Applies To:
BIG-IQ Centralized Management
- 5.4.0
How do I check my sync group health?
Using the tools available on the BIG-IP® user interface, it can be difficult to determine the health of your DNS sync groups. When you use F5® BIG-IQ® Centralized Management to manage your DNS sync groups, the task becomes quite straightforward. You can do a quick health check, diagnose health issues, and even set up an alert to notify you if a sync group health issue occurs.
Check DNS sync group health
DNS sync group status messages
When BIG-IQ® Centralized Management completes health checks for a DNS sync group, an icon and a message display to indicate the current status. There are four icons, each with its own associated meaning.
Icon | Meaning |
---|---|
Green icon | Indicates that all health checks passed satisfactorily. |
Blue icon | Indicates that the health status is unknown or uncertain. |
Yellow icon | Indicates a warning, or that the group health is sub-optimal. |
Red icon | Indicates that a critical issue was found. |
Message | Health indicator color | Description | Corrective Action |
---|---|---|---|
Awaiting Sync | Yellow | When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync-group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP® device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are. | Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution. Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections. |
Certificate Expired | Red | BIG-IP DNS uses the device's Apache server certificate as the server certificate when establishing iQuery® connections. If this certificate expires, then all iQuery communication to and from this device is prevented. This indicator informs the DNS admin when one of the devices in a sync group has a device certificate that is near expiration, or is currently expired. This indicator only validates the expiration of the server certificate for each device. It does not examine the traffic certificates used in SSL profiles or DNSSEC certifications. | Renew the device certificate or import a new certificate. Related Solutions: SOL6353: Updating an SSL device certificate on a BIG-IP system. |
Certificates Expiring | Yellow | The device certificate for this BIG-IP DNS device is near expiration. If the certificate expires, this BIG-IP DNS device will not be able to communicate with other BIG-IP devices using the iQuery protocol. | Either renew the device certificate or import a new certificate. |
Changes Pending | Yellow | When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync-group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are. | Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution. Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections. |
Collecting Data | Blue | Either the certificate has not yet been discovered by BIG-IQ or the device is unreachable. | If the certificate is the issue, the needed data should be collected automatically. If this condition persists, check the BIG-IQ logs for any error messages. If the device is unreachable, determine why BIG-IQ cannot contact the BIG-IP device. There could be network issues, the device could be offline, or the BIG-IQ Restjavad service could be down. |
Incompatible Device Versions | Red | A GTM sync group consists of one or more GTM devices. For sync to perform correctly, each device must have the same base version of TMOS installed. To determine the version of TMOS, view the version component of the output of tmsh show sys version. | Upgrade all BIG-IP devices in the sync group to the same version. Related Solutions: SOL8759: Displaying the BIG-IP Software Version. SOL13734: BIG-IP DNS synchronization group requirements. |
Member Sync Disabled | Red | BIG-IP DNS devices have properties to control which sync group a device belongs to, and whether synchronization is enabled. A device can be a member of a sync group, but have synchronization disabled. Changes made on a device on which synchronization is disabled cannot sync to the other devices. F5 recommends not having sync groups with synchronization disabled on some of the devices. We also recommend not making changes on devices if synchronization is disabled. | Enable synchronization on all devices in the group. Related Solutions: SOL13734: BIG-IP DNS synchronization group requirements. |
Required Services Down | Red | For the BIG-IP DNS devices to be able to sync configuration changes, the following services (daemons) must be running on all the devices in the sync group: If any of these services is down, then configuration will not sync between the devices in the sync group. The sync group health is primarily concerned with reporting the health of only the sync group itself; not the health of the functionality provided by each device in the sync group. | Start stopped services. Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons. |
Server Object Missing | Red | On the BIG-IP device, the DNS server objects define the IP address on which iQuery connections are made. There must be a server object for every DNS device in the sync group so that they can establish the necessary connections. This indicator validates that all devices have a server object, and that the necessary ports are open to allow the iQuery communication that happens over port 4353. | Verify that the DNS server objects have an associated self IP address. Related Solutions: SOL13734: BIG-IP DNS synchronization group requirements. |
Syncing Changes | Yellow | When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync-group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are. | Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution. Related Solutions: SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections. |
Unknown Device Availability | Blue | The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy. If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group. | Determine and fix loss of device availability. Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons. |
Unreachable Devices | Red | The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy. If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group. | Determine and fix loss of device availability. Related Solutions: SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons. |
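The Incompatible Device Versions check above can be reproduced by hand from the output of tmsh show sys version collected on each member. The following is an added example, not F5 code: the hostnames and sample outputs are constructed, and it assumes that the Version field is the "base version" the table refers to.

```python
import re
from collections import defaultdict

# Constructed sample output of `tmsh show sys version` for three hypothetical
# sync-group members (hostnames, versions and builds are made up).
def _sample(version, build):
    return (
        "Sys::Version\nMain Package\n"
        "  Product     BIG-IP\n"
        f"  Version     {version}\n"
        f"  Build       {build}\n"
        "  Edition     Final\n"
    )

SAMPLE_OUTPUTS = {
    "dns-a.example.net": _sample("13.1.0", "0.0.1868"),
    "dns-b.example.net": _sample("13.1.0", "0.0.1868"),
    "dns-c.example.net": _sample("12.1.3", "0.0.378"),
}

# Match the indented "Version" field only, never the "Sys::Version" banner.
VERSION_RE = re.compile(r"^[ \t]*Version[ \t]+(\S+)[ \t]*$", re.MULTILINE)

def parse_version(output):
    """Return the Version field of `tmsh show sys version`, or None."""
    match = VERSION_RE.search(output or "")
    return match.group(1) if match else None

def check_group_versions(outputs):
    """Group members by version; return (status, {version: [hosts]}).

    status is "ok", "incompatible" (more than one version in the group) or
    "unknown" (no members, or a member returned no parsable version, so the
    group cannot be declared healthy).
    """
    by_version = defaultdict(list)
    for host, output in sorted(outputs.items()):
        by_version[parse_version(output)].append(host)
    groups = dict(by_version)
    if not groups or None in groups:
        return "unknown", groups
    if len(groups) > 1:
        return "incompatible", groups
    return "ok", groups

if __name__ == "__main__":
    status, groups = check_group_versions(SAMPLE_OUTPUTS)
    print(status)
    for version, hosts in groups.items():
        print(f"  {version}: {', '.join(hosts)}")
```

A member whose output is empty or unparsable makes the result "unknown" rather than "ok", matching the table's rule that a group cannot be considered healthy when data from one device is missing.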
How do I set up an alert for DNS sync group issues?
You can configure a BIG-IQ® SMTP alert to send email notifications when specific DNS sync group issues occur.
The following issues can trigger an alert:
- A new health status is generated for a DNS sync group. For instance, you might have just discovered a new sync group.
- The overall health status changes. For example, a device group that was healthy becomes unhealthy.
- The primary indicator (the most significant reason for the group's current health status) changed. (For example, the group is still unhealthy, but the reason is different than before.)
You enable or disable DNS alerts from the screen. For detailed instructions on creating an SMTP alert, refer to How do I set up BIG-IQ to work with SMTP? in the F5 BIG-IQ Centralized Management: Licensing and Initial Setup guide on support.F5.com.