Manual Chapter : Determine DNS Sync Group Health

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

How do I check my sync group health?

Using the tools available on the F5 BIG-IP device user interface, it can be difficult to determine the health of your DNS sync groups. When you use F5 BIG-IQ Centralized Management to manage your DNS sync groups, the task becomes quite straightforward. You can do a quick health check, diagnose health issues, and even set up an alert to notify you if a sync group health issue occurs.

Check DNS sync group health

Before you can monitor the sync group health, you must add a BIG-IP device configured in a DNS sync group to the BIG-IP Devices inventory list, and import the LTM and DNS services.
When you use F5 BIG-IQ Centralized Management to manage your DNS sync group, you can monitor the health status of the group. Sync group health relies on complete alignment of a variety of device configuration elements. Using BIG-IQ simplifies the process of determining the health of your DNS sync groups.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP CLUSTERS > DNS Sync Groups.
    The screen displays the list of DNS sync groups defined on this device. A health indicator icon and a message describe the status of each group.
  3. To view the general properties for a sync group, click the sync group name.
    For a list of Health Status error messages, refer to DNS sync group messages.
    The screen displays the properties for the selected group. This screen shows an overview of your DNS sync group health. Under Status, you can see the current state (for example, Required Services Down, or Health Check(s) Passed) for each device in the group.
  4. To view the health for an individual sync group member, on the left click HEALTH.
    The Health screen displays detailed information for each factor that contributes to the health of a DNS sync group. Following a definition of each factor, a Status row provides additional detail. For each indicator, the most serious issues impacting that indicator are listed first. Finally, if the status for a health indicator is not Health Check(s) Passed, the Recommended Action setting describes what you can do to correct the issue.
  5. Resolve any reported issues on the managed devices, and then return to the DNS Sync Groups screen and click Refresh Status.
    Once you resolve all reported issues, the status for the DNS sync group changes to Health Check(s) Passed.

DNS sync group status messages

When BIG-IQ Centralized Management completes the health checks for a DNS sync group, an icon and a message display to indicate the current status. There are four icons, each with its own associated meaning.
Health indicator icons
  • Green: Indicates that all health checks passed satisfactorily.
  • Blue: Indicates that the health status is unknown or uncertain.
  • Yellow: Indicates a warning, or that the group health is sub-optimal.
  • Red: Indicates that a critical issue was found.
Health indicator messages
Each entry lists the message, its health indicator color, a description, and the corrective action.
Awaiting Sync (Yellow)
  Description: When you are considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.
  Corrective Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.
  Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Certificate Expired (Red)
  Description: BIG-IP DNS uses the device's Apache server certificate to act as the server certificate when establishing iQuery connections. If this certificate expires, then all iQuery communication to and from this device is prevented. This indicator informs the DNS admin when one of the devices in a sync group has a device certificate that is near expiration, or is currently expired.
  This indicator only validates the expiration on the server certificate for each device. It does not examine the traffic certificates used in SSL profiles or DNSSEC certifications.
  Corrective Action: Renew the device certificate or import a new certificate.
  Related Solutions: SOL6353: Updating an SSL device certificate on a BIG-IP system.
Certificates Expiring (Yellow)
  Description: The device certificate for this BIG-IP DNS device is near expiration. If the certificate expires, this BIG-IP DNS device will not be able to communicate with other BIG-IP devices using the iQuery protocol.
  Corrective Action: Either renew the device certificate or import a new certificate.
Changes Pending (Yellow)
  Description: When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.
  Corrective Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.
  Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Collecting Data (Blue)
  Description: Either the certificate has not yet been discovered by BIG-IQ or the device is unreachable.
  Corrective Action: If the certificate is the issue, the needed data should be collected automatically. If this condition persists, check the BIG-IQ logs for any error messages.
  If the device is unreachable, determine why BIG-IQ cannot contact the BIG-IP device. There could be network issues, the device could be offline, or the BIG-IQ Restjavad service could be down.
Incompatible Device Versions (Red)
  Description: A GTM sync group consists of one or more GTM devices. For sync to perform correctly, each device must have the same base version of TMOS installed. To determine the version of TMOS, view the version component of the output of tmsh show sys version.
  Corrective Action: Upgrade all BIG-IP devices in the sync group to the same version.
  Related Solutions:
    SOL8759: Displaying the BIG-IP Software Version.
    SOL13734: BIG-IP DNS synchronization group requirements.
Member Sync Disabled (Red)
  Description: BIG-IP DNS devices have properties to control which sync group a device belongs to, and whether synchronization is enabled. A device can be a member of a sync group, but have synchronization disabled. Changes made on a device on which synchronization is disabled cannot sync to the other devices. F5 recommends not having sync groups with synchronization disabled on some of the devices. We also recommend not making changes on devices if synchronization is disabled.
  Corrective Action: Enable synchronization on all devices in the group.
  Related Solutions: SOL13734: BIG-IP DNS synchronization group requirements.
Required Services Down (Red)
  Description: For the BIG-IP DNS devices to be able to sync configuration changes, the following services (daemons) must be running on all the devices in the sync group:
    • mcpd
    • gtmd
    • big3d
    • tmm
  If any of these services is down, then configuration will not sync between the devices in the sync group. The sync group health is primarily concerned with reporting the health of only the sync group itself, not the health of the functionality provided by each device in the sync group.
  Corrective Action: Start the stopped services.
  Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections (Troubleshooting daemons).
Server Object Missing (Red)
  Description: On the BIG-IP device, the DNS server objects define the IP address on which iQuery connections are made. There must be a server object for every DNS device in the sync group so that they can establish the necessary connections. This indicator validates that all devices have a server object, and that the necessary ports are open to allow the iQuery communication that happens over port 4353.
  Corrective Action: Verify that the DNS server objects have an associated self IP address.
  Related Solutions: SOL13734: BIG-IP DNS synchronization group requirements.
Syncing Changes (Yellow)
  Description: When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.
  Corrective Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.
  Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Unknown Device Availability (Blue)
  Description: The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy.
  If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group.
  Corrective Action: Determine and fix loss of device availability.
  Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections (Troubleshooting daemons).
Unreachable Devices (Red)
  Description: The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy.
  If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group.
  Corrective Action: Determine and fix loss of device availability.
  Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections (Troubleshooting daemons).
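
An out-of-band cross-check of two conditions from the messages above, device certificate expiry and TMOS version alignment, written as an added Python example (not F5 or BIG-IQ code). The device names, the sample command output, the 30-day "near expiration" window, and comparing the full Version field are assumptions; the page does not define them.

```python
import re
import ssl
from datetime import datetime, timezone

PASSED = "Health Check(s) Passed"
# Constructed sample input. Per device: output of `tmsh show sys version`, then
# output of `openssl x509 -noout -enddate` run on that device's certificate.
VERSION_OUTPUT = ("Sys::Version\nMain Package\n  Product     BIG-IP\n"
                  "  Version     {}\n  Build       0.0.9\n")
SAMPLE = {
    "dns-a.example.net": (VERSION_OUTPUT.format("15.1.2"), "notAfter=Mar  1 00:00:00 2031 GMT"),
    "dns-b.example.net": (VERSION_OUTPUT.format("15.1.2"), "notAfter=Jan 15 00:00:00 2030 GMT"),
    "dns-c.example.net": (VERSION_OUTPUT.format("14.1.4"), "notAfter=Dec  1 00:00:00 2029 GMT"),
}

def tmos_version(show_sys_version):
    """Extract the Version field; the 'Sys::Version' header line must not match."""
    m = re.search(r"^[ \t]*Version[ \t]+(\S+)[ \t]*$", show_sys_version, re.MULTILINE)
    if m is None:
        raise ValueError("no Version line in tmsh output")
    return m.group(1)

def cert_status(enddate_line, now, warn_days=30):
    """Map a certificate end date to the matching health message.

    `now` must be a timezone-aware datetime."""
    not_after = ssl.cert_time_to_seconds(enddate_line.split("=", 1)[1].strip())
    remaining = not_after - now.timestamp()
    if remaining <= 0:
        return "Certificate Expired"
    if remaining <= warn_days * 86400:  # assumed "near expiration" window
        return "Certificates Expiring"
    return PASSED

def check_group(devices, now, warn_days=30):
    """Return {device: certificate message} plus a '(group)' version verdict."""
    report = {name: cert_status(end, now, warn_days) for name, (_, end) in devices.items()}
    versions = {name: tmos_version(out) for name, (out, _) in devices.items()}
    if len(set(versions.values())) > 1:
        detail = ", ".join(f"{n}={v}" for n, v in sorted(versions.items()))
        report["(group)"] = f"Incompatible Device Versions: {detail}"
    else:
        report["(group)"] = PASSED
    return report

if __name__ == "__main__":
    # Constructed clock so the sample run is reproducible; pass
    # datetime.now(timezone.utc) when checking real data.
    for name, status in check_group(SAMPLE, datetime(2030, 1, 1, tzinfo=timezone.utc)).items():
        print(f"{name}: {status}")
```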

How do I set up an alert for DNS sync group issues?

You can configure a BIG-IQ SMTP alert to send email notifications when specific DNS sync group issues occur.
The following issues can trigger an alert:
  • A new health status is generated for a DNS sync group. For instance, you might have just discovered a new sync group.
  • The overall health status changes. For example, a device group that was healthy becomes unhealthy.
  • The primary indicator (the most significant reason for the group's current health status) changed. (For example, the group is still unhealthy, but the reason is different than before.)
You enable or disable DNS alerts from the System Management > Alerts screen. For detailed instructions on creating an SMTP alert, refer to How do I set up BIG-IQ to work with SMTP? in the F5 BIG-IQ Centralized Management: Licensing and Initial Setup guide on support.F5.com.
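
The three triggers listed above, modelled as a comparison between consecutive health polls of a sync group. This is an added Python example, not BIG-IQ's alerting code; treating the icon color as the overall status, the red > yellow > blue > green ranking used to pick the primary indicator, and the group name and poll history are assumptions.

```python
# Message -> health indicator color, as listed on this page.
COLOR = {
    "Health Check(s) Passed": "green",
    "Awaiting Sync": "yellow", "Changes Pending": "yellow",
    "Syncing Changes": "yellow", "Certificates Expiring": "yellow",
    "Collecting Data": "blue", "Unknown Device Availability": "blue",
    "Certificate Expired": "red", "Incompatible Device Versions": "red",
    "Member Sync Disabled": "red", "Required Services Down": "red",
    "Server Object Missing": "red", "Unreachable Devices": "red",
}
# Assumed ranking for choosing the primary indicator; the page does not give one.
RANK = {"green": 0, "blue": 1, "yellow": 2, "red": 3}

def summarize(messages):
    """Return (overall color, primary indicator) for a non-empty message list."""
    primary = max(messages, key=lambda m: RANK[COLOR[m]])  # first wins on ties
    return COLOR[primary], primary

def alert_reason(previous, current):
    """Return which of the three triggers fires for this poll, or None."""
    if previous is None:
        return "new health status"
    (old_color, old_primary) = summarize(previous)
    (new_color, new_primary) = summarize(current)
    if old_color != new_color:
        return "overall health status changed"
    if old_primary != new_primary:
        return "primary indicator changed"
    return None

def replay(polls):
    """Walk (group, messages) polls in order; return the alerts they raise."""
    last, alerts = {}, []
    for group, messages in polls:
        reason = alert_reason(last.get(group), messages)
        if reason:
            alerts.append((group, reason, summarize(messages)[1]))
        last[group] = messages
    return alerts

# Constructed poll history for one hypothetical sync group.
POLLS = [
    ("dns-sync-1", ["Health Check(s) Passed"]),
    ("dns-sync-1", ["Certificates Expiring"]),
    ("dns-sync-1", ["Certificates Expiring", "Syncing Changes"]),
    ("dns-sync-1", ["Syncing Changes"]),
    ("dns-sync-1", ["Certificate Expired", "Syncing Changes"]),
]
```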