Blog Entries posted by rev.dennis

  1. rev.dennis
    We are here today to celebrate the miracle of love. Andrew Wald and Kirsten Perry have found that miracle in each other and now desire to share their love all the days of their lives.
    Are both of you willing to give your hand to the one whose heart you hold? 
    (Both answer): Yes, we are. 
    Andrew do you have the ring for Kirsten?
    Please repeat after me
    Kirsten, this ring is a token of my love. / and a sign of my commitment. / I marry you with this ring, / with all that I have and all that I am. 
    Kirsten do you have the ring for Andrew?
    Please repeat after me
    Andrew, this ring is a token of my love. / and a sign of my commitment. / I marry you with this ring, / with all that I have and all that I am. 
    May the road rise to meet you. May the wind be always at your back. May the sun shine warm upon your face, the rains fall soft upon the fields. May the light of friendship guide your paths together. May the laughter of children grace the halls of your home. May your lives be blessed with an everlasting love. May God grant you a new beginning as He opens the door to life's deepest and richest experiences. May the life you build together be a lasting testimony that a second chance is for those who never give up believing in the power of faith, hope, and love.
    Andrew and Kirsten, You have committed and proclaimed your love for each other and to your children. By the giving and receiving of rings and these gifts, I now pronounce you husband & wife, and family. 
     (The Officiant shall say): Andrew, you may kiss your Bride. (Bride and Groom kiss).
    (The Officiant shall say): Ladies and Gentlemen, it is my privilege to introduce to you for the very first time, (Mr and Mrs.) Wald and family.
    ohc_Andrew-Kirsten_Wedding.pdf
  2. rev.dennis
    Here are some commands you can use to troubleshoot connections on your F5 
    The following command shows the total number of active connections on the F5 and breaks new connections out by client side and server side.
    tmsh show sys performance connections
    Sys::Performance Connections
    ---------------------------------------------------------------------------
    Active Connections            Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    Connections                     11.9K    12.4K   15.0K
    ---------------------------------------------------------------------------
    Total New Connections(/sec)   Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    Client Connections                648      617     770
    Server Connections                599      570     729
    ---------------------------------------------------------------------------
    HTTP Requests(/sec)           Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    HTTP Requests                     156      633    1.4K
    Below are some more helpful commands
    MAX Connections per VS (column 2 of the connection table is the virtual server address:port):
    tmsh show sys connection | egrep -v 'T|S' | awk '{print $2}' | sort -n | uniq -c | sort -n
    MAX Connections per VIP (same as above, but the port is stripped so connections are counted per virtual IP):
    tmsh show sys connection | egrep -v 'T|S' | awk '{print $2}' | cut -d: -f 1 | sort -n | uniq -c | sort -n
    If you run the following command you get a large list of connections
    tmsh show sys connection
    Really display 1000 connections? (y/n) y
    Sys::Connections
    10.47.194.102:41570  10.47.44.6:8      10.47.194.102:41570  10.47.44.6:8        icmp  201  (slot/tmm: 1/2)  none  none
    10.47.197.70:33222   10.47.37.138:8    10.47.197.70:33222   10.47.37.138:8      icmp  11   (slot/tmm: 1/2)  none  none
    10.46.129.142:13725  10.47.32.217:443  10.47.34.22:49598    10.46.129.142:7020  tcp   3    (slot/tmm: 1/2)  none  none
    So what does each column represent?
    [cs-client-addr:cs-client-port] [cs-server-addr:cs-server-port] [ss-client-addr:ss-client-port] [ss-server-addr:ss-server-port] [Protocol] [Age] [Slot/TMM] [PVA Acceleration]

    cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
    Computer IP & PORT            | Virtual Server IP & PORT      | SNAT IP & PORT                | Server IP & PORT

    Client Side
    cs-client-addr:cs-client-port  Computer IP:Computer Port
    cs-server-addr:cs-server-port  F5 VirtualIP:F5 VirtualPort
    Server Side
    ss-client-addr:ss-client-port  F5 SNATip:F5 SNATport
    ss-server-addr:ss-server-port  F5 POOLmember:F5 POOLmemberPORT
     
    Show connections from User (10.34.168.176) to Virtual Server (10.47.196.154):
    tmsh show sys connection cs-server-addr 10.47.196.154 cs-server-port 80 | grep 10.34.168.176
    Delete Connections on Virtual Server (10.47.196.154):
    tmsh delete sys conn cs-server-addr 10.47.196.154
    This is what I use when I want to find the addresses that are using a certain SNAT IP address, because I can't count how many times we get a call from our help desk saying they have an issue, the source IP shows as the F5, and they provide us an IP address from the SNAT pool.
    EXAMPLE: They provide us SNAT address 10.46.66.57 so I will run 
    tmsh show sys connection ss-client-addr 10.46.66.57   
    You can also try and do a tcpdump but it doesn’t seem to ever work 
    tcpdump -nni 0.0 host 10.46.66.57  
     
  3. rev.dennis
    Here are some useful commands I use to troubleshoot the Viprion chassis
    Check the state of all the vCMP Guests
    [root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show /vcmp health prompt
    -------------------------------------------------
    Vcmp::Guest Prompt
    Name           Slot ID                     Prompt
    -------------------------------------------------
    txsat1slbco02        1       /S1-green-P::Standby
    txsat1slbco12        3    /S3-yellow-P::avrd DOWN
    txsat1slbco14        4     /S4-red-P::INOPERATIVE
    txsat1slbco16        2     /S2-red-P::INOPERATIVE
    txsat1slbco22        3  /S3-yellow-P::INOPERATIVE
    txsat1slbco24        4     /S4-green-P::avrd DOWN
    txsat1slbco26        2  /S2-yellow-P::INOPERATIVE
    txsat1slbco32        3  /S3-yellow-P::INOPERATIVE
    txsat1slbco34        4  /S4-yellow-P::INOPERATIVE
    txsat1slbco36        4     /S4-red-P::INOPERATIVE
    txsat1slbdv04        1       /S1-green-P::Standby
    When you need to bring down all the vCMP Guests (helpful when you need to upgrade the Viprion chassis)
    tmsh modify vcmp guest all state configured
    And when the Viprion chassis is restored and you want to bring all vCMP Guests back online you can run
    tmsh modify vcmp guest all state deployed
    You can do individual vCMP Guests in the event you don't want all of your Guests
    tmsh modify /vcmp guest txsat1slbco11 state configured
    tmsh modify /vcmp guest txsat1slbco11 state deployed
    At times, you may need to reboot the slots
    tmsh reboot slot all
    A more aggressive way to reboot the chassis and slots
    clsh shutdown -r now
    If you need to reboot just one slot, you can run the following to identify what slot you are on
    bladectl -g slot
    Then to reboot individual slots/blades you run the following to reboot blade 1
    bladectl -b 1 -r
    REF: https://devcentral.f5.com/questions/right-procedure-to-shutdown-a-viprion-system-with-vcmp
     
    Identify large files on the Viprion by running this command
    find /var/log -xdev -type f -exec du {} \; | sort -rn | head -10  
    To release files you need to restart services
    tmsh stop /sys service avrd monpd
    tmsh start /sys service avrd monpd
    tmsh start /sys service vcmpd
    And to verify everything is back up and running
    [root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show sys cluster
    -----------------------------------------
    Sys::Cluster: default
    -----------------------------------------
    Address                 10.46.136.190/23
    Alt-Address             ::
    Availability            available
    State                   enabled
    Reason                  Cluster Enabled
    Primary Slot ID         1
    Primary Selection Time  03/04/21 20:58:51

      -------------------------------------------------------------------------------------------
      | Sys::Cluster Members
      | ID  Address        Alt-Address  Availability  State    Licensed  HA      Clusterd  Reason
      -------------------------------------------------------------------------------------------
      | 1   10.46.136.191  ::           available     enabled  true      active  running   Run
      | 2   10.46.136.192  ::           available     enabled  true      active  running   Run
      | 3   10.46.136.193  ::           available     enabled  true      active  running   Run
      | 4   10.46.136.194  ::           available     enabled  true      active  running   Run
    more to come
  4. rev.dennis
    Training Material captured throughout time learning about the LTM's, GTM's and Viprion chassis for F5's version 11.
    Chapter 1 - Setting Up the BIG-IP System
    Introducing the BIG-IP System
    Initially Setting Up the BIG-IP System
    Configuring the Management Interface
    Activating the Software License
    Provisioning Modules and Resources
    Importing a Device Certificate
    Specifying BIG-IP Platform Properties
    Configuring the Network
    Configuring Network Time Protocol (NTP) Servers
    Configuring Domain Name System (DNS) Settings
    Configuring High Availability Options
    BIG-IP v11 Chptr 01.pdf
     
    Chapter 2 - Traffic Processing Building Blocks
    Identifying BIG-IP Traffic Processing Objects
    Network Packet Flow
    Configuring Virtual Servers and Pools
    Load Balancing Concepts
    Viewing Statistics and Logs
    BIG-IP v11 Chptr 02.pdf
     
     
    Chapter 3 - Using NATs and SNATs
    Address Translation on the BIG-IP System
    NAT Concepts
    Solving Routing Issues with SNATs
    Configuring SNAT Auto Map on a Virtual Server
    Monitoring for and Mitigating Port Exhaustion
    BIG-IP v11 Chptr 03.pdf
     
     
    Chapter 4 - Using the Traffic Management Shell (tmsh)
    Traffic Management Shell (tmsh)
    Introduction to tmsh
    Accessing the Command Line and tmsh
    Understanding the tmsh Hierarchical Structure
    Navigating the tmsh Hierarchy
    Command Completion
    tmsh Command History Feature
    tmsh on DevCentral
    BIG-IP Configuration State and Files
    BIG-IP System Configuration State
    Loading and Saving the System Configuration
    Shutting Down and Restarting the BIG-IP System
    Saving and Replicating Configuration Data (UCS and SCF)
    Viewing the BIG-IP Connection Table
    BIG-IP-v11 Chptr 04.pdf
     
     
    Chapter 5 - Monitoring Application Health
    Introducing Monitors
    Types of Monitors
    Monitor Interval and Timeout Settings
    Configuring Monitors
    Assigning Monitors to Resources
    Managing Pool, Pool Member, and Node Status
    Using the Network Map
    missing chptr 05 PDF
    https://player.vimeo.com/video/170942130

    Chapter 6

    Chapter 7

    Chapter 8

    Chapter 9

    Chapter 10

  5. rev.dennis
    So when a change is done on an F5 that is part of a device group (making it HA) the box will display Changes Pending until sync'd

    You can use tmsh to show the most recent changes to a device group by running the following command. You can identify the device-group by simply typing tmsh show /cm sync-status
    tmsh show cm device-group <device_group>
    These are the two entries to pay attention to
    CID Time (UTC)                   2019-Mar-27 10:07:21
    LSS Time (UTC)                   2019-Mar-27 09:30:41
    You can check logs for what changes may have been made. Using the output from the previous procedure, search the log file for changes that occurred between 09:30:41 and 10:07:21 on March 27 2019. If the device is standalone and not part of a pair and you know the time of the last approved change, then use that time.
    cat /var/log/audit | sed -n -e '/Mar 27 10:01:02/,$p'
  6. rev.dennis
    I am migrating from an End Of Life hardware to a new vCMP Guest and with the migration I am deploying all the applications using JSON and AS3 (through BIGiQ).
    So we would like all the applications to be staged on the F5 in a disabled state and as we migrate each application with the team on the phone for verification, I just want to make the change in JSON and push to the F5 and disable the Virtual Server on the legacy EoL box and BOOM, live traffic on new box.
    Why disabled state?  I don't want any traffic to go to new hardware until we are ready to migrate the application.
    So in JSON format all I can figure out looking through the AS3 schema is possibly changing this one setting from true to false.  What it does is create everything but the virtual server if you go to the F5 itself.  So the partition is created (tenant) and you'll find the pool but you won't see any virtual server.

    The goal is actually to have the virtual server deployed to the F5 using JSON but it be visible and disabled.

    I "thought" if the virtual server was in a disabled state then it would not be responsive but this actually isn't true as I will demonstrate below
    So I first remove the virtual server so we start with a clean slate

    Now let's go to the command prompt on the F5 and ping the IP address of the Virtual Server (in this case it's 192.168.199.22)
    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    ^C
    --- 192.168.199.22 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 4000ms
    From the above ping, nothing is responding to that IP address.
     
    Now let's deploy the Virtual Server in enabled state as shown above

    Now we get a ping response as we should
    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    64 bytes from 192.168.199.22: icmp_seq=1 ttl=255 time=0.109 ms
    64 bytes from 192.168.199.22: icmp_seq=2 ttl=255 time=0.226 ms
    64 bytes from 192.168.199.22: icmp_seq=3 ttl=255 time=0.311 ms
    ^C
    --- 192.168.199.22 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.109/0.215/0.311/0.083 ms
    Now click on the checkbox to the left and click disable so the screen looks like this

    So most people's thought is if it's disabled then it shouldn't be responding, but it does
    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    64 bytes from 192.168.199.22: icmp_seq=1 ttl=255 time=0.201 ms
    64 bytes from 192.168.199.22: icmp_seq=2 ttl=255 time=0.242 ms
    64 bytes from 192.168.199.22: icmp_seq=3 ttl=255 time=0.232 ms
    64 bytes from 192.168.199.22: icmp_seq=4 ttl=255 time=0.259 ms
    ^C
    --- 192.168.199.22 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2998ms
    rtt min/avg/max/mdev = 0.201/0.233/0.259/0.026 ms
    The solution is to change that setting in the AS3 from
    "enable": true,
    to
    "enable": false,
    Then save and deploy, and your virtual server will be gone and it's no longer pingable
     
  7. rev.dennis
    If you are leveraging the BIG-IQ tool (version 7.x or newer) to import devices using a CSV there are a few things you should know.
    It would probably help to know the columns needed (note you do not include the column headers in the csv)

    So when you save your CSV it MUST NOT be in UTF-8 mode, or the import will fail with an incorrect Management IP Address (the first column), since the CSV import cannot read a CSV saved in UTF-8 mode.
    Anyhow, your CSV should look something like this when you're done

    When you click begin you will see a very boring box while it tries to import the devices

  8. rev.dennis
    After upgrade to 8.0 I am unable to get any stats which means Applications tab doesn't work and just kicks out an error and same thing for most everything under the Monitoring tab.
    What did I try?
    I removed the BIG-IP device and re-added it with the same results.
    I removed the DCD and re-added it, which took about an hour each time because it would hang on the ES_ service.
    What worked?
    These steps will only affect the configuration between the BIG-IQ and the DCDs; none of the BIG-IP data should be affected:
    1. From bash on the CM: reset-data-collection-cluster
    2. From bash on each of the DCDs: reset-data-collection-cluster -es
    3. Re-add the DCD devices
    It is important that we use the -es flag on the DCDs and NOT on the CM. This is because we want the DCDs to control the data that the CM knows about, rather than having the CM determine what data it remembers. After completing steps 1 and 2, try adding the DCDs back to the CM. If this doesn't resolve the issue, there isn't anything more we can do to preserve the previous data and we'll need to go through these same steps without the -es flag on the DCDs. If there is no value in retaining the historic data, we can remove the -es flag from the second step the first time.
     
  9. rev.dennis
    With the F5 BIG-IQ tool you can update the admin and root passwords for all the devices you manage, or just a select few, and it's fast and very easy to do.
    When you manage BIG-IP device from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time.

    Note: You can change the passwords for several BIG-IP devices simultaneously only if they have the same password.
    Important: The passwords for the BIG-IP devices you select must all be identical.
    1. On the top of the BIG-IQ GUI, click the Devices tab.
    2. On the left, click PASSWORD MANAGEMENT > Change Device Passwords.
    3. Near the top of the screen, click the Create button.
    4. In the Name and Description fields, type a name and optional description to help you identify this task.
    5. From the Available list, select devices and move them to the Selected list.
    6. Select an option for the Change Password setting.
    7. Provide the old and new passwords, as required.
    8. Click the Run button at the bottom of the screen.
    BIG-IQ will apply the new password to all of the selected BIG-IP devices. You can view the status of this task from the Change Device Passwords screen.

    REFERENCE: https://support.f5.com/csp/article/K25546160
  10. rev.dennis
    Trying to upload a file that got aborted previously either because of a loss of connection or navigating away from the page while uploading (it happens).
    So when you try and upload again you get an error message like this
    What is the answer?  What can you do?
    Well just ssh to the BIG-IQ CM device and navigate to /shared/images/tmp
    There you will, more than likely, find the partial image that was trying to upload. Just delete it and go back to the GUI and try again.
    AND if that doesn’t work, no worries..  just manually upload the .iso file to /shared/images and check in the GUI later to see if it shows up.
  11. rev.dennis
    So you are in BIG-IQ and for some reason or another BIG-IQ is asking for you to remove the device and add it back in to re-establish trust but wait..  you can’t because Applications are linked to that device.  Here are some steps to follow to remove an application.
    So say you are trying to remove the LTM service from a device and its saying you can’t remove the device because this application is linked to it
    t_10.47.32.9_openpagescc-dev.int.thezah.com._app
    So you need to find the configSetName so you can search on BIG-IQ
    restcurl /cm/global/config-sets | jq '.items[] | {configSetName,selfLink}'
    Once you find the configSetName you can force remove it by running the following command
    restcurl /cm/global/tasks/force-delete -X POST -d '{"configSetName":"t_10.47.32.9_openpagescc-dev.int.thezah.com._app"}'
    Now if you have multiple to do you can cheat a little bit but it's still a pain in the ass…
    setname=t_10.47.32.9_openpagescc-dev.int.thezah.com._app
    restcurl /cm/global/tasks/force-delete -X POST -d "{\"configSetName\":\"${setname}\"}"
    So when it completes and you get the next one that has an issue you just update
    setname=t_103841_dev1_abms_pdev3_int_thezah_com_https_app
    and up arrow to run the following again:
    restcurl /cm/global/tasks/force-delete -X POST -d "{\"configSetName\":\"${setname}\"}"
    Did you know that every F5 has a unique code which can be found when you run the following
    cat f5-rest-device-id
    Sometimes it's helpful to know what the UUID is for the F5 device
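    The "multiple to do" loop above, as an added example that is not from the original post: a small shell function that builds the force-delete body with escaped quotes (the inner double quotes in -d "{"configSetName":"${setname}"}" end the string early) and posts once per config set name. restcurl and the /cm/global/tasks/force-delete endpoint are the ones the post uses; RESTCURL=echo is an assumption added here so the loop can be dry-run off the box.

```shell
#!/bin/sh
# Added example, not the post's own code. Force-deletes several BIG-IQ config sets
# in one loop with correctly quoted JSON. Set RESTCURL=echo to print the calls
# instead of running them (assumed convention for dry runs; restcurl is the real tool).
RESTCURL="${RESTCURL:-restcurl}"

# Build the JSON body for one config set name. printf with %s keeps the literal
# double quotes in the body; the shell never sees them as string delimiters.
build_force_delete_payload() {
  printf '{"configSetName":"%s"}' "$1"
}

# Force-delete every config set name passed as an argument, one POST per name.
force_delete_config_sets() {
  for setname in "$@"; do
    "$RESTCURL" /cm/global/tasks/force-delete -X POST \
      -d "$(build_force_delete_payload "$setname")"
  done
}

# Example call with the two names from the post (dry run when RESTCURL=echo):
# force_delete_config_sets \
#   t_10.47.32.9_openpagescc-dev.int.thezah.com._app \
#   t_103841_dev1_abms_pdev3_int_thezah_com_https_app
```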
  12. rev.dennis
    Need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5’s running AWAF.
    First, setting up logging was pretty easy to do
    System Tab – Audit Log Syslog Servers
    Enter NAME and IP address of syslog servers and TCP 514.
    NOTE: I tried the newer rfc5424 and got nothing in Splunk so have to leave the old school rfc3164
    Next, I found some interesting articles
    https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-security-5-4-0/22.html
     
  13. rev.dennis
    We upgraded to 15.1.2.1 and now we seem to have a bunch of issues authenticating using either AD or TACACS.  It requires multiple tries and then it eventually works.
    Our first attempt is to fix the F5 devices that are using AD only
    vi /etc/openldap/ldap.conf
    You have to add a new line
    Then you need to run
    tmsh list auth ldap system-auth referrals
    auth ldap system-auth {
        referrals yes
    }
    If it's yes, then change it to no by running
    tmsh modify auth ldap system-auth referrals no
    And confirm it's set by doing another list command like the one above
    tmsh list auth ldap system-auth referrals
    auth ldap system-auth {
        referrals no
    }
    And finally, before you start testing, save the configuration
    tmsh save sys config
    Saving running configuration...
      /config/bigip.conf
      /config/bigip_base.conf
      /config/bigip_script.conf
      /config/bigip_user.conf
      /config/partitions/Citrix/bigip.conf
      /config/partitions/DNS/bigip.conf
      /config/partitions/Disaster.Recovery/bigip.conf
      /config/partitions/Integration/bigip.conf
      /config/partitions/Messaging/bigip.conf
    Now do some testing of your user account that utilizes AD to see if it works.
     
  14. rev.dennis
    I got this request that stated
    Increase the tcp timeout client  to 7 mins.
    This is out of the norm for requests so I figured I would share my findings in the event anyone else might run into this same thing.
    So if you don't do anything and just apply the standard tcp protocol profile, the timeout is 5 minutes. Do I trust that the user knows that they need exactly 7 minutes for a timeout? No, so I utilize an existing tcp protocol profile called tcp.15.minutes, which just increases the timeout to 900 seconds (or 15 min).

    Now you apply it to your Virtual Server.. if it's not standard you probably won't be able to apply the profile

    Set persistence timeout to slightly higher than the tcp timeout (if tcp timeout = 15 min, set LB persistence timeout to 20 minutes). This will ensure that user requests are pinned to the same app server for the duration of the session.
  15. rev.dennis
    It's quite difficult to troubleshoot traffic issues when a SNAT is assigned from a pool, since it's random and changes every time a new connection is established.
    Below are some hints on how to IDENTIFY what SNAT is assigned to the traffic using tmsh show sys connection
    SNAT stands for Source Network Address Translation.
    IDENTIFY what SNAT is assigned to the traffic from user source IP 74.32.5.21 (typically you don't want to specify the source port since it's randomly generated)
    tmsh show sys connection cs-client-addr 74.32.5.21
    IDENTIFY what SNAT is assigned to the traffic on virtual server 10.47.196.154 on port 80
    tmsh show sys connection cs-server-addr 10.47.196.154 cs-server-port 80
    IDENTIFY what SNAT is assigned to traffic destined for pool member 10.40.144.18 over port 443
    tmsh show sys connection ss-server-addr 10.40.144.18 ss-server-port 443
    Explanation of columns when running tmsh show sys connection
    cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
    Computer IP & PORT            | Virtual Server IP & PORT      | SNAT IP & PORT                | Server IP & PORT
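    The column layout explained here and in the connection-troubleshooting entry above (connections per VIP, which SNAT a client got, which clients sit behind a SNAT address), as an added example that is not from the original posts: shell functions that parse tmsh show sys connection output by column. The connection table below is constructed, not captured from a device, and the functions assume IPv4 addr:port fields.

```shell
#!/bin/sh
# Added example, not the posts' own code. Parses `tmsh show sys connection` output
# offline. SAMPLE_CONNS is a constructed table in the column order the posts describe:
#   cs-client  cs-server (virtual server)  ss-client (SNAT)  ss-server (pool member)  proto age (slot/tmm) pva pva
SAMPLE_CONNS='Sys::Connections
10.34.168.176:51000  10.47.196.154:80   10.46.66.57:1024  10.47.44.10:8080  tcp  12  (slot/tmm: 1/1)  none  none
10.34.168.177:51001  10.47.196.154:80   10.46.66.58:1025  10.47.44.11:8080  tcp  3   (slot/tmm: 1/2)  none  none
10.34.168.178:51002  10.47.196.154:443  10.46.66.57:1026  10.47.44.10:8443  tcp  40  (slot/tmm: 1/1)  none  none
10.34.168.179:51003  10.47.197.10:80    10.46.66.59:1027  10.47.44.12:8080  tcp  7   (slot/tmm: 1/1)  none  none
Total records returned: 4'

# Keep only rows whose first and fourth fields look like IPv4 addr:port (assumption: IPv4).
# This drops the header/footer lines by shape instead of a letter filter such as egrep -v 'T|S'.
conn_rows() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9.]+:[0-9]+$/ && $4 ~ /^[0-9.]+:[0-9]+$/'
}

# Connections per virtual IP: column 2 with the port stripped, busiest first.
conns_per_vip() {
  conn_rows "$1" | awk '{ split($2, a, ":"); c[a[1]]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Which SNAT addr:port (column 3) a given client IP was translated to.
# The trailing ":" in the match keeps 10.47.196.15 from matching 10.47.196.154.
snat_for_client() {
  conn_rows "$2" | awk -v ip="$1" 'index($1, ip ":") == 1 { print $3 }'
}

# Which client addresses (column 1) are behind a given SNAT IP: the help-desk case
# where the server side only sees the SNAT address.
clients_using_snat() {
  conn_rows "$2" | awk -v ip="$1" 'index($3, ip ":") == 1 { print $1 }' | sort -u
}

# Which pool members (column 4) were reached through a given virtual server IP.
members_behind_vip() {
  conn_rows "$2" | awk -v ip="$1" 'index($2, ip ":") == 1 { print $4 }' | sort -u
}

# On a BIG-IP you would feed the live table instead of the sample, e.g.
#   conns_per_vip "$(tmsh show sys connection)"
#   clients_using_snat 10.46.66.57 "$(tmsh show sys connection)"
```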
     
  16. rev.dennis
    Solarwinds is Windows based.  The need is to leverage F5 to load balance Solarwinds across two different data centers and this topic is to discuss how we could do this with either GTM using a WideIP or LTM or both.
    We have a main polling/web engine and have 2 additional Web Engines.  We are currently balancing over the 2 additional Web Engines with F5 BigIP-DNS (aka: GTM).  The GTM WideIP has a single pool containing the two additional Web Engines as its pool members.  Note that I don’t include the main poller/web engine in the webGui pool but leave it with as many resources as possible for its polling.
    We use the Static Persist LB method on the pool to ensure users maintain the same resolved IP address and do not resolve the other pool member.  This is necessary if you want to avoid having to re-login mid session because you ‘landed’ on the alternate pool member.  The Web Engines are not clustered and are unique entities so there is no persistence across the Web Engines.
    The Static Persist LB method means that when a DNS server resolves an IP, that same IP will be resolved indefinitely when requested by that same DNS server.
    Since the majority of our users utilize the same DNS server, we have found that we don’t get much of a balance and one of our Web Engines sits mostly idle.  We have learned that 25 concurrent sessions is suggested max for connections to any particular Web Engine.  That does not mean 25 users but 25 open tabs/sessions (at least that was my interpretation).  With better LB methodology, this will increase to 50 concurrent connections balanced over the 2 Web Engines.
    Our solution will be to create an LTM Virtual Server that listens on a vIP and proxies, via round-robin LB method, the client browsers to the Web Engines and gives a better balance as the LB would be per client (LTM method) and not per DNS server (GTM method).  The LTM method would use cookie persistence to ensure any particular session is sticky/persisted to the same Web Engine.
    With either method (GTM or LTM LB), if clients knew the true IP/hostname of the Web Engines, they could still pick a specific one to connect to and would (obviously) persist to the one they choose. Of course, your corporate FW would have to allow traffic to the Web Engines and not limit it to only the LTM vIP.
    The NetScaler can be set up in a similar fashion to the LTM method. A vIP on the NetScaler could balance client browsers with cookie persistence across any number of Web Engine hosts.
  17. rev.dennis
    So Health Monitors are a big deal to ensure your pool members are up and working.  Obviously a health monitor tells whether a pool member is up or down and when its down the pool won’t send any traffic to that pool member.
    Now you can assign health monitors two different ways.  The right way and the wrong way but sometimes the wrong way is the right way but not the majority of the time…  its more of a custom thing.  Let me explain further
    Example of a pool health monitor
    ltm pool /Integration/pool.cs-inspire-batch-cap.int.thezahcom.ssh {
        load-balancing-mode least-connections-member
        members {
            /Integration/10.45.89.242:22 {
                address 10.45.89.242
                session monitor-enabled
                state up
            }
            /Integration/10.45.89.243:22 {
                address 10.45.89.243
                session monitor-enabled
                state up
            }
        }
        monitor monitor_22
        partition Integration
    }
    Here is an example of the "custom" or incorrect way
    ltm pool /Integration/pool.iwarranty-iwnacap.int.thezah.com.22 {
        members {
            /Integration/sat1svmap140:22 {
                address 10.45.88.103
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap141:22 {
                address 10.45.88.106
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap142:22 {
                address 10.45.88.109
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap143:22 {
                address 10.45.88.112
                monitor tcp
                session monitor-enabled
                state down
            }
        }
        monitor monitor_22
        partition Integration
    }
    Can you see the difference? Unlike the first one, this has a monitor set at the pool level and then they trump that pool monitor with a health monitor set on each pool member. In this case you never ever want a tcp health monitor on an ssh box… it will cause lots and lots of errors.
    So to remove those monitors assigned to each pool member you would run a command like this
    tmsh modify ltm pool /Integration/pool.iwarranty-iwnacap.int.thezah.com.22 members modify { /Integration/sat1svmap140:22 /Integration/sat1svmap141:22 /Integration/sat1svmap142:22 /Integration/sat1svmap143:22 { monitor default } }
  18. rev.dennis
    So we have a bunch of GTM (or BIGIP-DNS) log data in Splunk and most don't know what the heck all of these different fields mean.
    QID: Host (GMT): src: dest reply_code reply_code_id query answer answer_count message_type query_type record_type. I suppose I will take a crack at it and see if I can find explanations of each field.
    QID (query ID)
    You can trace a query and response based on the QID#
     
  19. rev.dennis
    This will be the description of the different modes.
     
     
    Topology Load Balancing Mode
    Topology is a proximity based load balancing mode that allows you to direct traffic by defining topology records and selecting the Topology load-balancing mode for the wide IP or pool. The Topology mode bases the distribution of requests on the topology records and the weighted scores configured for each record. The topology records direct DNS queries to the closest virtual server, based on geographical information. The BIG-IP DNS system is designed to support an unlimited number of topology records. The only limit is the amount of memory available to the gtmd process.
    When planning topology load balancing, you should consider the following factor:
    The BIG-IP DNS system looks up topology records in the order they appear in the Configuration utility and the configuration file. As a result, you should place more-specific topology records toward the top of the topology statement and less-specific records toward the end of the topology statement. You can change the order of existing topology records by clicking Change Order on the Topology Records page.
    Topology record format
    Topology records are stored in the bigip_gtm.conf file on the BIG-IP DNS system and are used to match a Local Domain Name System (LDNS) request with a specific destination object. A topology record has the following fields: an LDNS request source statement, a destination statement, an operator, and a weight.
    LDNS Request Source.
    The LDNS request source statement defines the origin of a name resolution request. For example, the topology statement can be defined to direct an LDNS request from a particular source to a desired destination. The LDNS source can be any of the following elements: Continent Country ISP IP subnet (CIDR format) Region (user-defined) State Geolocation ISP (12.0.0 and later) Destination
    A destination statement defines the resource to which the BIG-IP DNS system directs the incoming DNS request. For example, the topology statement can be defined to direct an LDNS request that originates from a particular source to any of the following destination elements: Continent Country Data center * ISP IP subnet (CDIR format) Pool of virtual servers Region (User-defined) State Geolocation ISP (12.0.0 and later) Operator
    An operator statement indicates whether the name resolution request matches the statement. You can select an operator for both a request source and a destination statement. For example, an operator statement can be one of the following:
    is
    is not
    Weight (score)
    The weight specifies the score that will be given to a destination object which matches the topology record. In the event that a name resolution request matches more than one topology record, the BIG-IP DNS system uses the destination object with the highest weight to determine which statement it uses to load balance the request.
    Understanding topology records matching modes and the importance of order
    The BIG-IP DNS system orders topology records based on how the records are created and whether Longest Match is enabled. Topology records are passed through in order looking for the first matching record for each possible destination. Each matching record is then evaluated to determine which destination has the highest weight. This means that if a pool contains four pool members there may be up to four matching records (one for each possible destination), at which point the weight of each is evaluated to determine which record to use.
    Longest Match (enabled)
    The Longest Match option, which is enabled by default, instructs the BIG-IP DNS system to use the topology statement that most completely matches the source IP address of the name resolution request.
    The Longest Match option ensures that the BIG-IP DNS system processes topology records as fast as possible. The system achieves this by automatically sorting the topology records so that the records that more specifically match the LDNS IP appear first in the topology list. When the Longest Match option is enabled, the BIG-IP DNS system evaluates all records in the topology statement and uses the record that most completely matches the source IP address of the name resolution request. In the event that a name resolution request matches more than one topology record, the BIG-IP DNS system uses the destination object with the highest weight (score) to determine which statement it uses to load balance the request.
    Longest Match (disabled)
    If the Longest Match option is not selected, the topology records can be manually ordered, but the method used to evaluate the topology records when choosing a match does not change.
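    The matching rules above (first matching record per destination, then highest weight, with Longest Match re-sorting records by source-subnet specificity) as an added simulation in Python. This is not F5 code; the topology records, pool names and LDNS addresses are constructed, only the "is" operator on IP-subnet sources is modelled, and ties between equal weights are not resolved the way the real gtmd process would.

```python
import ipaddress

# Constructed topology records, in the order an administrator entered them.
# Each record reads: "ldns subnet is <cidr> -> destination is <pool>, score <weight>".
TOPOLOGY_RECORDS = [
    ("10.0.0.0/8",    "pool_us_east", 10),
    ("10.20.0.0/16",  "pool_us_west", 20),
    ("10.20.30.0/24", "pool_us_east", 50),
    ("0.0.0.0/0",     "pool_eu",       5),
]

# Constructed set of possible destinations (the pools a wide IP can hand out).
DESTINATIONS = ["pool_us_east", "pool_us_west", "pool_eu"]


def order_records(records, longest_match=True):
    """Longest Match enabled: most specific source subnet first.
    Disabled: the manually configured order is used as-is."""
    if not longest_match:
        return list(records)
    return sorted(records,
                  key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
                  reverse=True)


def matching_records(records, ldns_ip, destinations, longest_match=True):
    """Walk the ordered records and keep only the FIRST matching record
    for each candidate destination, as the text describes."""
    ip = ipaddress.ip_address(ldns_ip)
    first_match = {}
    for src, dest, weight in order_records(records, longest_match):
        if dest in destinations and dest not in first_match \
                and ip in ipaddress.ip_network(src):
            first_match[dest] = (src, weight)
    return first_match


def choose_destination(records, ldns_ip, destinations, longest_match=True):
    """Among the per-destination matches, pick the highest weight (score)."""
    matches = matching_records(records, ldns_ip, destinations, longest_match)
    if not matches:
        return None
    return max(matches.items(), key=lambda kv: kv[1][1])[0]


if __name__ == "__main__":
    for lm in (True, False):
        print("Longest Match", lm, "->",
              choose_destination(TOPOLOGY_RECORDS, "10.20.30.5", DESTINATIONS, lm))
```

    With Longest Match enabled the /24 record (score 50) wins for an LDNS at 10.20.30.5; with it disabled, the /8 record is the first match for pool_us_east, so the /16 record for pool_us_west (score 20) wins instead, which is exactly why record order matters.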
  20. rev.dennis
    In the environment I work in we have Infoblox being the master, serving all records and being the owner of the domains, but we have secondary server(s), which are F5 GTMs or F5 BIG-IP DNS, that hold a copy of the records. You must create the domain on the GTM manually using a command like this:
    tmsh create ltm dns zone dev.hosangit.com dns-express-server dns-server-0 dns-express-notify-tsig-verify no
    Now you can verify it got created by running the command
    tmsh list ltm dns zone dev.hosangit.com
    It's also a good idea to check the status of the new zone to see its Availability, State and Reason by running the show command like this:
    tmsh show ltm dns zone dev.hosangit.com
    Of course, if you determine that creating the zone was a mistake, you can always delete it:
    tmsh delete ltm dns zone dev.hosangit.com
    Now if you made a mistake and queried the entry, and then you are trying to fix it but it just keeps responding with the mistake, then more than likely it's cached and you'll need to delete the cache by running
    tmsh delete ltm dns cache records rrset cache non-wideip-transparent-cache
  21. rev.dennis
    Unlike the other traditions, the Baha’i Faith is relatively young but still has much to offer to the environmental discussion. As Peter Adriance and Arthur Dahl tell us in the overview essay, “the Bahá’í appreciation for nature goes far beyond its utilitarian value, to see it as a significant source of knowledge at the spiritual level.” But the spiritual is intimately and essentially interconnected with pressing, practical concerns, as “from a Bahá’í Faith perspective, the problems of ecology and the environment cannot be separated from all the other problems facing the world today, and require a holistic integrated approach, both scientific and spiritual.” Thus, any Baha’i Faith discussion of the environment is essentially cross-disciplinary and also addresses issues of governance, economy and inequity, and material sustainability, all at both local and global levels.