Manual Chapter :
Setting up F5 Guided
Configuration for SSL Orchestrator in High Availability
Applies To:
Show VersionsF5 SSL Orchestrator
- 17.0.0
Setting up F5 Guided
Configuration for SSL Orchestrator in High Availability
Overview: Setting up F5
Guided Configuration for SSL Orchestrator in high availability
This section describes how to deploy F5 SSL Orchestrator high availability
(HA). SSL Orchestrator HA configuration and deployment ensures a decrease in downtime and
eliminates single points of failure. The deployment of SSL Orchestrator’s HA works with the
BIG-IP device groups support to sync the SSL Orchestrator specific configuration items and is
transparent to the user.
The deployment occurs after completing a configuration change and
selecting Deploy. The deployment request is first routed to one of the devices in the HA
device group. This first device configures the device where the request is received. After
successful deployment on that device, the request is repeated on other BIG-IP devices.
With SSL Orchestrator installed onto a dedicated system with failover, it
automatically takes over in case of system failure. Data is synchronized between the two
systems, ensuring high availability and consistent protection.
SSL Orchestrator high
availability deployment is supported for use only with SSL Orchestrator versions 2.1 and
later.
Set up BIG-IP ISO with F5 Guided Configuration for SSL
Orchestrator in high availability
To ensure that your F5 SSL Orchestrator high availability (HA)
deployment succeeds, it is critical that you closely follow each deployment step, as
well as the assumptions and dependencies, for both devices in the device group. In
addition, you should adhere to all prerequisites. If the systems in the device group are
not configured consistently, the deployment synchronization process may suffer errors or
fail. You would require two devices that are a part of the sync-failover group. The Port
Lockdown setting should be either Allow All, Allow Default, or Allow Custom.
To install and setup the BIG-IP ISO with SSL Orchestrator Guided
Configuration in HA, you will perform the following tasks to ensure your HA deployment
succeeds:
- Configure the network for HA.
- Configure the ConfigSync and Failover IP address.
- Add a device to the local trust domain.
- Create a Sync-Failover device group.
A Sync-Only device group is not supported. - Synchronize the device group.
- Set up a basic configuration for deployment.
Assumptions and dependencies
To ensure that your SSL Orchestrator HA deployment succeeds, it is
critical that you closely review and follow all assumptions and dependencies.
- HA Setup: BIG-IP HA (CMI) must be set to Active-Standby mode with network failover. See theBIG-IP Device Service Clustering: Administrationdocument for detailed information on Active-Standby HA mode.
- HA Setup: If the deployed device group is not properly synced or RPM packages are not properly syncing, make sure your HA self IP (for example,ha_self)Port Lockdownsetting is not set toAllow None. On the Main tab, click and click yourha_self. IfPort Lockdownis set toAllow Custom, check that the HA network port 443 is open on self IP.
- BIG-IP HA Devices: Manual and auto sync is supported.
- BIG-IP HA Devices: Devices in each BIG-IP HA pair must be the same model and run the same version of TMOS® (including any hotfixes). Except for the management interface, you must configure both devices to use the same arrangement of network interfaces, trunks, VLANs, self IPs (address and subnet mask), and routes. For example, if one BIG-IP device is connected to a specific VLAN/subnet using interface 1.1, the other BIG-IP device must also be connected to that VLAN/subnet using interface 1.1. If the BIG-IP device configurations do not match, this implementation will not deploy correctly, and HA failover will not work.
- User Experience: If the environment is changed from non-HA to HA, or from HA to non-HA, the application must be redeployed.
- User Experience: You can refresh the SSL Interception Rules screen () for each peer device in order to see all modified changes.
Prerequisites
Before configuring the network for HA, make sure these
prerequisites are in place:
- The information used to configure your devices is identical on both devices. Without identical information on both devices, the HA deployment process can suffer from errors or fail.
- The latest version of BIG-IP SSL Orchestrator is successfully installed on both devices.
- Successfully set up an HA ConfigSync device group prior to starting the configuration. See the sectionConfiguring the network for high availabilityand its subsections to ensure that this prerequisite has been properly completed. For additional information, refer to theBIG-IP Device Service Clustering: Administrationdocument, sectionManaging Configuration Synchronization.
- SSL Orchestrator is installed with the appropriate license information using the SSL Orchestrator Setup Utility (or the CLI) and made sure your device setup information is identical on both devices:
- While using the SSL Orchestrator Setup Utility, you have noted the details used for NTP and DNS setup and made sure they will be identical on both devices. To verify duplication, on the Main tab, clickand selectNTPorDNS.
- Ensure that any certificates used in the configuration are copied to all devices.
- Ensure that information is identical on all devices. This information should include any of the following that are needed:
- Client network
- External network
- Decrypt zone network
- Decrypt zone control network
- Networks providing access to ICAP devices and Receive-only devices
- Ensure that the log publishers are configured and named the same.
- Ensure that all systems use the same interfaces for any services. (If interface 1.1 is used to send traffic to an inline Layer 2 device on system A, then interface 1.1 must also be used on systems B, C, and D.)
Do not attempt to duplicate the configuration by saving and restoring a user configuration set (UCS) file from one machine to the other, or any other cloning approach. There are several IDs that must be unique that will also be duplicated, causing additional problems.
Configuring the network for high
availability
You can specify the settings for VLAN HA and self IP addresses on the active device
to configure your network for high availability. If needed, you can configure all
devices involved in the high availability group for HA.
This network connects the various
devices and must be a common Layer-2 network between all devices.
- On the Main tab, click.The VLAN List screen opens.
- ClickCreate.A New VLAN screen opens where you can configure your new VLAN.
- In theNamefield, type the name (for example,ha_vlan).
- For theInterfacessetting:
- From theInterfacelist, select an interface number.
- From theTagginglist, select tagging as desired for your network.
- ClickAdd.The interface you selected appears in theInterfaceslist as a tagged service.
- ClickFinished.Next to the F5 logo, your device status appears showingONLINE (ACTIVE)andStandalonewith green indicators showing their status as up and running.
- On the Main tab, click.The Self IP List screen opens.
- ClickCreate.A New Self IP screen opens where you can configure your new self IP.
- In theNamefield, type the self IP name (for example,ha_self).
- In theIP Addressfield, type the IP address for the device.
- In theNetmaskfield, type the netmask for the device.
- From theVLAN/Tunnellist, select the VLAN name (ha_vlan).
- ClickFinished.
Configuring ConfigSync and failover IP
addresses
Before creating the device group, you should configure the configuration
synchronization (ConfigSync) and Failover IP addresses for each
BIG-IP system in the device group. The ConfigSync address is the IP
address that the system uses when synchronizing configuration with peer devices, and
the failover address is the IP address that the system uses for network
failover.
- On the Main tab, click.The Devices List screen opens.
- Click your device in the device list.The properties screen for the device opens.
- ClickConfigSync.The screen shows the ConfigSync Configuration area, with the local address of the device.
- From theLocal Addresslist, select the VLAN address (ha_vlan).
- ClickUpdate.
- ClickFailover Network, and then clickAdd.The New Failover Unicast Address screen opens.
- In theAddressfield, make sure that the VLAN address (ha_vlan) is present.
- ClickRepeat.
- After the screen refreshes, from theAddresslist, select the Management Address.Connection Mirroring is not supported.
- ClickFinished.The Failover Unicast Configuration area lists both the VLAN HA (ha_vlan) and Management Address devices.
Adding a device to local trust
domain
Any BIG-IP devices that you intend to add to a device group
must first be members of the same local trust domain. When a BIG-IP device joins the
local trust domain, it establishes a trust relationship with peer BIG-IP devices
that are members of the same trust domain. For example, if you are creating a device
group with two members, you must log in to one of the devices and join the other
device to that system's local trust domain. The devices can then exchange their
device properties and device connectivity information.
- On the Main tab, click.The Device Trust screen opens.
- On the menu bar, clickDevice Trust Membersto view peer and subordinate device settings.The Device Trust Members screen opens.
- ClickAdd.The Device Trust screen opens, showing Retrieve Device Credentials (Step 1 of 3).
- From theDevice Typelist, selectPeer.
- In theDevice IP Addressfield, type the IP address of your device.
- ClickRetrieve Device Information.The screen shows Verify Device Certificates (Step 2 of 3).
- ClickDevice Certificate Matches.The screen shows Add Device (Step 3 of 3).
- In theNamefield, type the name of the device you are adding.
- ClickAdd Device.At the upper right, next to the F5 logo, the status of your device should showONLINE (ACTIVE)andConnected, with a green indicator next to them showing its active and connected status.
Creating a sync-failover device
group
For an HA configuration, you need to establish failover capability between two or
more BIG-IP devices. Then, if an active device in a
sync-failover device group becomes unavailable, the configuration objects fail over
to another member of the device group, and traffic processing is unaffected. You
perform this task on any one of the authority devices within the local trust
domain.
A Sync-Only device group is not supported.
- On the Main tab, click.The Device Group List screen opens.
- ClickCreate.The New Device Group screen opens.
- In the General Properties area, name your new device group and select the group type.
- In theNamefield, type the name of your device group.
- From theGroup Typelist, selectSync-Failover.
- For theConfigurationsetting, retain theBasicconfiguration type, and then select members and define the sync type.
- In theMemberssetting, select available devices from theAvailablelist and add them to theIncludeslist.
- From theSync Typelist, selectManual with Incremental Sync.
- ClickFinished.
The Device Groups list screen opens,
listing your new device group. The ConfigSync Status column will indicate
waiting
Initial Sync
.Synchronizing the device group
For an HA configuration, you need to synchronize the BIG-IP®
configuration data from the local device to the devices in the device group. This
synchronization ensures that devices in the device group operate properly. When
synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP
addresses only.
- Next to the F5 logo, clickAwaiting Initial Sync.On the Main tab, you can also click.The Device Management Overview screen opens, showing your Device Groups.
- In the Sync Issues area, selecthato expand the Devices and Sync Options areas of the screen.
- In the Devices area, select the device showingChanges Pending.
- In the Sync Options area, selectPush the selected device configuration to the group.
- ClickSync.
You have now completed your F5 SSL Orchestrator HA deployment. You
can now navigate to SSL Orchestrator configuration menu. If the RPM is not yet
installed, it will auto-install the on-box RPM. Once the RPM is installed, you can
proceed in setting up your SSL Orchestrator configuration for deployment.
Overview: Upgrading BIG-IP ISO with F5 Guided Configuration for SSL
Orchestrator in high availability
Refer to the Update or Upgrade the F5 SSL
Orchestrator chapter in the
BIG-IP update and
upgrade
guide for detailed steps on installing and upgrading to the newest
version of SSL Orchestrator in high availability. F5 recommends you follow the
procedures that match your current version details when upgrading to the newest version
of SSL Orchestrator:Upgrade BIG-IP ISO to a major or point release version with F5 Guided Configuration for SSL Orchestrator in high availability
Perform the following task to upgrade your BIG-IP ISO to a major, or point,
release version with SSL Orchestrator in high availability (HA). Make sure you review
all Assumptions and dependencies and verify all Prerequisites prior to starting the
upgrade.
During the SSL Orchestrator RPM upgrade, use the message's table for
explanations that may appear during the process and provide insight on the upgrade or
issues that may need to be resolved. Make sure you review all Assumptions and
dependencies and verify all Prerequisites prior to starting the upgrade.
Upgrading BIG-IP ISO to a major or point release version with F5
Guided Configuration for SSL Orchestrator in high availability
Verify all Prerequisites before starting the
upgrade
- If your HA device pair are not in sync, perform a manual configuration sync and take a UCS backup on to both devices.
- Download the target ISO from https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v17.x and select 17.0.0 from the list to see all the available downloads for the17.0.0version of BIG-IP.
- To upload the new ISO on both devices, perform the following steps (this process can be initiated on both devices in parallel and in any sequence):
- Using the management IP, on the Main tab, clickand clickImport.
- ClickChoose Fileand select the newly downloaded ISO and clickImport.
- Update the standby box:
- Perform the below steps to install the new ISO:
- On the Main tab, click.
- Select the check box next to the software image to be installed and clickInstall.Do not perform any configuration changes until the image installation is complete. This screen will continue to refresh to display the install status.
- After the image installation successfully completes, perform the following steps to boot into the new partition:
- On the Main tab, click.
- Click on theBoot Locationwhere the new software image is installed. The General Properties screen appears.
- ClickActivateandOKon the confirmation dialog and wait until the device is fully booted into the new partition.
- After the standby device successfully boots, verify that the software upgrade was successful by checking the logs (restnoded, restjavad, ltm) for errors.Do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen during the verification.
- Update the active device
- Perform the below steps to install the new ISO:
- On the Main tab, click.
- Select the check box next to the software image to be installed and clickInstall.Do not perform any configuration changes until the image installation is complete. This screen will continue to refresh to display the install status.
- Boot into the new partition:
- On the Main tab, click.
- Click on theBoot Locationwhere the new software image is installed. The General Properties screen appears.
- ClickActivateandOKon the confirmation dialog and wait until the device is fully booted into the new partition.
- After the active device successfully boots, verify that the software upgrade was successful by checking the logs (restnoded, restjavad, ltm) for errors.Do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen during the verification.
- Verify HA is in a good state after both devices are on same ISO version. Use manual steps for the verification. See the following section for manual steps: Verifying the high availability device pair before installing the ISO.Do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen during the verification.Do not proceed further if HA is not in a good state. You must fix all HA issues before proceeding.
- TheChanges Pendingwarning will appear on top left side of the screen. Click on the message and perform the device sync.
- Perform the same steps described above for the second box after the first box installation is complete.
- After verifying a successful ISO upgrade, on the Main tab, clickto auto upgrade SSL Orchestrator with the new on-box RPM. If you do not want to upgrade to the on-box package version, use the package management UI to upload the new RPM.Once the SSL Orchestrator screen loads, do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen.After installing the RPM, it may take some time to re-build the HA.Once the RPM is installed on both devices and the HA status is good, the configuration upgrade will begin and will take additional time based on your system speed and setup.During the SSL Orchestrator RPM upgrade, the following messages may appear providing insight on the upgrade or issues that may need to be resolved:MessageExplanationLoading SSL Orchestrator Configuration. Any configuration changes are not allowed until the configuration is fully loaded.This message appears when the UI is loaded but the HA verification did not yet start. This message may not appear on fast system.Validating SSL Orchestrator Setup. Any configuration changes are not allowed until the validation in progress.This message appears when the system is attempting to verify the state of the device (for example, if the device is either HA or standalone or what is the health of HA state).The SSL Orchestrator configuration cannot upgrade due to an invalid BIG-IP HA setup. Wait 2 minutes for self-recovery. If HA remains invalid, select HA-Status for more details and correct the issues. Configuration changes are not allowed until all HA issues are resolved.This message appears on a HA device (this will not appear for a standalone device) when the HA setup is not valid. This event is common during the RPM upgrade process because the new RPM installation involves restarting the restnoded and and the HA status will become invalid for a short period of time. Most often, when the restnoded restart finishes, the HA status returns to a good state. However, even after restnoded restarts and is up and running, this message may appear because the system cannot recover by itself. For more details about this message, click on the HA Status icon from the SSL Orchestrator configuration screen.Upgrading SSL Orchestrator configuration(s). Configuration changes are not allowed until the upgrade process is complete.This message appears on the HA device which is triggering the upgrade and starts the deployment and means that the HA verification has passed (both devices are in a good state and the configuration upgrade has begun).The upgrade process is now complete.This message appears once the upgrade process has completed.The upgrade process is running on a peer device <<MANAGEMENT_IP>>. Configuration changes are not allowed until the upgrade process is complete.This message appears on a HA device that is not initiating the configuration upgrade. The configuration upgrade is triggered only on one device. In this case, the MANAGEMENT_IP is the management IP of the device in which the configuration upgrade is triggered.The upgrade process cannot determine the device configuration. Configuration changes are not allowed until the upgrade process is complete.This message appears when the system is not able to determine the HA status. This may be caused by a coding exception or a framework issue (for example, when a call to a rest URL is failing).
- On the Main tab, clickand validate that the system is still deploying a configuration. If system is deploying a configuration, wait on this screen until all deployments are complete.
- In case of an error, perform the following troubleshooting step:
- Correct the configuration and trigger the upgrade again by clicking on the blinking red icon at the top right side of the UI.
- After the upgrade is successful and there are no configurations in error state, initiate a configuration sync. ClickSync.You have now completed your upgrade.
- After a successful upgrade, if you want to install a different version of the SSL Orchestrator RPM, perform the following steps:
- On the Main tab of an active box, clickand click on theUpgrade SSL Orchestratorlink.
- Select a new RPM and clickUpload and install.
- Wait until the installation completes and the screen is refreshed.
- Repeat the same steps above for the second box.Before continuing with any further configurations, log in to the standby device and validate that the standby device also upgraded to the new RPM version.
Upgrade BIG-IP ISO to a major or point release version with SSL Orchestrator and Access Policy Manager (APM) in high availability
Perform the following task to upgrade your BIG-IP ISO to a major, or point,
release version with SSL Orchestrator and APM in high availability (HA). Make sure you
review all Assumptions and dependencies and verify all Prerequisites prior to starting
the upgrade.
Upgrading BIG-IP ISO to a major or point release version with SSL Orchestrator and Access Policy Manager (APM) in high availability
Before upgrading the BIG-IP ISO to a major or point
release version with SSL Orchestrator and APM in high availability, review the
assumptions and dependencies above and verify all prerequisites before starting the
upgrade.
- If your HA device pair are not in sync, perform a manual configuration sync and take a UCS backup on to both devices.
- Download the target ISO from https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v17.x and select 17.0.0 from the list to see all the available downloads for the17.0.0version of BIG-IP.
- To upload the new ISO on both devices, perform the following steps (this process can be initiated on both devices in parallel and in any sequence):
- Using the management IP, on the Main tab, clickand clickImport.
- ClickChoose Fileand select the newly downloaded ISO.
- ClickImport.
- Updating the standby device
- Perform the below steps to install the new ISO:
- From the Main tab, click.
- Select the check box next to the software image to be installed and clickInstall.
Do not perform any configuration changes until the image installation is complete. This screen will continue to refresh to display the install status. - After the image installation successfully completes, perform the following steps to boot into the new partition:
- On the Main tab, click.
- Click on theBoot Locationwhere the new software image is installed. The General Properties screen appears.
- ClickActivateandOKon the confirmation dialog and wait until the device is fully booted into the new partition.
- After the standby device successfully boots, verify that the software upgrade was successful by checking the logs (restnoded, restjavad, ltm) for errors.Do not click on any part of the SSL Orchestrator menu or submenu in the UI.
Flushing out the old APM session
The following steps are a part of the available
content at the following location:
https://support.f5.com/csp/article/K25872674.
- After the standby device has been upgraded and booted into the new volume, selectForce Offlineon the [active] device to trigger a failover to this newly upgraded device: . The newly upgraded device will take over as the active device.
- Once the upgraded device takes over as active, you must restart the upgraded device again:.This extra step or additional restart is required to flush out any of the old sessions which may have been introduced from the previously active device while on the older version of the software.
- Wait for the upgraded device to come back up.
- Once the upgraded device becomes the active device, you are now ready to update the second device.
Updating the second device by installing the new ISO
Perform the following steps to install the new ISO
on the second device:
- From the Main tab, click.
- Select the check box next to the software image to be installed and clickInstall.Do not perform any configuration changes until the image installation is complete. This screen will continue to refresh to display the install status.
- Boot into the new partition:
- On the Main tab, click.
- Select theBoot Locationthe new software image is installed (this will appear on the General Properties screen).
- ClickActivateandOKand wait until the device fully boots into the new partition.
- After the device successfully boots and comes back up, bring it back online by selecting. This device should be standby.
- Verify the software successfully upgrades on the device and review the logs for errors.Do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen.
- Verify HA is in a good state after both devices are on same ISO version. Use manual steps for the verification. See the following section for manual steps:Verifying the high availability device pair before installing the ISO.Do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen.Do not proceed further if HA is not in a good state. You must fix all HA issues before proceeding.
- TheChanges Pendingwarning will appear on the top left side of the screen. Click on the message and perform the device sync.
- This step must be performed separately on both boxesAfter verifying HA, on the Main tab, click to auto upgrade SSL Orchestrator with the new on-box RPM. If you do not want to upgrade to the on-box package version, use the package management UI to upload the new RPM.Once the SSL Orchestrator screen loads, do not click on any tab or link on the SSL Orchestrator menu, submenu, or screen.After installing the RPM, it may take some time to re-build the HA.Once the RPM is installed on both devices and the HA status is good, the configuration upgrade will begin and will take additional time based on system speed and setup.
Diagnosing and fixing a high availability deployment
Use the following methods to help diagnose, verify, and fix a failed high
availability (HA) deployment:
- Perform alternate upgrade if standard upgrade fails
- Verify your deployment and view the logs.
- Verify the RPM file version on both devices.
- Configure your deployment settings and redeploy.
- Review the error logs and perform any necessary recovery steps.
Performing alternate upgrade if
standard upgrade fails
Performing alternate upgrade if
standard upgrade fails
Install new ISO on both
devices.
Perform the following tasks if your
standard upgrade fails:
- Boot into new partition on both the active first device and the standby second device.
- Click theChanges Pendingwarning that appears on the top left side of the screen where theIn Syncmessage was for both the devices.
- Navigate toand clickSync.
- Wait for theIn Syncmessage to appear in the top left side of the screen. PressSyncagain if the message does not appear.
- When theIn Syncmessage appears on both the devices, verify that the App LX blocks match in . Upload the RPM file by following either step 6 or step 7.
- Upload the RPM file using.
- Upload the required RPM usingfor the active device.
- Once the upload completes, upload the required RPM usingfor the standby device.
- Once the upload completes, clickon both devices.Do not click Sync yet!
ClickingSynctoo soon could put the HA pair of devices into an unrecoverable error state. - Or use the Onboard (default) RPM.
- If the Application LX blocks match for both devices, clickon the active device.
- The top panel displays aInvalid BIG-IP HA Setup...message on a red horizontal bar.
- Clickon the standby device. This loads the onboard (default) RPM for the standby box and closes theSoftware Version Mismatchmessage on the active box.
- The black vertical upgrade arrow on the upper-right flashes red.Do not press it!
Clicking the red arrow could put the HA pair of devices into an unrecoverable error state. - Wait until theCMI sync has not been triggered after deploying configuration. Please initiate CMI syncmessage appears on the active device. Navigate to and clickSync.
- Wait for theIn Syncmessage to appear in the top left side of the screen. PressSyncagain if the message does not appear for both devices.
- When both devices reach anIn Syncstate, click on both devices.
- Verify that their topologies display and various IR's, services, service chains, security policies, and SSL configurations match.
Upgrade should be complete.
Verifying deployment and viewing
logs
You can verify your deployment by
verifying that the required virtuals, profiles, and
BIG-IP LTM and network objects have been created, checking that the RPM
files are in sync, and reviewing logs for failures, for example.
Because the initial device in the HA
device group repeats the configuration requests and propagates the configuration to
other BIG-IP devices, make sure you verify the initial configured device first,
followed by each device in the HA device group. If the initial device deployment
configuration fails, all other device configuration deployments will not
successfully be configured.
- Verify that all expected and required virtuals, profiles, and BIG-IP LTM and network objects (route-domains, VLANs, self IPs) have been created on each device in the HA device group.These will be items beginning with the name given to the application (for example, if the application was named SSLO, verify that all of the items named | Summary SSL Orchestrator 15.1.0 | 9 SSLO_* are the same on all devices).
- Ensure that all RPM file versions are identical.
- Verify your deployment with, or without, services.
- Review the following logs for failures:
- /var/log/restnoded/restnoded.log
- /var/log/restjavad.0.log
Verifying the RPM file version on both
devices
After a successful F5® SSL Orchestrator™ HA deployment, verify that the latest version
of the SSL Orchestrator zip file is installed on both devices.
The following details are for SSL Orchestrator versions 14.1.x-5.x or
higher.
- On the Main tab, click.The SSL Orchestrator screen opens.
- For both devices, validate the SSL Orchestrator RPM Version number showing in the top right banner. You can also hover your mouse over the information icon for more detailed version information.
If the versions are not identical, you must install an updated RPM file and verify
that both devices are identically configured.
Configuring deployment
settings and redeploying
If your configured deployment continues to fail, you can remove
and reconfigure all deployment settings.
- Remove all configurations present on all devices.
- For all devices, individually configure each section in the F5® SSL Orchestrator™ deployment settings and selectFinished. Verify that all new objects are properly synced and deployed.If synchronization or deployment issues persist after deploying after each section, attempt to deploy after updating each item (instead of after each section) in the SSL Orchestrator deployment settings and verify that all new objects are properly synced and deployed.
Reviewing error logs and performing
recovery steps
You can review log messages to help you debug system activity and
perform recovery steps. Refer to the
Setting up F5
Guided Configuration for SSL Orchestration logs settings
section of this
document for more information on generating logs and setting the level of logging
you want the system to perform.- Verify that all BIG-IP® LTM® and network objects are present on each of the devices in the HA device group.
- If the configuration deployment fails on each device, review the logs:
- /var/log/restnoded/restnoded.log
- /var/log/restjavad.0.log
- Use the following REST GET command to determine the state of the deployed device block in the REST storage:
- curl -s -k -u admin:adminhttps://localhost/mgmt/shared/iapp/blocks| json-format
- Since failure scenarios can vary, after reviewing the logs, attempt the following recovery steps:
- Redeploy SSL Orchestrator.If this succeeds, you have recovered from the failure situation.
- Undeploy SSL Orchestrator.By undeploying, a cleanup of MCP objects on each of the devices occurs while also cleaning up required data properties within the block stored in REST storage. If this succeeds, attempt to redeploy again.
- If redeploy or undeploy fails, do the following:
- From command line (back door),run > touch /var/config/rest/iapps/enable.
- Refresh the SSL Orchestrator menu UI.
- Select the deployed application from the list and delete the application.
- Redeploy and undeploy again.
- Once done, remove the filerm -f /var/config/rest/iapps/enable.
- If these recovery steps do not work, you may need to clean up the REST storage.
For more detailed information on
setting up HA, see the
BIG-IP Device Service Clustering: Administration
document.