Wide IPs are down due to device certificate expiration on F5 Link Controller:

Issue:

Wide IPs go down when the F5 device's internal device certificate expires.

Alerts:

DeviceA alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP 10.1.1.1
Device A err gtmd[13073]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
Device A alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP 192.168.1.1

Cause:

The internal F5 device certificates have expired.

Solution:

A.

  1. Log in to the standby F5 device
  2. Go to System  ››  Device Certificates : Device Certificate
  3. Click on Renew
  4. Update the validity to 3650 days (or according to your requirement)
  5. Click Finished

Repeat steps 1 to 5 on the active device.

B. Now log in to the active device through the CLI and run the command below.

bigip_add <peer IP>

The bigip_add script uses the SSH protocol to exchange iQuery SSL certificates with the remote BIG-IP system.

The bigip_add script appends the local BIG-IP DNS system’s SSL certificate to the remote BIG-IP system’s list of authorized certificates.

C. Now log in to the standby device through the CLI and run the command below.

bigip_add <peer IP>

Once the internal device certificates have been exchanged, the wide IPs return to available status.
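To see which peers gtmd reports with an expired big3d certificate, and to confirm the alerts stop after the exchange, the alert lines shown above can be summarised from the log. This is an added example, not part of the original post; the function names and the sample log lines are constructed here, and the path of the log to scan is passed as an argument.

```shell
#!/bin/bash
# Added example: summarise gtmd certificate alerts (not from the original post).

# Constructed sample lines in the format of the alerts quoted above.
sample_log() {
    cat <<'EOF'
DeviceA alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP 10.1.1.1
DeviceA err gtmd[13073]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
DeviceA alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP 192.168.1.1
DeviceA alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP 10.1.1.1
DeviceA notice gtmd[13073]: constructed unrelated line mentioning IP 172.16.0.9
EOF
}

# Print "<count> <ip>" for every peer named in a
# "big3d SSL cert EXPIRED at IP <addr>" alert (reads files or stdin).
expired_big3d_peers() {
    awk '
        /gtmd\[[0-9]+\]:/ && /big3d SSL cert EXPIRED at IP / {
            ip = $NF                       # the address is the last field
            # accept only dotted-quad IPv4 so stray text is never echoed
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) seen[ip]++
        }
        END { for (ip in seen) print seen[ip], ip }
    ' "$@" | LC_ALL=C sort -k2,2
}

# Count iQuery connections that failed certificate verification.
iquery_verify_failures() {
    awk '/iqmgmt_ssl_connect: SSL error:/ && /certificate verify failed/ { n++ }
         END { print n + 0 }' "$@"
}

# With no arguments, run against the constructed sample; otherwise scan the
# log file(s) given on the command line.
if [ "$#" -eq 0 ]; then
    sample_log | expired_big3d_peers
    echo "verify failures: $(sample_log | iquery_verify_failures)"
else
    expired_big3d_peers "$@"
    echo "verify failures: $(iquery_verify_failures "$@")"
fi
```

Each listed address is a peer that still needs its certificate renewed and exchanged with bigip_add; an empty list on new log entries after step C indicates the exchange worked.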
