Last Modified: Mar 21, 2019
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 12.1.4
Opened: Jan 27, 2014
Related AskF5 Article: K32528500
When the sync-failover device group is set to manual sync, the remote synchronization of the device_trust_group can fail if the local operations are not executed and manually synced appropriately.
Failed device trust group syncs on remote devices where the config changes were not initiated.
Here is an example of the issue:
-- TG1 is a traffic group configured to use HA_ORDER as its failover mechanism. TG1's HA_ORDER list includes DEV1, DEV2, and DEV3.
-- You want to remove DEV3 from the sync-failover group from device DEV1.
-- Validation running on DEV1 prevents you from doing so until you remove DEV3 from the TG1 HA_ORDER list.
-- Here is the conflict: Removing a device from a sync-failover group is part of the device_trust_group, which always syncs automatically. However, when manual sync is configured for the sync-failover group, the traffic-group operation (removing DEV3 from TG1's HA_ORDER) is synced as part of a manual sync operation.
-- After removing DEV3 from TG1's HA_ORDER, the configurations don't match: DEV1's TG1 HA_ORDER list does not contain DEV3, but the lists on the other trust-group members do. If you don't manually sync now, before trying to remove DEV3 from DEV1's sync-failover group, remote trust-group sync will fail (because of the automatic sync that is part of device-trust configuration changes).
Note: Any similar operation in which the operation that is required to allow a modification of membership of the trust elements is executed and not synced will cause device_trust_group sync failure.
To prevent this issue, remove the device from the HA_ORDER list in the traffic group and immediately do a manual sync. Then remove the device from the sync-failover group. Note: It is recommended to not use manual sync-failover groups, but if you do, make sure you immediately sync when configurations have dependencies.
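The workaround order as a script, added here as an example (it is not F5's own code). The traffic-group, device-group and device names are constructed placeholders, and the tmsh command forms are assumed; check them against the tmsh reference for your version. By default it only prints the commands.

```shell
#!/bin/sh
# Added example: enforce the workaround order for a manual-sync
# sync-failover group. All object names below are constructed placeholders.

# Execute a command, or only print it when DRY_RUN=1 (the default).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# remove_ha_member TRAFFIC_GROUP DEVICE_GROUP DEVICE_TO_REMOVE REMAINING_DEVICE...
remove_ha_member() {
    if [ "$#" -lt 4 ]; then
        echo "usage: remove_ha_member TG DG DEVICE REMAINING..." >&2
        return 2
    fi
    tg=$1; dg=$2; leaving=$3
    shift 3

    # Refuse a new HA order that still lists the device being removed;
    # validation on the device would reject the later group change anyway.
    for d in "$@"; do
        if [ "$d" = "$leaving" ]; then
            echo "error: $leaving is still in the new ha-order" >&2
            return 1
        fi
    done

    # 1. Take the device out of the traffic group's HA order.
    run tmsh modify cm traffic-group "$tg" ha-order "{" "$@" "}" || return 1

    # 2. Immediately push that change to the group. Stop if the sync fails,
    #    so the automatic device_trust_group sync never runs against peers
    #    whose HA order still contains the device.
    run tmsh run cm config-sync to-group "$dg" || return 1

    # 3. Only now remove the device from the sync-failover group.
    run tmsh modify cm device-group "$dg" devices delete "{" "$leaving" "}"
}

# Dry-run demo with the names used in the example above (DEV1..DEV3, TG1);
# "sync_failover_dg" is a constructed device-group name.
remove_ha_member TG1 sync_failover_dg DEV3 DEV1 DEV2
```

Set `DRY_RUN=0` to execute the commands on the device where the change is initiated.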
A confirmation prompt has been added to the device group delete device operation when the HA system is not in sync.