F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

ConfigSync and FailoverUnicast provisioning is incorrect for 1NIC deployments #42

Closed jgruber closed 4 years ago

jgruber commented 5 years ago

DO validation will produce the mcpd error: "The configsync and management IP addresses cannot be the same.", which is simply not true for 1NIC deployments. ConfigSync declaration is required to use device groups for config sync and trusts (not failover cluster which is not supported in 1NIC).

In order to set the ConfigSync and FailoverUnicast addresses to the management IP within your DO declaration, you must:

  1. set the db variable provision.1nicautoconfig to disable
  2. set the db variable provision.1nic to forced_enable
  3. set the https ssl-port to 8443 (tmsh modify sys httpd ssl-port 8443)
  4. set the self IP service allow to include tcp:8443 (tmsh modify net self-allow defaults add { tcp:8443 })
  5. create the internal VLAN (tmsh create net vlan internal mtu 1450 interfaces replace-all-with { 1.0 } tag 4094)
  6. discover the mgmt IP CIDR (ip addr show mgmt)
  7. discover the mgmt default gw (route -n)
  8. disable mgmt DHCP (tmsh modify sys global-settings mgmt-dhcp disabled)
  9. create the mgmt configuration statically (tmsh create sys management-ip [mgmt CIDR])
  10. create the mgmt gw statically (tmsh create sys management-route default gateway [mgmt gw])
  11. use the discovered mgmt IP CIDR to create the self_1nic SelfIP (tmsh create net self self_1nic { address [mgmt CIDR] allow-service default vlan internal })
  12. use the discovered mgmt default route to add a default TMM route (tmsh create net route default network default gw [mgmt default route gw])

This is the TMOS supported way to allow this configuration. All of which can be done via iControl REST, so once 1NIC is discovered, these steps can be handled totally within DO.

Once these steps are properly provisioned, you can proceed to handle your DO declaration.

These steps are not 'bootstrapping' as the bootstrapping for 1NIC was done via DHCP for TMOS and are only required to make a perfectly valid TMOS configuration possible using a DO declaration.

Alternatively, we can just say DO doesn't support 1NIC with config sync'ing, but that would basically knock DO from being used for all of our major WAF 1NIC deployments (NFV WAF service tier).
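The twelve-step workaround above, carried through as an added example (it is not code from this issue or from the Declarative Onboarding project): two small parsers take the place of the discovery steps 6 and 7 by reading constructed sample output of `ip addr show mgmt` and `route -n`, a sanity check refuses a gateway that is not inside the discovered mgmt subnet, and the remaining steps are emitted as an ordered list of tmsh commands with the discovered values filled in. The `modify sys db ... value ...` spelling of steps 1 and 2 and the `POST /mgmt/tm/util/bash` wrapper used to push each command over iControl REST are my assumptions about the tmsh and REST surface, not something the issue states.

```python
import ipaddress
import re
import shlex

# Constructed sample output standing in for `ip addr show mgmt` on a 1NIC BIG-IP (step 6).
SAMPLE_IP_ADDR = """\
3: mgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:42:0a:00:01:05 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.5/24 brd 10.0.1.255 scope global mgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::42:aff:fe00:105/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample output standing in for `route -n` (step 7).
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 mgmt
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 mgmt
"""


def parse_mgmt_cidr(ip_addr_output):
    """Step 6: pull the IPv4 address/prefix of the mgmt interface out of `ip addr show mgmt`."""
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+/\d+) .*\bmgmt\b", ip_addr_output, re.M)
    if not m:
        raise ValueError("no IPv4 address found on the mgmt interface")
    # ip_interface() validates the value and normalizes it to "a.b.c.d/len".
    return str(ipaddress.ip_interface(m.group(1)))


def parse_default_gateway(route_n_output, iface="mgmt"):
    """Step 7: find the default route (0.0.0.0/0.0.0.0) that leaves via the mgmt interface."""
    for line in route_n_output.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "0.0.0.0" and f[2] == "0.0.0.0" and f[7] == iface:
            return str(ipaddress.ip_address(f[1]))
    raise ValueError("no default route via %s" % iface)


def onenic_tmsh_commands(mgmt_cidr, mgmt_gw):
    """Steps 1-5 and 8-12 as tmsh commands (without the leading `tmsh`), in the order
    the workaround requires. Steps 6 and 7 are the parsers above."""
    iface = ipaddress.ip_interface(mgmt_cidr)
    gw = ipaddress.ip_address(mgmt_gw)
    # A gateway outside the mgmt subnet would leave the box unreachable once DHCP is off.
    if gw not in iface.network:
        raise ValueError("gateway %s is not inside %s" % (gw, iface.network))
    return [
        "modify sys db provision.1nicautoconfig value disable",       # 1 (assumed syntax)
        "modify sys db provision.1nic value forced_enable",           # 2 (assumed syntax)
        "modify sys httpd ssl-port 8443",                             # 3
        "modify net self-allow defaults add { tcp:8443 }",            # 4
        "create net vlan internal mtu 1450 interfaces replace-all-with { 1.0 } tag 4094",  # 5
        "modify sys global-settings mgmt-dhcp disabled",              # 8
        "create sys management-ip %s" % iface,                        # 9
        "create sys management-route default gateway %s" % gw,        # 10
        "create net self self_1nic { address %s allow-service default vlan internal }" % iface,  # 11
        "create net route default network default gw %s" % gw,        # 12
    ]


def icontrol_bash_payload(tmsh_cmd):
    """Request body for POST /mgmt/tm/util/bash that runs one tmsh command (assumed endpoint).
    shlex.quote keeps the braces and spaces in the tmsh syntax intact inside `-c '...'`."""
    return {"command": "run", "utilCmdArgs": "-c " + shlex.quote("tmsh " + tmsh_cmd)}


def onenic_rest_plan(ip_addr_output, route_n_output):
    """Discover the mgmt values, then return the ordered (path, body) pairs DO would send."""
    cidr = parse_mgmt_cidr(ip_addr_output)
    gw = parse_default_gateway(route_n_output)
    return [("/mgmt/tm/util/bash", icontrol_bash_payload(c)) for c in onenic_tmsh_commands(cidr, gw)]


if __name__ == "__main__":
    for path, body in onenic_rest_plan(SAMPLE_IP_ADDR, SAMPLE_ROUTE_N):
        print("POST", path, body["utilCmdArgs"])
```

Run as-is it only prints the plan derived from the constructed samples; on a real device the two sample strings would be replaced by the output of the discovery commands and each payload sent with the device's iControl REST credentials.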

jgruber commented 5 years ago

This has nothing to do with mgmt port and the license activation process.

This is mcpd error saying ConfigSync IP address can not be the same as the mgmt IP address, when it can be. I listed the multistep workaround to make this work.

focrensh commented 5 years ago

AT-454 for tracking

seattlevine commented 5 years ago

We're getting conflicts between our internal bug tracking system and GitHub. Our internal system also has an issue 42 which relates to the targetPort and when licensing from BIG-IQ license pools.

snowblind- commented 4 years ago

+1 - Hit this trying to cluster a couple 14.1 1-nic devices. Need to re-architect to work around. Not sure customer's appetite for non-1nic solution.

dstokesf5 commented 4 years ago

This was resolved in the 1.11.0 release.