
[Original] config sync troubleshooting guide

July 28, 2010
This article applies only to F5 V10.

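Clicking "config sync to peer" in the GUI and running the command b config sync have the same effect: both push the configuration to the peer device. When b config sync runs:

1.  The system tries to connect to the peer's iControl interface (running on port 443 of the peer); during this it must establish SSL and present the web administrator account and password to the peer.

2.  It synchronizes the device master key and checks the time difference.

3.  The local unit generates a UCS of the current configuration and places it under /var/tmp.

4.  It transfers the UCS file to /var/local/ucs on the peer, as a temporary UCS.

5.  It tells the peer to back up its current configuration as cs_backup.ucs.

6.  It tells the peer to run b config install to install the temporary UCS file that was transferred.

7.  It tells the peer to delete the temporary UCS.

8.  By fetching the peer's /var/log/configsync_peer.log log, it prints the result of the UCS installation on the peer to the screen.

As the process above shows, a problem at any step can make the sync fail, so when a sync fails you can start from these steps and test each stage separately:

1.  Anything that affects TCP communication, SSL establishment or account authentication prevents the channel from being set up and causes an error. In this situation the error reported is generally that the system needs to be a redundant system or that the peer is not a redundant system, and SOAP-type errors generally do not occur. Troubleshooting methods at this point:

  1. Run csTest.pl –v. This script first checks whether the prerequisites for config sync are all met; it is generally best to run it on both units.
  2. Check whether the conditions the SOAP protocol needs in order to run are met, by running each of: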

SOAPCSTest --query

SOAPCSTest --imediff

SOAPCSTest --version

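2. Check whether saving a UCS manually on the local unit works, and whether the resulting UCS file is very large; a normal UCS is not very large.

3. Check whether saving a UCS manually on the peer works, and whether directories such as /config, /var and /home on the peer are short of free space.

4. Transfer the UCS file to the peer manually and run the UCS installation manually to see whether it succeeds (this step may be affected by the name inside the UCS differing from the device name).

If troubleshooting shows that SOAP exceptions keep occurring, consider performing the SOAP operation manually, as follows:

SOAP client explanation and usage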

[root@B6900-R21-S8:Active] bin # SOAPCSClient --help

Usage: SOAPCSClient --host <Host name/IP> --port <Port> --userid <user> --password <password>

--source <source config> --destination <dest config> [--passphrase <passphrase>] [--pull] [--timediff] [--help] [--verbose]

verbose        Print out extra messages -- debug mode.

help           Print out this message.

timediff       Checks if the time difference of the two machines is acceptable.

pull           Perform configsync in pull mode, i.e. pulling configuration from peer.

host           Host name or IP address of target BIG-IP where the iControl Portal resides.

port           Port number to communicate with the iControl Portal.

userid         User name used in the communication with the iControl Portal.

password       Password used in the communication with the iControl Portal.

source         In Push mode:

Local source configuration archive to transfer to peer system.

In Pull mode:

Remote source configuration archive on peer system from which

to retrieve. No path information should be specified with archive name.

destination    In Push mode:

Remote destination configuration archive to save on peer system.

No path information should be specified with archive name.

In Pull mode:

Local destination configuration archive to save on local system.

passphrase     Passphrase used to decrypt/encrypt the UCS.

/usr/local/bin/SOAPCSClient --verbose --host 1.1.1.2 --port 443 --userid admin --password admin --source /var/local/ucs/728.ucs --destination sync.ucs

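In the command, the user and password only need to exist on the peer; they do not have to match the local unit, so this can serve as a troubleshooting point.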

+++++ Debug +++++

Target : https://1.1.1.2:443/iControl/iControlPortal.cgi   UserID/Password: admin/admin

Source: /var/local/ucs/728.ucs

Destination: sync.ucs

Configsync Mode: Push

-----------------

Local time: 1280289042, Remote time: 1280289041

Configsync Mode: Push

Transferring UCS to peer...

Uploading - Local file: /var/local/ucs/728.ucs ==> Remote file: sync.ucs

Total bytes sent: 262144

Total bytes sent: 363585

The file is transferred to the peer.

Installing UCS on peer...

Installing configuration - Remote file: sync.ucs

UCS installation starts on the peer; the peer runs it with the b config install command.

Obtaining results of remote configuration installation...

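The local unit obtains the result of the UCS installation on the remote unit by downloading the peer's installation log (below) and displaying it on screen, so the output that follows actually describes the peer.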

Downloading - Remote file: /var/local/ucs/__configsync__.out ==> Local file: /var/log/configsync_peer.log

Saving active configuration...

Current configuration backed up to /var/local/ucs/cs_backup.ucs.

Product : BIG-IP

Version : 10.0.1

Hostname: UCS   : B6900-R21-S8.lab.ss.f5net.com

System: B6900-R21-S12.lab.ss.f5net.com

Installing shared configuration on host B6900-R21-S12.lab.ss.f5net.com

Installing configuration...

Reloading configuration - this may take a few minutes...

Reading configuration from /defaults/config_base.conf.

Reading configuration from /config/bigip_base.conf.

Reading configuration from /config/bigip_sys.conf.

Reading configuration from /usr/bin/monitors/builtins/base_monitors.conf.

Reading configuration from /config/profile_base.conf.

Reading configuration from /config/daemon.conf.

Reading configuration from /config/bigip.conf.

Reading configuration from /config/bigip_local.conf.

Loading the configuration ...

The peer completed successfully; the corresponding UCS file on the peer is deleted.

Deleting configuration - Remote file: sync.ucs

Deleting configuration - Remote file: __configsync__.out

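As shown above, the SOAP client bypasses many of the checks; it is a pure SOAP communication process. If this process produces an error, then in theory b config sync will show the corresponding error too.

Some error scenarios and when they occur (excerpted from a case I handled):

The config sync IP address is not defined

The peer IP cannot be reached, e.g. the peer self IP lockdown is set to none

The peer httpd is not running, or the TCP three-way handshake with the peer cannot complete

The config sync user name or password is not the same as on the peer unit

The situations above produce the error below: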

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Error: The peer box is not a redundant pair.

BIGpipe parsing error:

01110034:3: This system needs to be a redundant pair and have a peer address specification.

I cannot reproduce the SOAP errors in the lab, as most SOAP errors are caused by strange reasons. The SOAP protocol provides the messaging framework for configsync communication, and it uses HTTPS to securely transport the configuration data set to the peer BIG-IP system.

Usually, there should not be a connectivity issue if a SOAP error is happening. We do not need to research what "Error reading from secure socket", "Error negotiating secure connection : Connection reset by peer" or "Error negotiating secure connection : Connection timed out" mean; we just need to know that these are all SOAP issues.

I searched many old cases and found various situations, summarized below:

1. The web certificate has expired, although an expired certificate does not necessarily cause the issue.

2. Some directories such as /config, /home and /usr contain large files.

3. A unit that includes the ASM module is likely to encounter this issue.

4. Some versions have a bug, maybe using "peer" as the destination address when it is not included in /etc/hosts.

5. Wrong config sync IP address. I found a case where changing the IP to the MGMT address fixed the issue.

6. A case from Hong Kong: the configuration was all OK, and the problem was fixed just by using another user as the config sync user (actually, the admin user had no problem).

7. A case from the USA: the admin password was confirmed to be the same on both units, but the SOAP error was always displayed; resetting the admin password fixed it.

Here are my research notes:

(1) ------------------------------------------------------------------------------------------------------

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Error: The peer box is not a redundant pair.

BIGpipe parsing error:

01110034:3: This system needs to be a redundant pair and have a peer address specification.

---->

(if the config sync IP is not defined; or the peer IP cannot be reached, e.g. the peer self IP lockdown is set to none, the peer httpd is not running, or the TCP three-way handshake cannot complete; or the config sync user name or password is not the same as on the peer unit)

(2) ------------------------------------------------------------------------------------------------------

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Synchronizing Master Keys...

Saving active configuration...

Configsync Mode: Push

Transferring UCS to peer...

Installing UCS on peer...

SOAPException: 'Error reading from secure socket'

Transport and install failed

---->

(maybe the UCS file is too big: some folders contain large files)

(3) ------------------------------------------------------------------------------------------------------

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Synchronizing Master Keys...

Saving active configuration...

Configsync Mode: Push

Transferring UCS to peer...

Installing UCS on peer...

SOAPException: 'Error reading from secure socket'

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

---->

(similar case: certificate expired; mostly happened on units that include the ASM module)

(4) ------------------------------------------------------------------------------------------------------

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Synchronizing Master Keys...

Saving active configuration...

SOAPException: 'Error negotiating secure connection : Connection reset by peer '

Transport and install failed

---->

(one similar case:

Operation Status

Checking configuration on local system and peer system...

Peer's IP address: 198.18.252.14

Caught SOAP exception: Error negotiating secure connection : Connection reset by peer

Error: There is a problem accessing the peer system.

BIGpipe parsing error:

01110034:3: The configuration for running config-sync is incorrect.

----------> /usr usage was high; deleted some files and rebooted, then OK

)

(5) ------------------------------------------------------------------------------------------------------

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.210

Synchronizing Master Keys...

Saving active configuration...

SOAPException: 'Error negotiating secure connection : Connection reset by peer '

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

(6) ------------------------------------------------------------------------------------------------------

[root@ml7ts003p:Active] config # b config sync

Checking configuration on local box and peer box...

Peer's IP address: 172.24.170.73

Synchronizing Master Keys...

Saving active configuration...

Configsync Mode: Push

Transferring UCS to peer...

Installing UCS on peer...

SOAPException: 'Error negotiating secure connection : Connection timed out '

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

---->

(Microsoft case: wrong config sync IP address. Other cases had large files in the config folder)
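
The stage-by-stage reasoning and the research notes above, as an added example (not the author's or F5's code): a POSIX shell triage of a saved b config sync transcript. The function names, stage labels and sample transcript are constructed here; the progress markers and error strings are the ones in the V10 output quoted on this page.

```shell
#!/bin/sh
# Added example: classify a saved `b config sync` transcript by the last
# stage reached and the error family, using strings quoted in the article.

# How far the sync got: the highest-ranked progress marker in the file.
sync_stage() {
    awk '
        function up(n, name) { if (n > rank) { rank = n; stage = name } }
        /Checking configuration on local/ { up(1, "precheck") }
        /Synchronizing Master Keys/       { up(2, "master-key") }
        /Saving active configuration/     { up(3, "local-ucs-save") }
        /Transferring UCS to peer/        { up(4, "ucs-transfer") }
        /Installing UCS on peer/          { up(5, "peer-install") }
        END { print (rank ? stage : "unknown") }
    ' "$1"
}

# Which failure family the transcript shows (SOAP strings win over 01110034).
sync_error_class() {
    if   grep -q 'Error negotiating secure connection' "$1"; then echo soap-tls
    elif grep -q 'Error reading from secure socket'    "$1"; then echo soap-read
    elif grep -q '01110034:3:'                         "$1"; then echo peer-access
    else echo none
    fi
}

# One-line verdict, then the checks the article associates with that family.
triage() {
    class=$(sync_error_class "$1")
    echo "stage=$(sync_stage "$1") class=$class"
    case $class in
        peer-access) echo "check: config sync IP defined, peer reachable on 443, peer httpd, sync user/password on peer" ;;
        soap-read)   echo "check: UCS size, large files under /config /home /usr, web certificate expiry" ;;
        soap-tls)    echo "check: /usr usage, config sync IP address, large files in the config folder" ;;
        *)           echo "no known error string found" ;;
    esac
}

# Constructed sample with the same shape as case (2) in the notes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Checking configuration on local box and peer box...
Synchronizing Master Keys...
Saving active configuration...
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error reading from secure socket'
EOF
triage "$sample"; rm -f "$sample"
```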

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License
Tags: configsync F5
Last updated: August 15, 2017

纳米

linjing.io
