For this to work you need to decrypt the traffic as it comes in. It's too late if you did a capture and all the traffic is encrypted. So this entry is for those of you who would like to do some work ahead of time on the F5 and then have the user do some application testing while you are running a tcpdump. In many cases for me, I have only needed to do this on our DMZ LTM, which is where our F5 works as an SSL Bridge
SETUP
Put the source IPs in a txt file. I'm calling mine /var/t
You can use the ssldump utility to examine, decrypt, and decode SSL-encrypted packet streams managed by the BIG-IP system. The ssldump utility can act on packet streams in real time as they traverse the system, or on a packet capture file saved in the libpcap format, such as that produced by the tcpdump utility. Although it is possible for the ssldump utility to decode and display live traffic in real time as it traverses the BIG-IP system, it is rarely the most effective method to examine the volumin
When migrating you want to make sure you don't miss anything, so here are a few commands that I run to help me make sure that what was on the old box is on the new one.
CONFIGURATION PHASE
Virtual Servers
The first objective is to check that all the Virtual Servers are present. If you aren't changing IP addresses, then all I grab is the destination field, since in many cases the name and/or partition may change. For example, we are moving to deploying all our Virtual Servers using JSON forma
Here is a very helpful script that can be used to export the following:
Virtual Server
Profile
Certificate
Ciphers
I personally create a file called: show-vs-cpfl-cert-ciphers.sh
Then I make it executable: chmod 755 show-vs-cpfl-cert-ciphers.sh
Now copy the code below and paste it into the new file:
#!/bin/bash
# Search /config and sub directories (partitions) for bigip.conf files
LIST=`find /config -name bigip.conf | xargs awk '$2 == "virtual" {print $3}' 2>
Trying to migrate an LTM from the old-school way to doing it via JSON, and this particular LTM has AWAF resource provisioned, which is what makes it difficult, AND we are running version 15.x, which only supports exporting policies into XML. In newer versions (16.x and 17.x) the AWAF policies can be exported into JSON format.
We exported the policies and imported them, and now when you go to a child policy and you want to update it, the settings are grayed out as shown here
But it used to loo
I am migrating from End-of-Life hardware to a new vCMP Guest, and with the migration I am deploying all the applications using JSON and AS3 (through BIG-IQ).
So we would like all the applications to be staged on the F5 in a disabled state. As we migrate each application with the team on the phone for verification, I just want to make the change in JSON, push it to the F5, disable the Virtual Server on the legacy EoL box, and BOOM, live traffic on the new box.
Why disabled state? I d
REQUIREMENTS:
For the BIG-IP DNS synchronization group members to properly synchronize their configuration settings, verify that the following requirements are in place:
BIG-IP DNS synchronization group members must be running the same software version
A BIG-IP DNS device should be running the same software version as the other members in the synchronization group. BIG-IP DNS devices that are running different software versions will not be able to communicate and properly synchro
I ran into an issue last night where I had to redirect
https://example.thezah.com/
to
https://example.thezah.com/?idp_id=two
I attempted a few different ways of redirecting the URI in the Policy and none of them worked. I ran into a few issues...
When creating the Redirect_URI policy, do the following: Replace - HTTP URI - path with value /?idp_id=two at request time
What would happen is that when you enter the value /?idp_id=two and save, F5 would change it to
If you have BIG-IQ in your environment to help manage/monitor your applications, then let me help you understand how to use some cool features of BIG-IQ.
Many times you have several F5s in your environment, and trying to identify which F5 has the application you need to troubleshoot is kind of a pain in the butt unless you have BIG-IQ.
The first thing I do when someone says they have an issue with their application is ask for the FQDN or the URL that is having issues.
Next thing I do is
I need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5s running AWAF.
First, setting up logging was pretty easy to do:
System Tab – Audit Log Syslog Servers
Enter NAME and IP address of syslog servers and TCP 514.
NOTE: I tried the newer rfc5424 and got nothing in Splunk, so I had to leave the old-school rfc3164
Next, I found some interesting articles
https://techdocs.f5.com/kb/en-us
So you are in BIG-IQ and for some reason or another BIG-IQ is asking you to remove the device and add it back in to re-establish trust, but wait... you can't, because Applications are linked to that device. Here are some steps to follow to remove an application.
So say you are trying to remove the LTM service from a device and it's saying you can't remove the device because this application is linked to it:
t_10.47.32.9_openpagescc-dev.int.thezah.com._app
So you need to find the conf
Trying to upload a file that was aborted previously, either because of a loss of connection or because you navigated away from the page while uploading (it happens).
So when you try to upload again you get an error message like this
What is the answer? What can you do?
Well, just SSH to the BIG-IQ CM device and navigate to /shared/images/tmp
There you will, more than likely, find the partial image that was being uploaded. Just delete it, go back to the GUI and try again.
AND
Here are some commands you can use to troubleshoot connections on your F5.
The following command shows how many active connections the F5 has in total, broken out by client and server:
tmsh show sys performance connections
Sys::Performance Connections
---------------------------------------------------------------------------
Active Connections Current Average Max(since 03/02/14 08:13:41)
-------------------------------------------------------------------
So Health Monitors are a big deal for ensuring your pool members are up and working. Obviously a health monitor tells whether a pool member is up or down, and when it's down the pool won't send any traffic to that pool member.
Now you can assign health monitors two different ways: the right way and the wrong way. Sometimes the wrong way is the right way, but not the majority of the time; it's more of a custom thing. Let me explain further.
Example of a pool health monitor
ltm pool /I
Here are some useful commands I use to troubleshoot the Viprion chassis.
Check the state of all the vCMP Guests:
[root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show /vcmp health prompt
-------------------------------------------------
Vcmp::Guest Prompt
Name Slot ID Prompt
-------------------------------------------------
txsat1slbco02 1 /S1-green-P::Standby
txsat1slbco12 3 /S3-yellow-P::avrd DOWN
txsat1slbco14
Solarwinds is Windows-based. The need is to leverage F5 to load balance Solarwinds across two different data centers, and this topic discusses how we could do this with either GTM using a WideIP, or LTM, or both.
We have a main polling/web engine and have 2 additional Web Engines. We are currently balancing over the 2 additional Web Engines with F5 BigIP-DNS (aka: GTM). The GTM WideIP has a single pool containing the two additional Web Engines as its pool members. Note that I don’t inc
In the environment I work in we have Infoblox as the master, serving all records and owning the domains, but we have secondary server(s), which are F5 GTMs or F5 BIG-IP DNS, that hold a copy of the records. You must create the domain on the GTM manually using a command like this:
tmsh create ltm dns zone dev.hosangit.com dns-express-server dns-server-0 dns-express-notify-tsig-verify no
Now you can verify it got created by running the command:
tmsh list ltm dns zone dev.hosangit
It's quite difficult to troubleshoot traffic issues when a SNAT is assigned from a pool, since it's random and changes every time a new connection is established.
Below are some hints on how to IDENTIFY which SNAT is assigned to the traffic using tmsh show sys connection.
SNAT stands for Source Network Address Translation.
IDENTIFY which SNAT is assigned to the traffic from user source IP 74.32.5.21 (typically you don't want to specify the source port, since it's randomly generated):
tmsh sh
I got this request that stated:
Increase the tcp timeout client to 7 mins.
This is out of the norm for requests, so I figured I would share my findings in case anyone else runs into the same thing.
So if you don't do anything and just apply the standard tcp protocol profile, the timeout is 5 minutes. Do I trust that the user knows they need exactly 7 minutes for a timeout? No, so I use an existing tcp protocol profile called tcp.15.minutes, which just increases t
So when a change is made on an F5 that is part of a device group (making it HA), the box will display Changes Pending until synced.
You can use tmsh to show the most recent changes to a device group by running the following command. You can identify the device group by simply typing tmsh show /cm sync-status
tmsh show cm device-group <device_group>
These are the two entries to pay attention to:
CID Time (UTC) 2019-Mar-27 10:07:21
LSS Time (UTC)
With the F5 BIG-IQ tool you can update the admin and root passwords for all the devices you manage, or just a select few, and it's fast and very easy to do.
When you manage BIG-IP devices from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time.
Note: You can change the passwords for several BIG-IP devices simultaneously only if they have the s
This will be the description of the different modes.
Topology Load Balancing Mode
Topology is a proximity-based load balancing mode that allows you to direct traffic by defining topology records and selecting the Topology load-balancing mode for the wide IP or pool. The Topology mode bases the distribution of requests on the topology records and the weighted scores configured for each record. The topology records direct DNS queries to the closest virtual server, based on g
After upgrading to 8.0 I am unable to get any stats, which means the Applications tab doesn't work and just throws an error, and the same goes for most everything under the Monitoring tab.
What did I try?
I removed the BIG-IP device and re-added it, with the same results.
I removed the DCD and re-added it, which took about an hour each time because it would hang on the ES_ service.
What worked?
These steps will only affect the configuration between the BIG-IQ and the DCDs, none of the B