
F5 Blog


Entries in this blog

How to Decrypt SSL Traffic on LTM

For this to work you need to decrypt the traffic as it comes in. It's too late if you did a capture and all the traffic is encrypted. So this entry is for those of you that would like to do some work ahead of time on the F5 and then have the user do some application testing while you are running a tcpdump. In many cases for me, I have only needed to do this on our DMZ LTM, which is where our F5 works as an SSL Bridge.

SETUP

Put the source IPs in a txt file. I'm calling mine /var/t

Cowboy Denny

Using ssldump on F5

You can use the ssldump utility to examine, decrypt, and decode SSL-encrypted packet streams managed by the BIG-IP system. The ssldump utility can act on packet streams real-time as they traverse the system, or on a packet capture file saved in the libpcap format, such as that produced by the tcpdump utility. Although it is possible for the ssldump utility to decode and display live traffic real-time as it traverses the BIG-IP system, it is rarely the most effective method to examine the volumin

Cowboy Denny

LTM Migration compare OLD to NEW

When migrating you want to make sure you don't miss anything, so here are a few commands that I run to help me make sure what was on the old is on the new.

CONFIGURATION PHASE

Virtual Servers

First objective is to check to make sure all the Virtual Servers are present. If you aren't changing IP addresses then all I grab is the destination field, since in many cases the name and/or partition may change. For example we are moving to deploying all our Virtual Servers using JSON forma

guru

Bash Script to export VS-CPFL-CRT-CIPHERs

Here is a very helpful script that can be used to export Virtual Server Profile Certificate Ciphers. I personally create a file called: show-vs-cpfl-cert-ciphers.sh

Then I make it executable: chmod 755 show-vs-cpfl-cert-ciphers.sh

Now copy the code below and paste it in the new file

#!/bin/bash
# Search /config and sub directories (partitions) for bigip.conf files
LIST=`find /config -name bigip.conf | xargs awk '$2 == "virtual" {print $3}' 2>

guru
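The two posts above (the migration compare and the VS/profile export script) both boil down to pulling fields out of bigip.conf with awk. The script below is an added example, not the blog's script: it parses a constructed bigip.conf-style text (sample virtual servers, addresses and profile names are made up), prints each virtual server with its destination and client-ssl profile, and then lists destinations that exist on the OLD box but not on the NEW one, ignoring name and partition the way the migration post suggests. On a real box you would feed it the output of `find /config -name bigip.conf` instead of the embedded samples.

```shell
#!/bin/bash
# Added example (not from the blog): parse bigip.conf blocks and compare
# OLD vs NEW by destination only. Sample configs below are constructed.
set -eu

OLD_CONF=$(cat <<'EOF'
ltm virtual /Common/vs_app1_443 {
    destination /Common/10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/clientssl_app1 {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    source-address-translation {
        type automap
    }
}
ltm virtual /Common/vs_app2_80 {
    destination /Common/10.1.1.20:80
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
EOF
)

# Same app1 moved to another partition and renamed; app2 was never migrated.
NEW_CONF=$(cat <<'EOF'
ltm virtual /Prod/app1_https {
    destination /Prod/10.1.1.10:443
    ip-protocol tcp
    profiles {
        /Prod/clientssl_app1 {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
EOF
)

# Read bigip.conf text on stdin; print "<vs> <destination> <client-ssl|->"
# per virtual server. The "ltm virtual <name> {" line carries the name in
# $3 (the same field the blog's awk prints); the block ends at a "}" in
# column 0, so nested profile/SNAT blocks do not terminate it early.
vs_summary() {
    awk '
        $1 == "ltm" && $2 == "virtual"                   { vs = $3; dest = "-"; ssl = "-"; prof = "" }
        vs != "" && $1 == "destination"                  { dest = $2 }
        vs != "" && $0 ~ /^ *\/[^ ]+ \{/                 { prof = $1 }
        vs != "" && $1 == "context" && $2 == "clientside" { ssl = prof }
        vs != "" && $0 ~ /^\}/                           { print vs, dest, ssl; vs = "" }
    '
}

# $1 = OLD conf text, $2 = NEW conf text. Prints destinations (IP:port with
# the partition prefix stripped) that exist on OLD but not on NEW.
missing_on_new() {
    {
        printf '%s\n' "$2" | vs_summary | awk '{ print "new", $2 }'
        printf '%s\n' "$1" | vs_summary | awk '{ print "old", $2 }'
    } | awk '
        { sub(/^\/[^\/]+\//, "", $2) }          # /Common/10.1.1.10:443 -> 10.1.1.10:443
        $1 == "new" { seen[$2] = 1; next }
        !($2 in seen) { print $2 }
    ' | sort -u
}

# Count of virtual servers in a conf text (handy as a first sanity check).
vs_count() {
    printf '%s\n' "$1" | vs_summary | awk 'END { print NR }'
}

if [ "${1:-}" = "run" ]; then
    echo "OLD:"; printf '%s\n' "$OLD_CONF" | vs_summary
    echo "NEW:"; printf '%s\n' "$NEW_CONF" | vs_summary
    echo "Missing on NEW:"; missing_on_new "$OLD_CONF" "$NEW_CONF"
fi
```

Run it with `./compare.sh run` to see both summaries and the missing list. Because the comparison keys on the destination only, a renamed or re-partitioned virtual server is not flagged; anything that still shows up in "Missing on NEW" is genuinely absent and needs a look before the legacy box is disabled.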

AWAF Policies

Trying to migrate an LTM from old school to doing it via JSON, and this particular LTM has AWAF Resource Provisioned, so that's what makes it difficult AND we are running version 15.x which only supports exporting policies into XML. In newer versions (16.x and 17.x) the AWAF policies can be exported into JSON format. We exported the policies and imported them and now when you go to a child policy and you want to update it, the settings are grayed out like shown here. But it used to loo

guru

Deploy unavailable Virtual Server via AS3 JSON

I am migrating from an End Of Life hardware to a new vCMP Guest and with the migration I am deploying all the applications using JSON and AS3 (through BIGiQ). So we would like all the applications to be staged on the F5 in a disabled state and as we migrate each application with the team on the phone for verification, I just want to make the change in JSON and push to the F5 and disable the Virtual Server on the legacy EoL box and BOOM, live traffic on new box. Why disabled state?  I d

rev.dennis

iQuery issues troubleshooting

REQUIREMENTS: For the BIG-IP DNS synchronization group members to properly synchronize their configuration settings, verify that the following requirements are in place:

BIG-IP DNS synchronization group members must be running the same software version. A BIG-IP DNS device should be running the same software version as other members in the synchronization group. BIG-IP DNS devices that are running different software versions will not be able to communicate and properly synchro

guru

Unable to Redirect using Policy

Ran into an issue last night where I had to redirect https://example.thezah.com/ to https://example.thezah.com/?idp_id=two. Attempted a few different ways of redirecting the URI in the Policy and none of them worked. Ran into a few issues... When creating the Redirect_URI policy under the do the following: Replace - HTTP URI - path with value /?idp_id=two at request time. What would happen is when you enter the value /?idp_id=two and save, F5 would change it to

guru

Using BIG-IQ to troubleshoot

If you have BIG-IQ in your environment to help manage/monitor your applications then let me help you understand how to use some cool features of BIG-IQ. Many times you have several F5's in your environment and trying to identify which F5 has the application you need to troubleshoot is kind of a pain in the butt unless you have BIG-IQ. The first thing I do if someone says they have an issue with their application is ask for the FQDN or the URL that is having issues. Next thing I do is

guru

Send BIG-IQ logs to Splunk

Need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5s running AWAF. First, setting up logging was pretty easy to do: System Tab – Audit Log – Syslog Servers. Enter NAME and IP address of syslog servers and TCP 514. NOTE: I tried the newer rfc5424 and got nothing in Splunk so have to leave the old school rfc3164. Next, found some interesting articles https://techdocs.f5.com/kb/en-us

rev.dennis

Unable to remove device due to linked applications

So you are in BIG-IQ and for some reason or another BIG-IQ is asking you to remove the device and add it back in to re-establish trust, but wait.. you can’t because Applications are linked to that device. Here are some steps to follow to remove an application. So say you are trying to remove the LTM service from a device and it's saying you can’t remove the device because this application is linked to it: t_10.47.32.9_openpagescc-dev.int.thezah.com._app. So you need to find the conf

rev.dennis

Software Upload Error

Trying to upload a file that got aborted previously either because of a loss of connection or navigating away from the page while uploading (it happens). So when you try to upload again you get an error message like this. What is the answer? What can you do? Well, just ssh to the BIG-IQ CM device and navigate to /shared/images/tmp. There you will, more than likely, find the partial image that was trying to upload. Just delete it and go back to the GUI and try again. AND

rev.dennis

Show Connections on F5

Here are some commands you can use to troubleshoot connections on your F5. The following command will help you see how many Active connections there are to the F5 in total and break it out by Client and Server.

tmsh show sys performance connections

Sys::Performance Connections
---------------------------------------------------------------------------
Active Connections          Current    Average    Max(since 03/02/14 08:13:41)
-------------------------------------------------------------------

rev.dennis

Health Monitors

So Health Monitors are a big deal to ensure your pool members are up and working. Obviously a health monitor tells whether a pool member is up or down, and when it's down the pool won’t send any traffic to that pool member. Now you can assign health monitors two different ways. The right way and the wrong way, but sometimes the wrong way is the right way, just not the majority of the time… it's more of a custom thing. Let me explain further.

Example of a pool health monitor

ltm pool /I

rev.dennis

Viprion troubleshooting commands

Here are some useful commands I use to troubleshoot the Viprion chassis.

Check the state of all the vCMP Guests

[root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show /vcmp health prompt
-------------------------------------------------
Vcmp::Guest Prompt
Name                 Slot ID    Prompt
-------------------------------------------------
txsat1slbco02        1          /S1-green-P::Standby
txsat1slbco12        3          /S3-yellow-P::avrd DOWN
txsat1slbco14

rev.dennis

Balance Solarwinds Traffic with F5

Solarwinds is Windows based. The need is to leverage F5 to load balance Solarwinds across two different data centers, and this topic is to discuss how we could do this with either GTM using a WideIP, or LTM, or both. We have a main polling/web engine and 2 additional Web Engines. We are currently balancing over the 2 additional Web Engines with F5 BigIP-DNS (aka: GTM). The GTM WideIP has a single pool containing the two additional Web Engines as its pool members. Note that I don’t inc

rev.dennis

Create DNS domain on External GTM

In the environment I work in we have Infobox being the master, serving all records and owning the domains, but we have secondary server(s), which are F5 GTMs or F5 BIG DNS, that hold a copy of the records. You must create the domain on the GTM manually using a command like this:

tmsh create ltm dns zone dev.hosangit.com dns-express-server dns-server-0 dns-express-notify-tsig-verify no

Now you can verify it got created by running the command

tmsh list ltm dns zone dev.hosangit

rev.dennis

What SNAT address assigned to traffic?

It's quite difficult to troubleshoot traffic issues when a SNAT is assigned from a pool, since it's random and changes every time a new connection is established. Below are some hints on how to IDENTIFY what SNAT is assigned to the traffic using tmsh show sys connection. SNAT stands for Source Network Address Translation.

IDENTIFY what SNAT is assigned to the traffic from user source IP 74.32.5.21 (typically you don't want to specify the source port since it's randomly generated)

tmsh sh

rev.dennis
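The post above stops at the tmsh command, so here is an added example (not from the blog) of what the lookup looks like end to end. The connection-table text below is constructed to look like `tmsh show sys connection` output, where the third column (serverside client) is the SNAT address the pool member actually sees; the addresses and ports are made up. On a real LTM you would pipe `tmsh show sys connection cs-client-addr 74.32.5.21` into `snat_addresses` instead of the embedded sample.

```shell
#!/bin/bash
# Added example (not from the blog): pull the SNAT address out of
# connection-table output for a given client IP.
set -eu

# Constructed sample of "tmsh show sys connection" output. Columns on a real
# box: clientside client, clientside server, serverside client (the SNAT),
# serverside server, protocol, idle seconds, owning tmm, two trailing fields.
SAMPLE=$(cat <<'EOF'
Sys::Connections
74.32.5.21:51874    10.47.32.9:443   10.47.40.21:51874   10.47.50.15:8443   tcp   12   (tmm: 0)   none   none
74.32.5.21:51902    10.47.32.9:443   10.47.40.22:51902   10.47.50.16:8443   tcp   3    (tmm: 1)   none   none
198.51.100.7:40112  10.47.32.9:443   10.47.40.21:40112   10.47.50.15:8443   tcp   40   (tmm: 0)   none   none
Total records returned: 3
EOF
)

# Read connection-table text on stdin; for every entry whose clientside
# client IP equals $1, print "<snat-ip> <pool-member ip:port>". Header and
# "Total records" lines are skipped because $1 is not an ip:port there.
snat_for_client() {
    awk -v c="$1" '
        $1 ~ /^[0-9.]+:[0-9]+$/ {
            split($1, cs, ":")          # clientside client  -> cs[1] is the user IP
            if (cs[1] != c) next
            split($3, ss, ":")          # serverside client  -> ss[1] is the SNAT IP
            print ss[1], $4
        }
    '
}

# Distinct SNAT addresses a client has been given across its connections;
# with a SNAT pool this is usually more than one, as the post points out.
snat_addresses() {
    snat_for_client "$1" | awk '{ print $1 }' | sort -u
}

if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE" | snat_for_client 74.32.5.21
    echo "distinct SNATs:"
    printf '%s\n' "$SAMPLE" | snat_addresses 74.32.5.21
fi
```

Once you have the SNAT address(es), that is what to search for in the pool member's logs or in a tcpdump on the server side; searching for the user's real IP there turns up nothing, which is the confusion the post is about.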

F5 LTM and tcp timeouts

I got this request that stated: Increase the tcp timeout client to 7 mins. This is out of the norm for requests, so I figured I would share my findings in the event anyone else might run into this same thing. So if you don't do anything and just apply the standard tcp protocol profile the timeout is 5 minutes. Do I trust that the user knows that they need exactly 7 minutes for a timeout? No, so I utilize an existing tcp protocol profile called tcp.15.minutes which just increases t

rev.dennis

F5 Identify what Changes are Pending

So when a change is done on an F5 that is part of a device group (making it HA) the box will display Changes Pending until sync'd. You can use tmsh to show the most recent changes to a device group by running the following command. You can identify the device-group by simply typing

tmsh show /cm sync-status

tmsh show cm device-group <device_group>

These are the two entries to pay attention to

CID Time (UTC)    2019-Mar-27 10:07:21
LSS Time (UTC)

rev.dennis

Utilize BIG-IQ to update admin & root passwords on all F5 Devices

With the F5 BIG-IQ tool you can update the admin and root passwords for all the devices you manage, or just a select few, and it's fast and very easy to do. When you manage BIG-IP devices from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time. Note: You can change the passwords for several BIG-IP devices simultaneously only if they have the s

rev.dennis

F5 GTM/DNS Load Balancing Modes

This will be the description of the different modes.

Topology Load Balancing Mode

Topology is a proximity based load balancing mode that allows you to direct traffic by defining topology records and selecting the Topology load-balancing mode for the wide IP or pool. The Topology mode bases the distribution of requests on the topology records and the weighted scores configured for each record. The topology records direct DNS queries to the closest virtual server, based on g

rev.dennis

No Statistics on BIG-IQ from BIG-IPs

After upgrade to 8.0 I am unable to get any stats, which means the Applications tab doesn't work and just kicks out an error, and the same thing for most everything under the Monitoring tab. What did I try? I removed the BIG-IP device and re-added it with the same results. I removed DCD and re-added it back in, which took about an hour each because it would hang on ES_ service. What worked? These steps will only affect the configuration between the Big-IQ and the DCDs, none of the B

rev.dennis
