To ensure that your SSL Orchestrator HA deployment succeeds, it is critical that each deployment step, along with its assumptions and dependencies, is closely followed on both boxes. In addition, adhere to all prerequisites: if the systems in the device group are not configured consistently, the deployment synchronization process may fail.
It is also critical to test the deployment after configuration, as some failures may not be reported in the UI.
Make sure you have the latest version of SSL Orchestrator. This will establish the version that will later appear on your other BIG-IP® HA peer device. After downloading the latest version of the SSL Orchestrator zip file from downloads.F5.com, return to your SSL Orchestrator configuration utility. See the section Update the SSL Orchestrator version for more detailed installation instructions.
Later, after a successful SSL Orchestrator HA deployment, you should verify that the same version appears on the BIG-IP HA peer device.
On the Active device, specify the settings for VLAN HA and self IP addresses. If needed, configure all devices involved in the high availability group for HA.
Before creating the device group, you should configure the configuration synchronization (ConfigSync) and Failover IP addresses for each BIG-IP® system in the device group. The ConfigSync address is the IP address that the system uses when synchronizing configuration with peer devices, and the Failover address is the IP address that the system uses for network failover.
Any BIG-IP® devices that you intend to add to a device group must first be members of the same local trust domain. When a BIG-IP device joins the local trust domain, it establishes a trust relationship with peer BIG-IP devices that are members of the same trust domain. For example, if you are creating a device group with two members, you must log in to one of the devices and join the other device to that system's local trust domain. The devices can then exchange their device properties and device connectivity information.
This task establishes failover capability between two or more BIG-IP® devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.
This task synchronizes the BIG-IP® configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
You have now completed your SSL Orchestrator high availability deployment. Next, set up a basic configuration for deployment on your Active device.
Refer to the "Setting Up a Basic Configuration" section for detailed instructions on completing the basic configuration on your Active device.
After deploying your configuration on the Active device, the configuration is automatically synchronized with all of the other devices in the device group. Since some errors may not be apparent, it is critical that you thoroughly test and diagnose the success or failure of the deployment. The following steps can be taken to test the system.
Even though the potential for SSL Orchestrator HA deployment failure is low, thorough verification is recommended. If your HA deployment fails, attempt:
Verify that all expected and required virtuals, profiles, and BIG-IP® LTM and network objects (route-domains, VLANs, self IPs) have been created on each device in the HA device group. These will be items beginning with the name given to the application (for example, if the application was named SSLO, verify that all of the items named SSLO_* are the same on all boxes). Ensure that the .rpm files are in sync, verify deployment with or without services, and review the following logs for failures:
After a successful SSL Orchestrator HA deployment, verify that the latest version of the SSL Orchestrator zip file is installed on both devices.
If the versions are not identical, you must install an updated .rpm file and verify that both boxes are identically configured.
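One way to carry out the object check described above (items beginning with the application name must match on every device), as an added example that is not part of the F5 documentation: it compares saved `tmsh list ... one-line` output from two peers and reports prefixed objects present on only one of them. The listings are constructed samples, the record shape `<module> <type> <name> { ... }` is an assumption about the saved output, and only object names are compared, not their settings.

```python
import re
from collections import defaultdict

# Start of one record: "<module> <type...> <name> {" (assumed one-line shape).
RECORD = re.compile(r"^(?P<kind>[a-z][a-z\- ]*?)\s+(?P<name>\S+)\s+\{")

# Constructed sample listings, standing in for output saved from each peer.
ACTIVE = """\
ltm virtual /Common/SSLO.app/SSLO_in_t { destination 0.0.0.0:any }
ltm virtual /Common/SSLO.app/SSLO_in_u { destination 0.0.0.0:any }
ltm profile client-ssl /Common/SSLO.app/SSLO_cssl { defaults-from clientssl }
net vlan SSLO_svc_vlan { tag 100 }
net vlan internal { tag 10 }
"""
STANDBY = """\
ltm virtual /Common/SSLO.app/SSLO_in_t { destination 0.0.0.0:any }
ltm profile client-ssl /Common/SSLO.app/SSLO_cssl { defaults-from clientssl }
net vlan internal { tag 10 }
"""

def inventory(listing, prefix):
    """Return {object kind: set of names} for names starting with prefix."""
    found = defaultdict(set)
    for line in listing.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        # Drop any folder path (/Common/SSLO.app/...) before testing the prefix.
        name = m.group("name").rsplit("/", 1)[-1]
        if name.startswith(prefix):
            found[m.group("kind")].add(name)
    return found

def compare(active, standby, prefix):
    """Return {kind: (only_on_active, only_on_standby)} for kinds that differ."""
    a, s = inventory(active, prefix), inventory(standby, prefix)
    drift = {}
    for kind in sorted(set(a) | set(s)):
        only_a, only_s = a[kind] - s[kind], s[kind] - a[kind]
        if only_a or only_s:
            drift[kind] = (sorted(only_a), sorted(only_s))
    return drift

if __name__ == "__main__":
    for kind, (only_a, only_s) in compare(ACTIVE, STANDBY, "SSLO_").items():
        print(f"{kind}: only on active {only_a}, only on standby {only_s}")
```

An empty result means every prefixed object name was found on both peers; any entry names the object type and the device it is missing from.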