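Clicking config sync to peer in the GUI and running the command b config sync have the same effect: both push the configuration to the peer device. When b config sync is executed:
1. The system tries to connect to the peer's iControl interface (running on port 443 of the peer). This involves establishing SSL and presenting the web administrator account and password to the peer.
2. It synchronizes the device master key and checks the time difference.
3. The local unit generates a UCS of the current configuration and places it under /var/tmp.
4. It transfers the UCS file to /var/local/ucs on the peer as a temporary UCS.
5. It tells the peer to back up its current configuration as cs_backup.ucs.
6. It tells the peer to run b config install to install the transferred temporary UCS file.
7. It tells the peer to delete the temporary UCS.
8. By retrieving the peer's /var/log/configsync_peer.log log, it prints the peer's UCS installation result to the screen.
As the process above shows, a problem at any step can make the sync fail, so when a sync fails you can start from these steps and test each stage separately:
1. Anything that affects TCP communication, SSL establishment or account authentication prevents the channel from being set up and causes an error. In this situation the reported error is usually that the system needs to be a redundant system or that the peer is not a redundant system; SOAP errors generally do not occur at this point. Troubleshooting methods at this point:
- Run csTest.pl -v. This script first checks whether the prerequisites for config sync are all met; it is usually best to run it on both units.
- Check whether the conditions for running the SOAP protocol are met by running each of: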
SOAPCSTest --query
SOAPCSTest --imediff
SOAPCSTest --version
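2. Check whether manually saving a UCS locally works, and whether the resulting UCS file is extremely large; a normal UCS is not very large.
3. Check whether manually saving a UCS on the peer works, and whether directories such as /config, /var and /home on the peer are low on free space.
4. Manually transfer the UCS file to the peer and install it by hand to see whether it succeeds (this step may be affected by the hostname in the UCS differing from the device name).
If troubleshooting shows that SOAP exceptions keep occurring, consider performing the SOAP operation by hand, as follows:
SOAP client explanation and usage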
[root@B6900-R21-S8:Active] bin # SOAPCSClient --help
Usage: SOAPCSClient --host <Host name/IP> --port <Port> --userid <user> --password <password>
--source <source config> --destination <dest config> [--passphrase <passphrase>] [--pull] [--timediff] [--help] [--verbose]
verbose Print out extra messages -- debug mode.
help Print out this message.
timediff Checks if the time difference of the two machines is acceptable.
pull Perform configsync in pull mode, i.e. pulling configuration from peer.
host Host name or IP address of target BIG-IP where the iControl Portal resides.
port Port number to communicate with the iControl Portal.
userid User name used in the communication with the iControl Portal.
password Password used in the communication with the iControl Portal.
source In Push mode:
Local source configuration archive to transfer to peer system.
In Pull mode:
Remote source configuration archive on peer system from which
to retrieve. No path information should be specified with archive name.
destination In Push mode:
Remote destination configuration archive to save on peer system.
No path information should be specified with archive name.
In Pull mode:
Local destination configuration archive to save on local system.
passphrase Passphrase used to decrypt/encrypt the UCS.
/usr/local/bin/SOAPCSClient --verbose --host 1.1.1.2 --port 443 --userid admin --password admin --source /var/local/ucs/728.ucs --destination sync.ucs
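The user and password in the command only need to exist on the peer; they do not have to match the local unit, so this can be used as a troubleshooting point. Note that --verbose echoes the user ID and password in clear text in the Debug header below.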
+++++ Debug +++++
Target : https://1.1.1.2:443/iControl/iControlPortal.cgi UserID/Password: admin/admin
Source: /var/local/ucs/728.ucs
Destination: sync.ucs
Configsync Mode: Push
-----------------
Local time: 1280289042, Remote time: 1280289041
Configsync Mode: Push
Transferring UCS to peer...
Uploading - Local file: /var/local/ucs/728.ucs ==> Remote file: sync.ucs
Total bytes sent: 262144
Total bytes sent: 363585
The file is transferred to the peer machine.
Installing UCS on peer...
Installing configuration - Remote file: sync.ucs
UCS installation starts on the peer machine; the peer runs it with the b config install command.
Obtaining results of remote configuration installation...
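The local unit obtains the result of the UCS installation on the remote machine by downloading the peer's installation log (below) and displaying it on screen, so the output that follows actually describes the state of the peer machine.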
Downloading - Remote file: /var/local/ucs/__configsync__.out ==> Local file: /var/log/configsync_peer.log
Saving active configuration...
Current configuration backed up to /var/local/ucs/cs_backup.ucs.
Product : BIG-IP
Version : 10.0.1
Hostname: UCS : B6900-R21-S8.lab.ss.f5net.com
System: B6900-R21-S12.lab.ss.f5net.com
Installing shared configuration on host B6900-R21-S12.lab.ss.f5net.com
Installing configuration...
Reloading configuration - this may take a few minutes...
Reading configuration from /defaults/config_base.conf.
Reading configuration from /config/bigip_base.conf.
Reading configuration from /config/bigip_sys.conf.
Reading configuration from /usr/bin/monitors/builtins/base_monitors.conf.
Reading configuration from /config/profile_base.conf.
Reading configuration from /config/daemon.conf.
Reading configuration from /config/bigip.conf.
Reading configuration from /config/bigip_local.conf.
Loading the configuration ...
The peer completed successfully; the corresponding UCS files on the peer are deleted.
Deleting configuration - Remote file: sync.ucs
Deleting configuration - Remote file: __configsync__.out
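As the output above shows, the SOAP client bypasses many of the checks; this is a pure SOAP communication process. If this process produces an error, in theory b config sync will produce the corresponding error as well.
Attached are some error scenarios (excerpted from a case I handled):
IP address of config sync was not defined
Peer IP cannot be reached, e.g. peer self IP lockdown set to none
Peer httpd is not running, or the TCP three-way handshake with the peer cannot complete
Config sync user name or password is not the same as on the peer unit
The above situations will show the error below: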
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Error: The peer box is not a redundant pair.
BIGpipe parsing error:
01110034:3: This system needs to be a redundant pair and have a peer address specification.
I cannot reproduce the SOAP error in the lab, as most SOAP errors are caused by strange reasons. The SOAP protocol provides the messaging framework for configsync communication, and it uses HTTPS to securely transport the configuration data set to the peer BIG-IP system.
Usually, there should not be a connectivity issue if a SOAP error is happening. We do not need to research what "Error reading from secure socket", "Error negotiating secure connection : Connection reset by peer" or "Error negotiating secure connection : Connection timed out" mean; we just need to know these are all SOAP issues.
I searched many old cases and found various situations, summarized below:
1. Web certificate expired, but an expired certificate will not necessarily result in the issue.
2. Some directories such as /config, /home, /usr contain large files.
3. A unit that includes the ASM module is likely to encounter this issue.
4. Some versions have a bug; maybe they use "peer" as the destination address but it is not included in /etc/hosts.
5. Wrong config sync IP address. Found a case where changing the IP to the MGMT address fixed the issue.
6. A case from Hong Kong: the configuration was all OK; the problem was fixed just by using another user as the config sync user (actually, the admin user had no problem).
7. A case from the USA: confirmed the admin password was the same on both units, but a SOAP error was always displayed; reset the admin password, then OK.
Here are my research notes:
(1) ------------------------------------------------------------------------------------------------------
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Error: The peer box is not a redundant pair.
BIGpipe parsing error:
01110034:3: This system needs to be a redundant pair and have a peer address specification.
---->
(if the config sync IP was not defined, or the peer IP cannot be reached, e.g. peer self IP lockdown set to none, peer httpd is not running, or the TCP three-way handshake cannot complete, or the config sync user name or password is not the same as on the peer unit)
(2) ------------------------------------------------------------------------------------------------------
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Synchronizing Master Keys...
Saving active configuration...
Configsync Mode: Push
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error reading from secure socket'
Transport and install failed
---->
(maybe the UCS file is too big; some folders include large files)
(3) ------------------------------------------------------------------------------------------------------
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Synchronizing Master Keys...
Saving active configuration...
Configsync Mode: Push
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error reading from secure socket'
Transport and install failed
Error running config sync all.
BIGpipe parsing error:
01110001:3: Error running config sync all
---->
(similar case: certificate expired; mostly happened on units that include the ASM module)
(4) ------------------------------------------------------------------------------------------------------
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Synchronizing Master Keys...
Saving active configuration...
SOAPException: 'Error negotiating secure connection : Connection reset by peer '
Transport and install failed
---->
(one similar case:
Operation Status
Checking configuration on local system and peer system...
Peer's IP address: 198.18.252.14
Caught SOAP exception: Error negotiating secure connection : Connection reset by peer
Error: There is a problem accessing the peer system.
BIGpipe parsing error:
01110034:3: The configuration for running config-sync is incorrect.
----------> /usr usage was high; deleted some files and rebooted, then OK
)
(5) ------------------------------------------------------------------------------------------------------
[root@ml7ts007p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Synchronizing Master Keys...
Saving active configuration...
SOAPException: 'Error negotiating secure connection : Connection reset by peer '
Transport and install failed
Error running config sync all.
BIGpipe parsing error:
01110001:3: Error running config sync all
(6) ------------------------------------------------------------------------------------------------------
[root@ml7ts003p:Active] config # b config sync
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.73
Synchronizing Master Keys...
Saving active configuration...
Configsync Mode: Push
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error negotiating secure connection : Connection timed out '
Transport and install failed
Error running config sync all.
BIGpipe parsing error:
01110001:3: Error running config sync all
---->
(Microsoft case: wrong config sync IP address. Other cases had large files in the config folder)
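Added example (not part of the original post and not an F5 tool): a shell function that reduces a captured b config sync transcript to the peer address, the last sync stage reached, the BIGpipe error code and the checks the case notes above associate with that error. The function name and the stage and check labels are assumptions made for this example; the two sample transcripts are copied from cases (1) and (2) above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a `b config sync` transcript.
classify_sync() {   # transcript on stdin -> one summary line on stdout
    awk '
        /Peer.s IP address:/              { peer = $NF }
        /Checking configuration on local/ { stage = "precheck" }
        /Synchronizing Master Keys/       { stage = "masterkey" }
        /Saving active configuration/     { stage = "save-ucs" }
        /Transferring UCS to peer/        { stage = "transfer" }
        /Installing UCS on peer/          { stage = "install" }
        /^[0-9]+:[0-9]+: /                { code = $1; sub(/:.*/, "", code) }
        # Check labels (assumed names) paraphrase the causes listed in the case notes.
        /redundant pair/                   { check = "syncip,reachability,httpd,credentials" }
        /Error reading from secure socket/ { check = "ucs-size,disk-space,certificate" }
        /Connection reset by peer/         { check = "peer-disk-usage" }
        /Connection timed out/             { check = "syncip-address,large-files" }
        END {
            if (peer == "")  peer = "unknown"
            if (stage == "") stage = "none"
            if (code == "")  code = "none"
            if (check == "") check = "none"
            printf "peer=%s stage=%s code=%s check=%s\n", peer, stage, code, check
        }'
}
sample_precheck_failure() {   # transcript (1) from the notes above
cat <<'EOF'
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Error: The peer box is not a redundant pair.
BIGpipe parsing error:
01110034:3: This system needs to be a redundant pair and have a peer address specification.
EOF
}
sample_install_failure() {    # transcript (2) from the notes above
cat <<'EOF'
Checking configuration on local box and peer box...
Peer's IP address: 172.24.170.210
Synchronizing Master Keys...
Saving active configuration...
Configsync Mode: Push
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error reading from secure socket'
Transport and install failed
EOF
}
sample_precheck_failure | classify_sync
sample_install_failure | classify_sync
```

The stage tells you which of the eight sync steps to re-test by hand; the check field only points at the causes recorded in the notes and is not a diagnosis.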