Cowboy Denny
Posted May 4

To utilize WideIPs on the GTM, you will need communication from the GTM to the LTM(s) over port 4353, which is used by iQuery to connect to the Interconnect IP (SelfIP).

As an example, I want to add an F5 LTM with a SelfIP of 10.47.195.229

FIRST verify no FW is blocking iQuery port 4353

    [cowboy@usfnt1slbgtm06:Active:Standalone] ~ # nc -v 10.47.195.229 4353
    Ncat: Version 6.40 ( http://nmap.org/ncat )
    Ncat: Connected to 10.47.195.229:4353.

This confirms no firewall would block iQuery connections, so let's continue.

If you already have the LTM added as a server, let's check to see the iQuery status on the GTM for that LTM

    tmsh show /gtm iquery all

    --------------------------------------------------------
    Gtm::IQuery: 10.47.195.229
    --------------------------------------------------------
    Server                            usfnt1slbdv27.hosangit.corp
    Server Type                       unknown
    Data Center                       San Antonio
    Connection Time                   None
    State                             not-connected
    Connection ID                     0
    Reconnects                        119
    Backlogs                          0
    Bits In                           0
    Bits Out                          0
    Bytes Dropped                     5.5K
    Cert Expiration Date              02/26/29 12:41:53
    Configuration Time                None
    Configuration Commit ID           0
    Configuration Commit Originator   ---
    Local TMOS version                15.1.7
    Remote TMOS version               ---
    Local big3d version               15.1.7.0.0.6
    Remote big3d version              ---
    Cipher Name                       ---
    Cipher Bits                       0
    Cipher Protocol                   ---

It's not connected, so let's dive deeper by reviewing logs.

On the GTM, tail the gtm log (tailf /var/log/gtm) and you’ll get

    May 4 07:10:31 txsat1slbgtm06 iqmgmt_ssl_connect: IP: 10.47.195.229 SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    May 4 07:10:31 txsat1slbgtm06 iqmgmt_ssl_connect: IP: 10.47.195.230 SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

To fix: the cert was out of sync between what's on the LTM and what's on the GTM, so you just need to resync by running

    [root@usfnt1slbgtm06:Active:Standalone] config # tmsh
    root@(usfnt1slbgtm06)(cfg-sync Standalone)(Active)(/Common)(tmos)# run gtm bigip_add 10.47.195.229
    Retrieving remote and installing local BIG-IP's SSL certs ...
    Enter root password for 10.47.195.229 if prompted
    The authenticity of host '10.47.195.229 (10.47.195.229)' can't be established.
    RSA key fingerprint is SHA256:3zjksJDFVYbwd4RWXPjpIlNKMC6zi4SMxDCJuCnF8GI.
    RSA key fingerprint is MD5:06:2d:a6:e5:4f:b7:73:4c:db:70:72:60:4e:6a:8e:77.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.47.195.229' (RSA) to the list of known hosts.
    Password:
    ==> Done <==

Now everything is connected
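Added example, not part of the original post: a shell triage that reads saved `tmsh show /gtm iquery all` output and `/var/log/gtm` lines, lists the iQuery peers that are not connected, and tags each one with whether the log shows the certificate verify failure described above. The function names, the 192.0.2.10 peer and the one-field-per-line layout of the tmsh output are assumptions; the sample input is constructed from the output shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): triage iQuery peers on a GTM.
# Assumes `tmsh show /gtm iquery all` prints one field per line.

# Print "<ip> <state> <reconnects>" for each peer whose State is not "connected".
iquery_down_peers() {
    awk '/^Gtm::IQuery:/   { ip = $2 }
         $1 == "State"      { state = $2 }
         $1 == "Reconnects" { if (state != "connected") print ip, state, $2 }'
}

# Print unique peer IPs that logged an iQuery certificate verification failure.
iquery_cert_failures() {
    awk '/iqmgmt_ssl_connect:/ && /certificate verify failed/ {
             for (i = 1; i < NF; i++) if ($i == "IP:") print $(i + 1)
         }' | sort -u
}

# $1 = saved iquery output, $2 = gtm log. Tag each down peer with a likely cause.
iquery_cert_triage() {
    fails=$(iquery_cert_failures < "$2")
    iquery_down_peers < "$1" | while read -r ip state reconnects; do
        cause=unknown
        printf '%s\n' "$fails" | grep -qxF "$ip" && cause=cert-verify-failed
        echo "$ip state=$state reconnects=$reconnects cause=$cause"
    done
}

# Constructed sample input in the format shown in the post.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/iquery.txt" <<'EOF'
Gtm::IQuery: 10.47.195.229
  Server                usfnt1slbdv27.hosangit.corp
  State                 not-connected
  Reconnects            119
Gtm::IQuery: 192.0.2.10
  Server                example-ltm.invalid
  State                 connected
  Reconnects            0
EOF
cat > "$demo_dir/gtm.log" <<'EOF'
May  4 07:10:31 txsat1slbgtm06 iqmgmt_ssl_connect: IP: 10.47.195.229 SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
May  4 07:10:31 txsat1slbgtm06 iqmgmt_ssl_connect: IP: 10.47.195.230 SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
EOF
iquery_cert_triage "$demo_dir/iquery.txt" "$demo_dir/gtm.log"
```

A peer tagged `cause=cert-verify-failed` matches the symptom the post resolves with `bigip_add`; `cause=unknown` means the log lines checked here do not explain the disconnect.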