the line containing the key retrieved in step 2.
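
The key removal in the last step can be scripted instead of hand-edited. The following is an added example, not part of the F5 documentation: remove_authorized_key and has_key are hypothetical helper names, and it assumes the public key file from the local device has been copied to the peer so that both paths can be passed as arguments.

```shell
#!/bin/bash
# Added example (not F5 code); function names are hypothetical.
# Usage: remove_authorized_key <public_key_file> <authorized_keys_file>
# Returns 0 if the key was removed, 1 if it was not present, 2 on errors.

# True if any whitespace-separated field of a line equals the key blob.
has_key() {
    awk -v b="$1" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                   END { exit !found }' "$2"
}

remove_authorized_key() {
    pub_file=$1
    auth_file=$2
    [ -r "$pub_file" ] && [ -f "$auth_file" ] || return 2

    # Match on the base64 key blob (second field of the .pub file), not the
    # whole line: the peer's copy may carry a different comment or options.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || return 2

    # Nothing to do if the key is not authorized on this host.
    has_key "$blob" "$auth_file" || return 1

    # Keep a backup so a bad edit cannot remove other key-based logins.
    cp -p "$auth_file" "$auth_file.bak" || return 2

    # Write the filtered copy next to the original, then swap it in.
    tmp=$(mktemp "$auth_file.XXXXXX") || return 2
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 600 "$tmp"
    mv "$tmp" "$auth_file" || return 2

    # Confirm the key is gone before reporting success.
    ! has_key "$blob" "$auth_file"
}
```

After it returns 0, an SSH attempt from the local device to the peer should prompt for a password again; the previous file remains beside the original with a .bak suffix.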