Manual Chapter : Determine DNS Sync Group Health

Applies To:

BIG-IQ Centralized Management

  • 5.3.0

How do I check my sync group health?

Using the tools available on the BIG-IP® user interface, it can be difficult to determine the health of your DNS sync groups. When you use F5® BIG-IQ® Centralized Management to manage your DNS sync groups, the task becomes quite straightforward. You can do a quick health check, diagnose health issues, and even set up an alert to notify you if a sync group health issue occurs.

Check DNS sync group health

Before you can monitor the sync group health, you must add a BIG-IP® device configured in a DNS sync group to the BIG-IP Devices inventory list, and import the LTM® and DNS services.
When you use F5® BIG-IQ® Centralized Management to manage your DNS sync group, you can monitor the health status of the group. Sync group health relies on complete alignment of a variety of device configuration elements. Using BIG-IQ simplifies the process of determining the health of your DNS sync groups.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IQ CLUSTERS > DNS Sync Groups .
    The screen displays the list of DNS sync groups defined on this device. A health indicator icon and a message describe the status of each group.
  3. To view the general properties for a sync group, click the sync group name.
    Note: For a list of Health Status error messages, refer to DNS sync group messages.
    The screen displays the properties for the selected group. This screen shows an overview of your DNS sync group health. Under Status, you can see the current state (for example, Required Services Down, or Health Check(s) Passed) for each device in the group.
  4. To view the health for an individual sync group member, click Health .
    The Health screen displays detailed information for each factor that contributes to the health of a DNS sync group. Following a definition of each factor, a Status row provides additional detail. For each indicator, the most serious issues impacting that indicator are listed first. Finally, if the status for a health indicator is not Health Check(s) Passed, the Recommended Action setting describes what you can do to correct the issue.
  5. Resolve any reported issues on the managed devices, and then return to the DNS Sync Groups screen and click Refresh Status.
    Once you resolve all reported issues, the status for the DNS sync group changes to Health Check(s) Passed.

DNS sync group status messages

When BIG-IQ® Centralized Management completes health checks for a DNS sync group, an icon and a message display to indicate the current status. There are four icons, each with its own associated meaning.

Table 1. Health indicator icons
Icon color and meaning:
  • Green: Indicates that all health checks passed satisfactorily.
  • Blue: Indicates that the health status is unknown or uncertain.
  • Yellow: Indicates a warning, or that the group health is sub-optimal.
  • Red: Indicates that a critical issue was found.

Table 2. Health indicator messages
Message Health indicator color Description Corrective Action
Awaiting Sync Yellow

When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP® device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.

Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.

Related Solutions:

SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Certificate Expired Red

BIG-IP DNS uses the device's Apache server certificate as the server certificate when establishing iQuery® connections. If this certificate expires, then all iQuery communication to and from this device is prevented. This indicator informs the DNS admin when one of the devices in a sync group has a device certificate that is near expiration, or is currently expired.

This indicator only validates the expiration on the server certificate for each device. It does not examine the traffic certificates used in SSL profiles or DNSSEC certifications.

Renew the device certificate or import a new certificate.

Related Solutions:

SOL6353: Updating an SSL device certificate on a BIG-IP system.
Certificates Expiring Yellow

The device certificate for this BIG-IP DNS device is near expiration. If the certificate expires, this BIG-IP DNS device will not be able to communicate with other BIG-IP devices using the iQuery protocol.

Either renew the device certificate or import a new certificate.
Changes Pending Yellow

When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.

Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.

Related Solutions:

SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Collecting Data Blue

Either the certificate has not yet been discovered by BIG-IQ or the device is unreachable. If the certificate is the issue, the needed data should be collected automatically. If this condition persists, check the BIG-IQ logs for any error messages.

If the device is unreachable, determine why BIG-IQ cannot contact the BIG-IP device. There could be network issues, the device could be offline, or the BIG-IQ Restjavad service could be down.

Incompatible Device Versions Red

A GTM sync group consists of one or more GTM devices. For sync to perform correctly, each device must have the same base version of TMOS installed. To determine the version of TMOS, view the version component of the output of tmsh show sys version.

Upgrade all BIG-IP devices in the sync group to the same version.

Related Solutions:

SOL8759: Displaying the BIG-IP Software Version.

SOL13734: BIG-IP DNS synchronization group requirements.
Member Sync Disabled Red

BIG-IP DNS devices have properties to control which sync group a device belongs to, and whether synchronization is enabled. A device can be a member of a sync group, but have synchronization disabled. Changes made on a device on which synchronization is disabled cannot sync to the other devices. F5 recommends not having sync groups with synchronization disabled on some of the devices. We also recommend not making changes on devices if synchronization is disabled.

Enable synchronization on all devices in the group.

Related Solutions:

SOL13734: BIG-IP DNS synchronization group requirements.
Required Services Down Red

For the BIG-IP DNS devices to be able to sync configuration changes, the following services (daemons) must be running on all the devices in the sync group:

  • mcpd
  • gtmd
  • big3d
  • tmm

If any of these services is down, then configuration will not sync between the devices in the sync group. The sync group health is primarily concerned with reporting the health of only the sync group itself; not the health of the functionality provided by each device in the sync group.

Start any stopped services.

Related Solutions:

SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons.
Server Object Missing Red

On the BIG-IP device, the DNS server objects define the IP address on which iQuery connections are made. There must be a server object for every DNS device in the sync group so that they can establish the necessary connections. This indicator validates that all devices have a server object, and that the necessary ports are open to allow the iQuery communication that happens over port 4353.

Verify that the DNS server objects have an associated self IP address.

Related Solutions:

SOL13734: BIG-IP DNS synchronization group requirements.
Syncing Changes Yellow

When considering the health of a DNS sync group, the single most important indicator of health is whether the devices in the sync group have the same configuration in the master control program (MCP) daemon. MCP stores the configuration information for the BIG-IP device. If the configuration is not the same (for devices in the sync group and MCP), then the devices could handle traffic differently, depending on what the configuration differences are.

Recommended Action: Wait a few minutes for synchronization to each member to occur. If synchronization does not complete, refer to the troubleshooting solution.

Related Solutions:

SOL13690: Troubleshooting BIG-IP GTM synchronization and iQuery connections.
Unknown Device Availability Blue

The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy.

If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group.

Determine and fix loss of device availability.

Related Solutions:

SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons.
Unreachable Devices Red

The BIG-IQ device must collect data from each device in a sync group to be able to determine if the overall sync group is healthy. If BIG-IQ cannot reach one of the devices, then it cannot detect changes that make the overall group unhealthy.

If a device cannot be reached, then the group is marked as unhealthy because there is no other way to know the health of the group.

Determine and fix loss of device availability.

Related Solutions:

SOL13690: Troubleshooting BIG-IP DNS synchronization and iQuery connections Troubleshooting daemons.

How do I set up an alert for DNS sync group issues?

You can configure a BIG-IQ® SMTP alert to send email notifications when specific DNS sync group issues occur.

The following issues can trigger an alert:

  • A new health status is generated for a DNS sync group. For instance, you might have just discovered a new sync group.
  • The overall health status changes. For example, a device group that was healthy becomes unhealthy.
  • The primary indicator (the most significant reason for the group's current health status) changed. (For example, the group is still unhealthy, but the reason is different than before.)

You enable or disable DNS alerts from the System Management > Alerts screen. For detailed instructions on creating an SMTP alert, refer to How do I set up BIG-IQ to work with SMTP? in the F5 BIG-IQ Centralized Management: Licensing and Initial Setup guide on support.F5.com.
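
The health indicators in Table 2 and the three alert triggers listed above can be modelled as a small rule evaluator. This is an added example, not BIG-IQ code or an F5 API: the record fields, the 30-day expiry warning window, the use of the top finding's color as the overall status, and all sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_SERVICES = {"mcpd", "gtmd", "big3d", "tmm"}  # daemons listed on the page
SEVERITY = {"Red": 0, "Yellow": 1, "Blue": 2, "Green": 3}  # most serious first
EXPIRY_WARNING = timedelta(days=30)  # assumption: the page states no threshold

def evaluate_group(members, now):
    """Return (message, color) findings for one sync group, most serious first."""
    findings = set()
    reachable = [m for m in members if m["reachable"]]
    if len(reachable) < len(members):
        findings.add(("Unreachable Devices", "Red"))
    if len({m["version"] for m in reachable}) > 1:
        findings.add(("Incompatible Device Versions", "Red"))
    for m in reachable:
        if REQUIRED_SERVICES - set(m["running"]):
            findings.add(("Required Services Down", "Red"))
        if not m["sync_enabled"]:
            findings.add(("Member Sync Disabled", "Red"))
        remaining = m["cert_not_after"] - now
        if remaining <= timedelta(0):
            findings.add(("Certificate Expired", "Red"))
        elif remaining <= EXPIRY_WARNING:
            findings.add(("Certificates Expiring", "Yellow"))
    if not findings:
        return [("Health Check(s) Passed", "Green")]
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))

def alert_reason(previous, current):
    """Map a status transition onto the three alert triggers listed above."""
    if previous is None:
        return "new health status"
    if previous[0][1] != current[0][1]:  # assumption: overall status = top color
        return "overall health status changed"
    if previous[0][0] != current[0][0]:
        return "primary indicator changed"
    return None

def member(**overrides):
    """Constructed sample device record; every value here is made up."""
    base = {"reachable": True, "version": "13.1.0", "sync_enabled": True,
            "running": {"mcpd", "gtmd", "big3d", "tmm"},
            "cert_not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
    return {**base, **overrides}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    before = evaluate_group([member(), member()], now)
    after = evaluate_group([member(), member(running={"mcpd", "tmm"})], now)
    print(before, after, alert_reason(before, after))
```

Running the same evaluation against facts gathered independently of BIG-IQ gives a second opinion when the console reports Collecting Data or Unknown Device Availability.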