[Original] Config sync troubleshooting guide

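Clicking "config sync to peer" in the GUI and running the command b config sync have the same effect: both push the configuration to the peer device. When b config sync is executed:

1.  The system tries to connect to the peer's iControl interface (running on port 443 of the peer). During this it must establish SSL and present the web administrator account and password to the peer.

2.  Synchronize the device master key and check the time difference.

3.  The local unit generates a UCS of the current configuration and places it under /var/tmp.

4.  Transfer the UCS file to /var/local/ucs on the peer, as a temporary UCS.

5.  Tell the peer to back up its current configuration as cs_backup.ucs.

6.  Tell the peer to run b config install to install the transferred temporary UCS file.

7.  Tell the peer to delete the temporary UCS.

8.  Retrieve the peer's /var/log/configsync_peer.log log and print the peer's UCS installation result on screen.

As the process above shows, a problem at any step can make the sync fail. So when a sync fails, start from these steps and test each stage separately to see whether it works: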

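1.  Anything that affects TCP communication, SSL establishment or account verification prevents the channel from being completed and triggers an error. In this situation the error reported is usually that the system needs to be a redundant system, or that the peer is not a redundant system. SOAP-type errors generally do not occur at this point. Troubleshooting methods at this point:

  1. Run csTest.pl –v. This script first checks whether all prerequisites for config sync are met; it is generally best to run the check on both units.
  2. Check whether the conditions for running the SOAP protocol are met, by running each of the following: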

SOAPCSTest –query

SOAPCSTest –imediff

SOAPCSTest –version

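2. Check whether manually saving a UCS locally works, and whether the resulting UCS file is very large; a normal UCS is not very large.

3. Check whether manually saving a UCS on the peer works, and whether directories such as /config, /var and /home on the peer are short of free space.

4. Manually transfer the UCS file to the peer and manually install it there, to see whether it succeeds (this step may be affected by the name inside the UCS differing from the device name).

If troubleshooting shows that SOAP exceptions always occur, consider performing the SOAP operation manually, as follows:

SOAP client explanation and usage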

[root@B6900-R21-S8:Active] bin # SOAPCSClient --help

Usage: SOAPCSClient --host <Host name/IP> --port <Port> --userid <user> --password <password>

--source <source config> --destination <dest config> [--passphrase <passphrase>] [--pull] [--timediff] [--help] [--verbose]

verbose        Print out extra messages — debug mode.

help           Print out this message.

timediff       Checks if the time difference of the two machines is acceptable.

pull           Perform configsync in pull mode, i.e. pulling configuration from peer.

host           Host name or IP address of target BIG-IP where the iControl Portal resides.

port           Port number to communicate with the iControl Portal.

userid         User name used in the communication with the iControl Portal.

password       Password used in the communication with the iControl Portal.

source         In Push mode:

Local source configuration archive to transfer to peer system.

In Pull mode:

Remote source configuration archive on peer system from which

to retrieve. No path information should be specified with archive name.

destination    In Push mode:

Remote destination configuration archive to save on peer system.

No path information should be specified with archive name.

In Pull mode:

Local destination configuration archive to save on local system.

passphrase     Passphrase used to decrypt/encrypt the UCS.

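/usr/local/bin/SOAPCSClient --verbose --host 1.1.1.2 --port 443 --userid admin --password admin --source /var/local/ucs/728.ucs --destination sync.ucs

The user and password in the command only need to exist on the peer; they do not have to match those on the local unit, so this can be used as a troubleshooting point.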

+++++ Debug +++++

Target : https://1.1.1.2:443/iControl/iControlPortal.cgi   UserID/Password: admin/admin

Source: /var/local/ucs/728.ucs

Destination: sync.ucs

Configsync Mode: Push

—————–

Local time: 1280289042, Remote time: 1280289041

Configsync Mode: Push

Transferring UCS to peer…

Uploading – Local file: /var/local/ucs/728.ucs ==> Remote file: sync.ucs

Total bytes sent: 262144

Total bytes sent: 363585

The file is transferred to the peer unit.

Installing UCS on peer…

Installing configuration – Remote file: sync.ucs

UCS installation starts on the peer unit; the peer runs it with the b config install command.

Obtaining results of remote configuration installation…

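The local unit obtains the UCS installation result from the remote unit by downloading the peer's installation log, as shown below, and displaying it on screen, so the output that follows actually describes what happened on the peer unit.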

Downloading – Remote file: /var/local/ucs/__configsync__.out ==> Local file: /var/log/configsync_peer.log

Saving active configuration…

Current configuration backed up to /var/local/ucs/cs_backup.ucs.

Product : BIG-IP

Version : 10.0.1

Hostname: UCS   : B6900-R21-S8.lab.ss.f5net.com

System: B6900-R21-S12.lab.ss.f5net.com

Installing shared configuration on host B6900-R21-S12.lab.ss.f5net.com

Installing configuration…

Reloading configuration – this may take a few minutes…

Reading configuration from /defaults/config_base.conf.

Reading configuration from /config/bigip_base.conf.

Reading configuration from /config/bigip_sys.conf.

Reading configuration from /usr/bin/monitors/builtins/base_monitors.conf.

Reading configuration from /config/profile_base.conf.

Reading configuration from /config/daemon.conf.

Reading configuration from /config/bigip.conf.

Reading configuration from /config/bigip_local.conf.

Loading the configuration …

The peer completed successfully; the corresponding UCS files on the peer are deleted.

Deleting configuration – Remote file: sync.ucs

Deleting configuration – Remote file: __configsync__.out

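As shown above, the SOAP client bypasses many of the checks; this is a pure SOAP communication process. If this process produces an error, then in theory b config sync will produce the corresponding error as well.

Appended are some error scenarios (excerpted from a case I handled):

IP address of config sync was not defined

Peer IP cannot be reached, e.g. peer selfip lockdown set to none

Peer httpd is not running, or the TCP three-way handshake with the peer cannot be completed

Config sync user name or password is not the same as on the peer unit

The above situations will show the error below: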

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Error: The peer box is not a redundant pair.

BIGpipe parsing error:

01110034:3: This system needs to be a redundant pair and have a peer address specification.

I cannot reproduce the SOAP errors in the lab, as most SOAP errors are caused by strange reasons. The SOAP protocol provides the messaging framework for configsync communication, and it uses HTTPS to securely transport the configuration data set to the peer BIG-IP system.

Usually, there should not be a connectivity issue if a SOAP error is happening. We do not need to research what "Error reading from secure socket", "Error negotiating secure connection : Connection reset by peer" or "Error negotiating secure connection : Connection timed out" mean; we just need to know these are all SOAP issues.

I searched many old cases and found various situations, summarized below:

1. Web certificate expired, but an expired certificate will not necessarily result in the issue.

2. Some directories like /config, /home, /usr include large files.

3. A unit that includes the ASM module is likely to encounter this issue.

4. Some versions have a bug; they may use "peer" as the destination address but it is not included in /etc/hosts.

5. Wrong config sync IP address. Found a case where the IP was changed to the MGMT address, then the issue was fixed.

6. A case from Hong Kong: the configurations were all OK; the problem was fixed just by using another user as the config sync user (actually, the admin user had no problem).

7. A case from the USA: confirmed the admin passwords were the same on both units, but it always displayed a SOAP error; reset the admin password, then OK.

Here are my research notes:

(1) ——————————————————————————————————

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Error: The peer box is not a redundant pair.

BIGpipe parsing error:

01110034:3: This system needs to be a redundant pair and have a peer address specification.

—->

(if the config sync IP was not defined, or the peer IP cannot be reached, e.g. peer selfip lockdown set to none, peer httpd is not running, or the TCP three-way handshake cannot be completed, or the config sync user name or password is not the same as on the peer unit)

(2) ——————————————————————————————————

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Synchronizing Master Keys…

Saving active configuration…

Configsync Mode: Push

Transferring UCS to peer…

Installing UCS on peer…

SOAPException: ‘Error reading from secure socket’

Transport and install failed

—->

(maybe the UCS file is too big; some folders include large files)

(3) ——————————————————————————————————

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Synchronizing Master Keys…

Saving active configuration…

Configsync Mode: Push

Transferring UCS to peer…

Installing UCS on peer…

SOAPException: ‘Error reading from secure socket’

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

—->

(similar case: cert expired; mostly happened on units that include the ASM module)

(4) ——————————————————————————————————

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Synchronizing Master Keys…

Saving active configuration…

SOAPException: ‘Error negotiating secure connection : Connection reset by peer ‘

Transport and install failed

—->

(one similar case:

Operation Status

Checking configuration on local system and peer system…

Peer’s IP address: 198.18.252.14

Caught SOAP exception: Error negotiating secure connection : Connection reset by peer

Error: There is a problem accessing the peer system.

BIGpipe parsing error:

01110034:3: The configuration for running config-sync is incorrect.

———-> /usr usage is high; delete some files and reboot, OK

)

(5) ——————————————————————————————————

[root@ml7ts007p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.210

Synchronizing Master Keys…

Saving active configuration…

SOAPException: ‘Error negotiating secure connection : Connection reset by peer ‘

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

(6) ——————————————————————————————————

[root@ml7ts003p:Active] config # b config sync

Checking configuration on local box and peer box…

Peer’s IP address: 172.24.170.73

Synchronizing Master Keys…

Saving active configuration…

Configsync Mode: Push

Transferring UCS to peer…

Installing UCS on peer…

SOAPException: ‘Error negotiating secure connection : Connection timed out ‘

Transport and install failed

Error running config sync all.

BIGpipe parsing error:

01110001:3: Error running config sync all

—->

(Microsoft case: wrong config sync IP address. Other cases had large files in the config folder.)
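The failure signatures in the cases above can serve as a first-pass triage step. The shell function below is an added example, not part of the original post or of F5's tooling: it reads captured b config sync output, reports the last stage reached, and lists the checks this page associates with the first error string found. The function names, stage labels and hint wording are assumptions made for illustration, and the sample input is constructed from case (6) with ASCII punctuation.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, stage labels
# and hint wording are made up here; the matched strings and the suggested
# checks come from the cases listed on this page.

# Reads sync output on stdin, prints "<last stage reached>|<checks to run>".
# The body runs in a subshell "( )" so its variables do not leak.
classify_sync_output() (
    stage="not-started"; hint="no known error signature found"; seen=0
    while IFS= read -r line; do
        case "$line" in
            *"Checking configuration"*)      stage="precheck" ;;
            *"Synchronizing Master Keys"*)   stage="master-key" ;;
            *"Saving active configuration"*) stage="local-ucs-save" ;;
            *"Transferring UCS to peer"*)    stage="transfer" ;;
            *"Installing UCS on peer"*)      stage="peer-install" ;;
        esac
        [ "$seen" -eq 1 ] && continue   # keep only the first error signature
        case "$line" in
            *"redundant pair"*)
                hint="sync IP defined? peer reachable on 443? peer httpd up? sync credentials valid on peer?"; seen=1 ;;
            *"Error reading from secure socket"*)
                hint="UCS size and large files in /config /home /usr; web certificate expiry"; seen=1 ;;
            *"Connection reset by peer"*)
                hint="free space on /usr"; seen=1 ;;
            *"Connection timed out"*)
                hint="config sync IP address; large files in config folder"; seen=1 ;;
        esac
    done
    printf '%s|%s\n' "$stage" "$hint"
)

# Constructed sample, modelled on case (6) above with ASCII punctuation.
sample_case6() {
    cat <<'EOF'
Checking configuration on local box and peer box...
Synchronizing Master Keys...
Saving active configuration...
Configsync Mode: Push
Transferring UCS to peer...
Installing UCS on peer...
SOAPException: 'Error negotiating secure connection : Connection timed out '
Transport and install failed
EOF
}

sample_case6 | classify_sync_output
```

The stage is the last progress line printed before the failure, so a stage of local-ucs-save with a SOAP exception means the error occurred after the local UCS was saved and before the transfer was announced.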
