Everything posted by rev.dennis
-
Ministers with experience performing other rites, especially those who have worked as wedding officiants, might be surprised by how similar planning a funeral or memorial ceremony can be. But if you’re new to these skills, don’t worry, they all get easier with practice. Remember, there’s a reason you were asked!

Meet with the deceased’s friends and family

First, meet with the deceased’s friends and family. A helpful place to begin is determining what the tone and feel of the ceremony will be. Will it be a lighthearted celebration of life, a quiet time to grieve, or something else? It’s useful to ask what the family likes (or doesn't like) about funerals or memorials in general, and which of those elements they’d like to include or avoid. Decide if it will be formal or informal, religious, spiritual, or non-religious, and if they want to include any special readings, scripture, or music. Ask if other friends and family members wish to speak at the ceremony, and how long they want the service to last.

Then, learn as much as you can about the deceased: What favorite memories do they have of the deceased? What were their proudest accomplishments and happiest moments? What music or hobbies did they love? What was their sense of humor like? How did they live their life?

If possible, ask family members to bring photos to your meeting (or other objects that remind them of their loved one) to help them share memories and to give context to the ceremony. Before the end of your meeting, make sure you know where and when the service will be held, and who will be your primary point of contact moving forward. Ask how they prefer to be contacted -- compassion is key!

Draft and practice the eulogy

Next, use all of the information you’ve gathered to draft a eulogy and ceremony script. Your script will include what you plan to say at the service and other important details, like the names and order of others who will participate (either by reading poems or scripture, performing music, or simply speaking from the heart). Your first draft will probably need some work -- that’s ok! Read the eulogy out loud to hear how it sounds when spoken. Edit and practice as needed, until your delivery is smooth and natural. Share an early draft with your point-of-contact for feedback. Make changes as needed and continue practicing. You don’t need to (and shouldn’t) memorize the speech, but the words should feel familiar and comfortable to you before the service.

Make copies of all special readings

Make a copy (or two) of any readings that are selected for the ceremony. Having your own copy is helpful because you’ll know the approximate time each person needs to speak, and you’ll have a backup copy to share in case they forget theirs. Anything you can do to make their day easier is important. They may ask you for suggestions of what to say or read. An internet search for appropriate scripture, poems to say goodbye, or heartful songs will give you many options, and you can even consider something written by the deceased’s favorite author or musician. Some people might enjoy reading works written by the deceased themselves, including letters.

Show up early

Plan to show up early -- at least 30 minutes early. Allow yourself plenty of time to help prepare for the service. Seeing you calm and collected before the ceremony will give the family peace of mind.
-
What role does a minister play at a funeral or memorial service?
rev.dennis posted an article in Funerals
The role of a minister / officiant at a funeral or memorial service is to help friends and family honor the life and death of a loved one. Ministers give friends and family an opportunity to mourn in whatever way they need to in order to heal. They do this by practicing compassion, listening carefully, and showing up prepared, ready to deliver an authentic and meaningful eulogy. Being able to gracefully navigate last minute changes, difficult emotions, and unexpected mishaps is also essential.

A good funeral requires the sensitivity and comfort only a minister can provide. Families have just lost loved ones, either tragically taken or after long illnesses. They are searching for comfort. No matter how long a person has lived or how long a family has prepared for the departure of their loved ones, it is still "too sudden" for many family members.

There are times in a minister’s life when they are called upon to comfort the family. These may be during times of disasters, senseless deaths involving crimes, the death of a child, the loss of the main provider in the home, wartime casualties, etc. Family members are often looking for answers or reasons why this has just happened, as well as seeking comfort. The role of the minister is vital during these crucial times. A minister's role is more than just speaking words of comfort; it is listening and being there when family members need a minister the most.
-
What’s the difference between a funeral, a memorial service, a viewing, and a wake?

All of these terms are common, but what do they really mean?

Memorial services are remembrances of the deceased. Bodies, caskets, and cremated remains are not present at memorials. They’re often held before or after a formal funeral or burial (or in place of a funeral service). These ceremonies are usually a mix of formal and informal elements, and can be solemn occasions or celebrations of the deceased’s life. Anyone can lead a memorial service.

Funeral services are usually formal and typically include a burial or cremation, although a funeral service might take place a day or two before the burial. Bodies, caskets, and cremated remains are present at funerals. For this reason, they almost always take place at a funeral home, cemetery, or columbarium. Because they tend to be formal, funerals are most often performed by ordained ministers and other clergy.

Wakes and viewings are informal events that allow friends and family to mourn a loved one in the presence of others. Bodies, caskets, and cremated remains are present at these events. They’re often held at the deceased’s home but sometimes take place at a funeral home. Different cultures have different traditions for wakes and viewings. For example, ancient Celtic and Irish wakes were long parties that took place over a full night. Anyone can lead a wake or viewing.
-
I am migrating from an End Of Life hardware to a new vCMP Guest and with the migration I am deploying all the applications using JSON and AS3 (through BIG-IQ). So we would like all the applications to be staged on the F5 in a disabled state and as we migrate each application with the team on the phone for verification, I just want to make the change in JSON and push to the F5 and disable the Virtual Server on the legacy EoL box and BOOM, live traffic on new box.

Why disabled state? I don't want any traffic to go to new hardware until we are ready to migrate the application.

So in JSON format all I can figure out looking through the AS3 schema is possibly changing this one setting from true to false. What it does is create everything but the virtual server if you go to the F5 itself. So the partition is created (tenant) and you'll find the pool but you won't see any virtual server.

The goal is actually to have the virtual server deployed to the F5 using JSON but have it be visible and disabled. I "thought" if the virtual server was in a disabled state then it would not be responsive but this actually isn't true as I will demonstrate below.

So I first remove the virtual server so we start with a clean slate.

Now let's go to the command prompt on the F5 and ping the IP address of the Virtual Server (in this case it's 192.168.199.22)

    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    ^C
    --- 192.168.199.22 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 4000ms

From the above ping, nothing is responding to that IP address.

Now let's deploy the Virtual Server in enabled state as shown above.

Now we get a ping response as we should

    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    64 bytes from 192.168.199.22: icmp_seq=1 ttl=255 time=0.109 ms
    64 bytes from 192.168.199.22: icmp_seq=2 ttl=255 time=0.226 ms
    64 bytes from 192.168.199.22: icmp_seq=3 ttl=255 time=0.311 ms
    ^C
    --- 192.168.199.22 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.109/0.215/0.311/0.083 ms

Now click on the checkbox to the left and click disable so the screen looks like this.

So most people's thought is if it's disabled then it shouldn't be responding, but it does

    [root@usfnt2slbco02:/S2-green-P::Active:In Sync] config # ping 192.168.199.22
    PING 192.168.199.22 (192.168.199.22) 56(84) bytes of data.
    64 bytes from 192.168.199.22: icmp_seq=1 ttl=255 time=0.201 ms
    64 bytes from 192.168.199.22: icmp_seq=2 ttl=255 time=0.242 ms
    64 bytes from 192.168.199.22: icmp_seq=3 ttl=255 time=0.232 ms
    64 bytes from 192.168.199.22: icmp_seq=4 ttl=255 time=0.259 ms
    ^C
    --- 192.168.199.22 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2998ms
    rtt min/avg/max/mdev = 0.201/0.233/0.259/0.026 ms

The solution is to change that setting in the AS3 from

    "enable": true,

to

    "enable": false,

Then save and deploy and your virtual server will be gone and it's no longer pingable.
-
Identify SSL Profile with Virtual Server
rev.dennis commented on wildweaselmi's blog entry in F5 Blog
This is a great article on the F5 Community site explaining SSL and how it's used on the F5 for applications
https://community.f5.com/t5/technical-articles/client-ssl-authentication-on-big-ip-as-in-depth-as-it-can-go/ta-p/281020
Client SSL Authentication on BIG-IP in-depth_portrait.pdf
-
Yesterday Deb Dickson was like everyone else, doing the laundry, making dinner and went to bed thinking of what needs to be done the next day to keep her family going. During the night Deb got a brain aneurysm which is a bulge or ballooning in a blood vessel in the brain which ruptured and the doctors declared her brain dead. BELOW, reply and share a fond memory you have to spread what a wonderful person she was to those that may not have known your relationship with her.
-
Need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5s running AWAF.

First, setting up logging was pretty easy to do:

System Tab – Audit Log Syslog Servers
Enter NAME and IP address of syslog servers and TCP 514.

NOTE: I tried the newer rfc5424 and got nothing in Splunk so have to leave the old school rfc3164

Next, found some interesting articles:
https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-security-5-4-0/22.html
-
So you are in BIG-IQ and for some reason or another BIG-IQ is asking for you to remove the device and add it back in to re-establish trust but wait.. you can’t because Applications are linked to that device. Here are some steps to follow to remove an application.

So say you are trying to remove the LTM service from a device and it's saying you can’t remove the device because this application is linked to it:

    t_10.47.32.9_openpagescc-dev.int.thezah.com._app

So you need to find the configSetName so you can search on BIG-IQ

    restcurl /cm/global/config-sets | jq '.items[] | {configSetName,selfLink}'

Once you find the configSetName you can force remove it by running the following command

    restcurl /cm/global/tasks/force-delete -X POST -d '{"configSetName":"t_10.47.32.9_openpagescc-dev.int.thezah.com._app"}'

Now if you have multiple to do you can cheat a little bit but it's still a pain in the ass…

    setname=t_10.47.32.9_openpagescc-dev.int.thezah.com._app
    restcurl /cm/global/tasks/force-delete -X POST -d "{\"configSetName\":\"${setname}\"}"

So when it completes and you get the next one that has an issue you just update

    setname=t_103841_dev1_abms_pdev3_int_thezah_com_https_app

and up arrow to run the following again:

    restcurl /cm/global/tasks/force-delete -X POST -d "{\"configSetName\":\"${setname}\"}"

Did you know that every F5 has a unique code which can be found when you run the following

    cat f5-rest-device-id

Sometimes it's helpful to know what the UUID is for the F5 device.
-
Trying to upload a file that got aborted previously either because of a loss of connection or navigating away from the page while uploading (it happens). So when you try and upload again you get an error message like this What is the answer? What can you do? Well just ssh to the BIG-IQ CM device and navigate to /shared/images/tmp There you will, more than likely, find the partial image that was trying to upload. Just delete it and go back to the GUI and try again. AND if that doesn’t work, no worries.. just manually upload the .iso file to /shared/images and check in the GUI later to see if it shows up.
-
Here are some commands you can use to troubleshoot connections on your F5.

The following command shows how many active connections the F5 has in total, broken out by Client and Server.

    tmsh show sys performance connections

    Sys::Performance Connections
    ---------------------------------------------------------------------------
    Active Connections             Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    Connections                      11.9K    12.4K    15.0K
    ---------------------------------------------------------------------------
    Total New Connections(/sec)    Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    Client Connections                 648      617      770
    Server Connections                 599      570      729
    ---------------------------------------------------------------------------
    HTTP Requests(/sec)            Current  Average  Max(since 03/02/14 08:13:41)
    ---------------------------------------------------------------------------
    HTTP Requests                      156      633     1.4K

Below are some more helpful commands.

MAX Connections per VS:

    tmsh show sys connection | egrep -v 'T|S' | awk '{print $2}' | sort -n | uniq -c | sort -n

MAX Connections per VIP:

    tmsh show sys connection | egrep -v 'T|S' | awk '{print $2}' | cut -d: -f 1 | sort -n | uniq -c | sort -n

If you run the following command you get a large list of connections

    tmsh show sys connection
    Really display 1000 connections? (y/n) y
    Sys::Connections
    10.47.194.102:41570  10.47.44.6:8  10.47.194.102:41570  10.47.44.6:8  icmp  201  (slot/tmm: 1/2)  none  none
    10.47.197.70:33222  10.47.37.138:8  10.47.197.70:33222  10.47.37.138:8  icmp  11  (slot/tmm: 1/2)  none  none
    10.46.129.142:13725  10.47.32.217:443  10.47.34.22:49598  10.46.129.142:7020  tcp  3  (slot/tmm: 1/2)  none  none

So what does each column represent?

    [cs-client-addr:cs-client-port] [cs-server-addr:cs-server-port] [ss-client-addr:ss-client-port] [ss-server-addr:ss-server-port] [Protocol] [Age] [Slot/TMM] [PVA Acceleration]

    cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
    Computer IP & PORT            | Virtual Server IP & PORT      | SNAT IP & PORT                | Server IP & PORT

Client Side

    cs-client-addr:cs-client-port    Computer IP:Computer Port
    cs-server-addr:cs-server-port    F5 VirtualIP:F5 VirtualPort

Server Side

    ss-client-addr:ss-client-port    F5 SNATip:F5 SNATport
    ss-server-addr:ss-server-port    F5 POOLmember:F5 POOLmemberPORT

Show connections from User (10.34.168.176) to Virtual Server (10.47.196.154)

    tmsh show sys connection cs-server-addr 10.47.196.154 cs-server-port 80 | grep 10.34.168.176

Delete Connections on Virtual Server (10.47.196.154)

    tmsh delete sys conn cs-server-addr 10.47.196.154

This is what I use if I want to find the addresses that are using a certain SNAT IP address, because I can’t count how many times we get a call from our help desk saying they have an issue and it shows the source IP is the F5, and they provide us an IP address from the SNAT Pool.

EXAMPLE: They provide us SNAT address 10.46.66.57 so I will run

    tmsh show sys connection ss-client-addr 10.46.66.57

You can also try and do a tcpdump but it doesn’t seem to ever work

    tcpdump -nni 0.0 host 10.46.66.57
-
So Health Monitors are a big deal to ensure your pool members are up and working. Obviously a health monitor tells whether a pool member is up or down and when it's down the pool won’t send any traffic to that pool member.

Now you can assign health monitors two different ways. The right way and the wrong way but sometimes the wrong way is the right way but not the majority of the time… it's more of a custom thing. Let me explain further.

Example of a pool health monitor

    ltm pool /Integration/pool.cs-inspire-batch-cap.int.thezahcom.ssh {
        load-balancing-mode least-connections-member
        members {
            /Integration/10.45.89.242:22 {
                address 10.45.89.242
                session monitor-enabled
                state up
            }
            /Integration/10.45.89.243:22 {
                address 10.45.89.243
                session monitor-enabled
                state up
            }
        }
        monitor monitor_22
        partition Integration
    }

Here is an example of the “custom” or incorrect way

    ltm pool /Integration/pool.iwarranty-iwnacap.int.thezah.com.22 {
        members {
            /Integration/sat1svmap140:22 {
                address 10.45.88.103
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap141:22 {
                address 10.45.88.106
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap142:22 {
                address 10.45.88.109
                monitor tcp
                session monitor-enabled
                state down
            }
            /Integration/sat1svmap143:22 {
                address 10.45.88.112
                monitor tcp
                session monitor-enabled
                state down
            }
        }
        monitor monitor_22
        partition Integration
    }

Can you see the difference? Unlike the first one, this has a monitor set at the pool level and then they trump that pool monitor with a health monitor set on each pool member. In this case you never ever want a tcp health monitor on ssh box… it will cause lots and lots of errors.

So to remove those monitors assigned to each pool member you would run a command like this

    tmsh modify ltm pool /Integration/pool.iwarranty-iwnacap.int.thezah.com.22 members modify { /Integration/sat1svmap140:22 /Integration/sat1svmap141:22 /Integration/sat1svmap142:22 /Integration/sat1svmap143:22 { monitor default } }
-
Here are some useful commands I use to troubleshoot the Viprion chassis.

Check the state of all the vCMP Guests

    [root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show /vcmp health prompt
    -------------------------------------------------
    Vcmp::Guest Prompt
    Name           Slot ID  Prompt
    -------------------------------------------------
    txsat1slbco02  1        /S1-green-P::Standby
    txsat1slbco12  3        /S3-yellow-P::avrd DOWN
    txsat1slbco14  4        /S4-red-P::INOPERATIVE
    txsat1slbco16  2        /S2-red-P::INOPERATIVE
    txsat1slbco22  3        /S3-yellow-P::INOPERATIVE
    txsat1slbco24  4        /S4-green-P::avrd DOWN
    txsat1slbco26  2        /S2-yellow-P::INOPERATIVE
    txsat1slbco32  3        /S3-yellow-P::INOPERATIVE
    txsat1slbco34  4        /S4-yellow-P::INOPERATIVE
    txsat1slbco36  4        /S4-red-P::INOPERATIVE
    txsat1slbdv04  1        /S1-green-P::Standby

When you need to bring down all the vCMP Guests (helpful when you need to upgrade the Viprion chassis)

    tmsh modify vcmp guest all state configured

And when the Viprion chassis is restored and you want to bring all vCMP Guests back online you can run

    tmsh modify vcmp guest all state deployed

You can do individual vCMP Guests in the event you don’t want all of your Guests

    tmsh modify /vcmp guest txsat1slbco11 state configured
    tmsh modify /vcmp guest txsat1slbco11 state deployed

At times, you may need to reboot the slots

    tmsh reboot slot all

A more aggressive way to reboot the chassis and slots

    clsh shutdown -r now

If you need to just reboot one slot you can run the following to identify what slot you are on

    bladectl -g slot

Then to reboot individual slots/blades you run the following (here, to reboot blade 1)

    bladectl -b 1 -r

REF: https://devcentral.f5.com/questions/right-procedure-to-shutdown-a-viprion-system-with-vcmp

Identify large files on the Viprion by running this command

    find /var/log -xdev -type f -exec du {} \; | sort -rn | head -10

To release files you need to restart services

    tmsh stop /sys service avrd monpd
    tmsh start /sys service avrd monpd
    tmsh start /sys service vcmpd

And to verify everything is back up and running

    [root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show sys cluster
    -----------------------------------------
    Sys::Cluster: default
    -----------------------------------------
    Address                 10.46.136.190/23
    Alt-Address             ::
    Availability            available
    State                   enabled
    Reason                  Cluster Enabled
    Primary Slot ID         1
    Primary Selection Time  03/04/21 20:58:51

      -------------------------------------------------------------------------------------------
      | Sys::Cluster Members
      | ID  Address        Alt-Address  Availability  State    Licensed  HA      Clusterd  Reason
      -------------------------------------------------------------------------------------------
      | 1   10.46.136.191  ::           available     enabled  true      active  running   Run
      | 2   10.46.136.192  ::           available     enabled  true      active  running   Run
      | 3   10.46.136.193  ::           available     enabled  true      active  running   Run
      | 4   10.46.136.194  ::           available     enabled  true      active  running   Run

more to come
-
Solarwinds is Windows based. The need is to leverage F5 to load balance Solarwinds across two different data centers and this topic is to discuss how we could do this with either GTM using a WideIP or LTM or both.

We have a main polling/web engine and have 2 additional Web Engines. We are currently balancing over the 2 additional Web Engines with F5 BIG-IP DNS (aka: GTM). The GTM WideIP has a single pool containing the two additional Web Engines as its pool members. Note that I don’t include the main poller/web engine in the webGui pool but leave it with as many resources as possible for its polling.

We use the Static Persist LB method on the pool to ensure users maintain the same resolved IP address and do not resolve the other pool member. This is necessary if you want to avoid having to re-login mid session because you ‘landed’ on the alternate pool member. The Web Engines are not clustered and are unique entities so there is no persistence across the Web Engines.

The Static Persist LB method means that when a DNS server resolves an IP, that same IP will be resolved indefinitely when requested by that same DNS server. Since the majority of our users utilize the same DNS server, we have found that we don’t get much of a balance and one of our Web Engines sits mostly idle. We have learned that 25 concurrent sessions is the suggested max for connections to any particular Web Engine. That does not mean 25 users but 25 open tabs/sessions (at least that was my interpretation). With better LB methodology, this will increase to 50 concurrent connections balanced over the 2 Web Engines.

Our solution will be to create an LTM Virtual Server that listens on a vIP and proxies, via round-robin LB method, the client browsers to the Web Engines and gives a better balance as the LB would be per client (LTM method) and not per DNS server (GTM method). The LTM method would use cookie persistence to ensure any particular session is sticky/persisted to the same Web Engine.

With either method (GTM or LTM LB), if clients knew the true IP/hostname of the Web Engines, they could still pick a specific one to connect to and would (obviously) persist to the one they choose. Of course, your corporate FW would have to allow traffic to the Web Engines and not limit to only the LTM vIP.

The NetScaler can be set up in a similar fashion to the LTM method. A vIP on the NetScaler could balance client browsers with cookie persistence across any number of Web Engine hosts.
-
In the environment I work in we have Infoblox being the master, serving all records and is the owner of the domains but we have a secondary server(s) which are F5 GTMs or F5 BIG-IP DNS, that hold a copy of the records but you must create the domain on the GTM manually using a command like this

    tmsh create ltm dns zone dev.hosangit.com dns-express-server dns-server-0 dns-express-notify-tsig-verify no

Now you can verify it got created by running the command

    tmsh list ltm dns zone dev.hosangit.com

It's also a good idea to check the status of the new zone to see its Availability, State and Reason by running the show command like this

    tmsh show ltm dns zone dev.hosangit.com

Of course if you determine that creating the zone was a mistake you can always delete it

    tmsh delete ltm dns zone dev.hosangit.com

Now if you made a mistake and queried the entry and then you are trying to fix it but it just keeps responding with the mistake then more than likely it's cached and you'll need to delete the cache by running

    tmsh delete ltm dns cache records rrset cache non-wideip-transparent-cache
-
It's quite difficult to troubleshoot traffic issues when a SNAT is assigned from a pool since it's random and changes every time a new connection is established. Below are some hints on how to IDENTIFY what SNAT is assigned to the traffic using tmsh show sys connection.

SNAT stands for Source Network Address Translation.

IDENTIFY what SNAT is assigned to the traffic from user source IP 74.32.5.21 (typically you don't want to specify source port since it's randomly generated)

    tmsh show sys connection cs-client-addr 74.32.5.21

IDENTIFY what SNAT is assigned to the traffic on virtual server 10.47.196.154 on port 80

    tmsh show sys connection cs-server-addr 10.47.196.154 cs-server-port 80

IDENTIFY what SNAT is assigned to traffic destined for pool member 10.40.144.18 over port 443

    tmsh show sys connection ss-server-addr 10.40.144.18 ss-server-port 443

Explanation of columns when running tmsh show sys connection

    cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
    Computer IP & PORT            | Virtual Server IP & PORT      | SNAT IP & PORT                | Server IP & PORT
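
Both this post and the connection-troubleshooting post above read the same four address columns by eye; the following is an added example (not the author's code) that applies that column layout with awk to answer "who is behind this SNAT address" and "connections per virtual server". The sample rows are constructed in the layout shown on the page, and the filter assumes IPv4 `addr:port` fields.

```shell
#!/bin/sh
# Added example: summarise `tmsh show sys connection` output.
# Column layout, as explained in the post:
#   $1 cs-client (user)   $2 cs-server (virtual server)
#   $3 ss-client (SNAT)   $4 ss-server (pool member)   $5 protocol

# Constructed sample rows (not captured from a real device).
sample_connections() {
cat <<'EOF'
Sys::Connections
10.34.168.176:51514  10.47.196.154:80  10.46.66.57:23011  10.40.144.18:443  tcp  3  (slot/tmm: 1/2)  none  none
10.34.168.176:51520  10.47.196.154:80  10.46.66.58:40112  10.40.144.19:443  tcp  12  (slot/tmm: 1/1)  none  none
10.34.170.9:49822  10.47.196.154:80  10.46.66.57:18200  10.40.144.18:443  tcp  41  (slot/tmm: 1/2)  none  none
10.47.197.70:33222  10.47.37.138:8  10.47.197.70:33222  10.47.37.138:8  icmp  11  (slot/tmm: 1/2)  none  none
Total records returned: 4
EOF
}

# Keep only connection rows: headers, prompts and the trailing summary
# line do not start with an IPv4 addr:port field and are dropped.
# An optional %N route-domain suffix on the address is tolerated.
conn_rows() {
    awk 'NF >= 5 && $1 ~ /^[0-9.]+(%[0-9]+)?:[0-9]+$/ && $4 ~ /:[0-9]+$/'
}

# Who is behind a SNAT address?
# Output: "client_ip virtual_server pool_member connection_count"
snat_clients() {
    conn_rows | awk -v snat="$1" '
        { split($1, cs, ":"); split($3, ss, ":") }
        ss[1] == snat { n[cs[1] " " $2 " " $4]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Connections per virtual server (cs-server addr:port), busiest first.
conns_per_vs() {
    conn_rows | awk '{ n[$2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Demo on the constructed sample; on the F5, pipe the real
# `tmsh show sys connection` output into the same functions.
echo "Clients translated to SNAT 10.46.66.57:"
sample_connections | snat_clients 10.46.66.57
echo "Connections per virtual server:"
sample_connections | conns_per_vs
```

Unlike the `egrep -v 'T|S'` filter, `conn_rows` keeps a row only when its first field is an address and port, so header and summary lines cannot leak into the counts.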
-
I got this request that stated: Increase the tcp timeout client to 7 mins.

This is out of the norm for requests so I figured I would share my findings in the event anyone else might run into this same thing.

So if you don't do anything and just apply the standard tcp protocol profile the timeout is 5 minutes. Do I trust that the user knows that they need exactly 7 minutes for a timeout? No, so I utilize an existing tcp protocol profile called tcp.15.minutes which just increases the timeout to 900 seconds (or 15 min).

Now you apply it to your Virtual Server.. if it's not standard you probably won't be able to apply the profile.

Set persistence timeout to slightly higher than the tcp timeout (if tcp timeout = 15 min, set LB persistence timeout to 20 minutes). This will ensure that user requests are pinned to the same app server for the duration of the session.
-
Here is a great intro video on how to use BIG-IQ to run bash scripts on F5 devices that BIG-IQ manages
-
This short article explains how User Management works for the EventGuyZ system used for Mid-America Festivals.

MAIN SITE is this site (https://eventguyz.com), which is where users should all be registered. Once the EventGuyZ staff is made aware of the new MAF user, they get added to a group on this website called MAF_Staff or MAF_Managers.

What's the difference?

MAF_Staff will allow access to the Mid-America Festivals Staff Service/Group that provides visibility into how to perform certain functions from a Count Room and/or Box Office standpoint.

MAF_Managers are typically from headquarters and/or Manager of Box Office or Count Room. So they need access to the Mid-America Festivals Mgmt Service/Group, which helps them with their duties.

Now that you have all the users registered on https://EventGuyZ.com and you have informed EventGuyZ staff of their role with MAF, so the staff knows how to properly assign them to the necessary Service/Group, they are ready for the next step of authentication.

EventGuyZ is broken up into two main types of websites:

Main Website that handles all the users in one place as well as provides helpful information to do the job at a general level.

Child Websites that are assigned to each show/festival. They utilize the authentication from the main website, which means that the password and email you have configured on the main website is what you use on the child sites.

    BaRF (https://barf.eventguyz.com)
    KCRF (https://kcrf.eventguyz.com)
    MiRF (https://mirf.eventguyz.com)
    MnRF (https://mnrf.eventguyz.com)
    StRF (https://strf.eventguyz.com)

When someone from the Main Website logs into a Child Website, an EventGuyZ staff member will need to log into that website and approve the user (just the first time) and assign them access to the area they need. Below are the Groups you will find on every one of Mid-America's Child Websites:

    MAF_BO_mgr (this is where you put your Box Office Managers and Assistant Managers that require elevated access to the Box Office system)
    MAF_CR_member (this is your money counters, they are processing the envelopes that are coming in to be entered into the Money Tracker app)
    MAF_CR_mgr (this is the Count Room manager that needs more access than a CR member since they will need to edit incorrectly entered transactions, run reports, etc)
    MAF_Managers (this is for Headquarters and people that travel to the shows like Ryan that could be coming into a show to back up a BO mgr or CR mgr so they need access to everything)
    MAF_Office (this is for office staff that needs the ability to add items into the Box Office system like Will Call or add tickets, discounts, coupons)

So you never need to create a user on the Child Websites.. it will happen automatically as long as they have an account on the main website (https://eventguyz.com)
-
So when a change is done on an F5 that is part of a device group (making it HA) the box will display Changes Pending until sync'd.

You can use tmsh to show the most recent changes to a device group by running the following command. You can identify the device-group by simply typing

    tmsh show /cm sync-status

    tmsh show cm device-group <device_group>

These are the two entries to pay attention to:

    CID Time (UTC)    2019-Mar-27 10:07:21
    LSS Time (UTC)    2019-Mar-27 09:30:41

You can check logs for what changes may have been made. Using the output from the previous procedure, search the log file for changes that occurred between 09:30:41 and 10:07:21 on March 27 2019. If the device is a standalone and not part of a pair and you know the time of the last approved change, then use that time.

    cat /var/log/audit | sed -n -e '/Mar 27 10:01:02/,$p'
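
The `sed` range above prints from one exact timestamp to the end of the file; as an added example (not from the original post), the filter below keeps only audit lines inside the LSS-to-CID window and then lists who ran which create/modify/delete command. The log lines, hostname, users and object names are constructed; the syslog timestamps carry no year and are in the device's local time, so the example assumes the device clock is UTC or that the window has been converted.

```shell
#!/bin/sh
# Added example: narrow /var/log/audit to the window between the last
# successful sync (LSS Time) and the latest change (CID Time).

# Constructed sample in the tmsh audit line layout (not real log data).
sample_audit() {
cat <<'EOF'
Mar 27 09:12:03 bigip1 notice tmsh[18822]: 01420002:5: AUDIT - pid=18822 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
Mar 27 09:41:17 bigip1 notice tmsh[20311]: 01420002:5: AUDIT - pid=20311 user=jdoe folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm pool pool_web members add { 10.1.20.15:80 }
Mar 27 09:58:40 bigip1 notice tmsh[20544]: 01420002:5: AUDIT - pid=20544 user=jdoe folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys connection
Mar 27 10:01:02 bigip1 notice tmsh[20790]: 01420002:5: AUDIT - pid=20790 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=delete ltm virtual vs_old
Mar 27 10:15:30 bigip1 notice tmsh[21001]: 01420002:5: AUDIT - pid=21001 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys db ui.system.preferences.recordsperscreen value 50
EOF
}

# audit_between "Mon DD HH:MM:SS" "Mon DD HH:MM:SS" < logfile
# Prints lines whose timestamp lies inside the inclusive window.
# Each timestamp becomes a sortable string key (MMDDHH:MM:SS); the
# window must not cross a year boundary because syslog omits the year.
audit_between() {
    awk -v start="$1" -v end="$2" '
        function key(mon, day, hms,    m) {
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
            return sprintf("%02d%02d%s", m, day, hms)
        }
        BEGIN {
            split(start, s, " "); lo = key(s[1], s[2], s[3])
            split(end, e, " ");   hi = key(e[1], e[2], e[3])
        }
        { k = key($1, $2, $3) }
        k >= lo && k <= hi'
}

# Reduce audit lines to configuration changes only.
# Output: "HH:MM:SS user command"; read-only commands (show, list, save)
# are dropped.
audit_changes() {
    awk '/AUDIT/ && match($0, /cmd_data=(create|modify|delete) .*/) {
            cmd = substr($0, RSTART + 9, RLENGTH - 9)   # skip "cmd_data="
            user = "?"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) user = substr($i, 6)
            print $3, user, cmd
        }'
}

# Demo with the window from the post (LSS 09:30:41, CID 10:07:21).
sample_audit | audit_between "Mar 27 09:30:41" "Mar 27 10:07:21" | audit_changes
```

On a device the same pipeline reads the real file, for example `audit_between "Mar 27 09:30:41" "Mar 27 10:07:21" < /var/log/audit | audit_changes`.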
-
Here are some options if you lose internet:

1. Start a hotspot (your phone, iPad, tablet)
2. Connect your laptop to the hotspot and verify you are on the internet by going to a website you haven't been to in a while
3. Plug the white network adapter into your laptop via the Thunderbolt port
4. On your Mac, click Settings - Sharing - Internet Sharing (Share your connection from WiFi, To computers using Thunderbolt Ethernet) and make sure on the left Internet Sharing is checked.
5. Unplug port 1 on the Netgear GS105 and plug a cable from your laptop to port 1 on the Netgear GS105
6. NOW you will have to restart any credit card terminal (so they get an IP Address from your phone / laptop instead of the Comcast Router/modem)

Note: Printer will also need to be rebooted before it begins working.

Of course to switch back to Comcast, you'll have to just reverse the process:

1. unplug your laptop / phone from port 1 on the Netgear GS105
2. plug the blue cable into port 1 that comes from the office (probably the only loose (not connected) cable laying around)
3. restart credit card machines and printer

Make sure you turn off the hotspot on your phone, iPad, tablet so you aren't getting charged.

FYI: The NetGear GS105 is used as the hub for all the connections

    PORT 1 = Count Room (Comcast Link)
    PORT 2 = Linksys WAP (EventGuyz-Box)
    PORT 3 = Connection to the TopLink TK-1008G switch all the credit card machines are plugged into
    PORT 4 = Brandon WiFi
    PORT 5 = OPEN
-
Utilize BIG-IQ to update admin & root passwords on all F5 Devices
rev.dennis posted a blog entry in F5 Blog
With the F5 BIG-IQ tool you can update the admin and root passwords for all the devices you manage, or just a select few, and it's fast and very easy to do.

When you manage BIG-IP devices from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time.

Note: You can change the passwords for several BIG-IP devices simultaneously only if they have the same password.

Important: The passwords for the BIG-IP devices you select must all be identical.

1. At the top of the BIG-IQ GUI, click the Devices tab.
2. On the left, click PASSWORD MANAGEMENT > Change Device Passwords.
3. Near the top of the screen, click the Create button.
4. In the Name and Description fields, type a name and optional description to help you identify this task.
5. From the Available list, select devices and move them to the Selected list.
6. Select an option for the Change Password setting.
7. Provide the old and new passwords, as required.
8. Click the Run button at the bottom of the screen.

BIG-IQ will apply the new password to all of the selected BIG-IP devices. You can view the status of this task from the Change Device Passwords screen.

REFERENCE: https://support.f5.com/csp/article/K25546160
-
this will be the description of the different modes

Topology Load Balancing Mode

Topology is a proximity-based load balancing mode that allows you to direct traffic by defining topology records and selecting the Topology load-balancing mode for the wide IP or pool. The Topology mode bases the distribution of requests on the topology records and the weighted scores configured for each record. The topology records direct DNS queries to the closest virtual server, based on geographical information. The BIG-IP DNS system is designed to support an unlimited number of topology records. The only limit is the amount of memory available to the gtmd process.

When planning topology load balancing, you should consider the following factor: The BIG-IP DNS system looks up topology records in the order they appear in the Configuration utility and the configuration file. As a result, you should place more-specific topology records toward the top of the topology statement and less-specific records toward the end of the topology statement. You can change the order of existing topology records by clicking Change Order on the Topology Records page.

Topology record format

Topology records are stored in the bigip_gtm.conf file on the BIG-IP DNS system and are used to match a Local Domain Name System (LDNS) request with a specific destination object. A topology record has the following fields: an LDNS request source statement, a destination statement, an operator, and a weight.

LDNS Request Source

The LDNS request source statement defines the origin of a name resolution request. For example, the topology statement can be defined to direct an LDNS request from a particular source to a desired destination. The LDNS source can be any of the following elements:

  Continent
  Country
  ISP
  IP subnet (CIDR format)
  Region (user-defined)
  State
  Geolocation ISP (12.0.0 and later)

Destination

A destination statement defines the resource to which the BIG-IP DNS system directs the incoming DNS request.
For example, the topology statement can be defined to direct an LDNS request that originates from a particular source to any of the following destination elements:

  Continent
  Country
  Data center *
  ISP
  IP subnet (CIDR format)
  Pool of virtual servers
  Region (user-defined)
  State
  Geolocation ISP (12.0.0 and later)

Operator

An operator statement indicates whether the name resolution request matches the statement. You can select an operator for both a request source and a destination statement. For example, an operator statement can be one of the following:

  is
  is not

Weight (score)

The weight specifies the score that will be given to a destination object which matches the topology record. In the event that a name resolution request matches more than one topology record, the BIG-IP DNS system uses the destination object with the highest weight to determine which statement it uses to load balance the request.

Understanding topology records matching modes and the importance of order

The BIG-IP DNS system orders topology records based on how the records are created and whether Longest Match is enabled. Topology records are passed through in order looking for the first matching record for each possible destination. Each matching record is then evaluated to determine which destination has the highest weight. This means that if a pool contains four pool members there may be up to four matching records (one for each possible destination), at which point the weight of each is evaluated to determine which record to use.

Longest Match (enabled)

The Longest Match option, which is enabled by default, instructs the BIG-IP DNS system to use the topology statement that most completely matches the source IP address of the name resolution request. The Longest Match option ensures that the BIG-IP DNS system processes topology records as fast as possible.
The system achieves this by automatically sorting the topology records so that the records that more specifically match the LDNS IP appear first in the topology list. When the Longest Match option is enabled, the BIG-IP DNS system evaluates all records in the topology statement and uses the record that most completely matches the source IP address of the name resolution request. In the event that a name resolution request matches more than one topology record, the BIG-IP DNS system uses the destination object with the highest weight (score) to determine which statement it uses to load balance the request.

Longest Match (disabled)

If the Longest Match option is not selected, the topology records can be manually ordered, but the method used to evaluate the topology records when choosing a match does not change.
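The evaluation rule described above (first matching record per destination, then highest weight wins) as an added Python example, which is not F5 code or part of the original post. It models only the "is" operator with IP-subnet sources and pool destinations, treats Longest Match as a sort by subnet prefix length (an assumption), and uses constructed records and field names.

```python
import ipaddress

# Constructed records in their configured (manual) order. The broad /8
# record sits above the more specific /16 records on purpose.
RECORDS = [
    {"src": "10.0.0.0/8",   "dst": "pool_east", "weight": 10},
    {"src": "10.20.0.0/16", "dst": "pool_east", "weight": 50},
    {"src": "10.20.0.0/16", "dst": "pool_west", "weight": 30},
]
DESTS = ["pool_east", "pool_west"]

def source_matches(rec, ldns_ip):
    """LDNS source 'is' the record's IP subnet."""
    return ipaddress.ip_address(ldns_ip) in ipaddress.ip_network(rec["src"])

def order_records(records, longest_match):
    if not longest_match:
        return list(records)  # manual order is kept as configured
    # Assumption: "more specific" is modelled as a longer subnet prefix.
    return sorted(records,
                  key=lambda r: -ipaddress.ip_network(r["src"]).prefixlen)

def pick_destination(records, ldns_ip, destinations, longest_match=True):
    """Return (winning destination, score per destination)."""
    ordered = order_records(records, longest_match)
    scores = {}
    for dst in destinations:
        for rec in ordered:
            if rec["dst"] == dst and source_matches(rec, ldns_ip):
                scores[dst] = rec["weight"]  # first match for this destination
                break
    if not scores:
        return None, scores  # no topology record matched at all
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    for lm in (False, True):
        print("longest_match=%s ->" % lm,
              pick_destination(RECORDS, "10.20.5.5", DESTS, longest_match=lm))
```

With the manual order the broad /8 record is the first match for pool_east and scores it 10, so pool_west wins with 30. With the records sorted most-specific first, pool_east scores 50 and wins. This is why more-specific records belong toward the top when Longest Match is disabled.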
-
The disadvantage of going with 8' panels (which have three 2x4's with around 17 dog ear boards) is they are set for a completely even ground and many landscapes aren't exactly even.
-
Our friends need help to build a privacy fence since they are getting crazy high quotes of tens of thousands of dollars to build a simple privacy fence. Here are the basics on how I attack building a privacy fence.

Getting Started

Preparation

  mark out where your fence is going
  call Miss Dig to make sure you aren't going to hit any underground wiring
  get a building permit from your city
  measure the total area (length of each leg) to help price out material

Gather tools and material

To dig a post hole and set a post in concrete, you’ll need some tools:

  Post hole digger or power auger (the towable auger at Home Depot is roughly $124/day and can be operated by one person and saves your back)
  Cordless drill
  Screws (2" deck screws for a 5lb box around $30/box and the 1-1/4" deck screws for a 5lb box run around $30)
  Hammer
  Box Level
  Tape Measure
  Flat Shovel
  Bucket/wheelbarrow to mix concrete in
  Heavy String (500ft is around $10)
  Quick-set concrete (an 80lb bag should cover 2-3 posts on avg and costs around $5/bag)
  Access to water
  Wooden Stakes (used to mark out the fence line, today's cost for a 12 pack of 1 in. x 2 in. x 2 ft runs around $7)
  4x4 8' pressure treated boards
  2x4 8' pressure treated boards
  6" x 6' Dog Ear fence boards

Mark your fence run

The first step to any fence project is marking the exact location of your fence run. To do this, drive stakes into the ground at the corners and ends of your fence run. Stretch heavy string between the stakes and pull tight. This string line will help you set your fence posts in a straight line.

Mark your post hole locations

Next, you’ll want to mark your post hole locations along the string line. Post hole spacing is dependent on the width of your fence panels and the method by which you are attaching them to the posts. Typical post spacing is 6-7 feet, but can vary depending on the width of the fence panel. I don't like going past 7' since you'll start noticing the fence sagging over time.
There are two main methods for attaching the fence panels to the posts – Face Mount or Between the Posts. For our fence we are going with Between the Posts since it incorporates the 4x4 posts and makes the fence look good from either side.

Start digging

Now that we’ve marked our post locations, it’s time to start digging. In general, the post hole should be one third as deep as the fence is tall. So, if you’re installing a 6-foot tall fence, your 8' post hole should be at least two feet deep. You’ll also want to be sure the bottom of the post sits below the frost line. The hole is typically 6" wide by 2' deep.

You can use a post hole digger or power auger to dig the hole. A post hole digger is a manual tool and will get the job done in average soil. If you have hard, rocky soil or a lot of roots – you may want to opt for a power auger. Many home improvement stores have them available for rent.

Set posts in holes

Set your post in the hole. Check for plumb and make sure the front of the post is just touching the string line. This will help you set your fence posts in a straight line. Having a friend help you will make this much easier. Pour the quick-setting concrete mix directly into the hole and pour water on top. Mix it up with a shovel in the hole, which will simultaneously remove air pockets. Once the concrete is thoroughly mixed, push some soil back on top of it. Re-check that your post is plumb.

NOTE: I will use a wheelbarrow to mix my concrete to a peanut butter consistency. With a hose I'll wet the bottom sides of the 4x4 that is in the hole and then start shoveling the concrete from the wheelbarrow into the hole with my flat shovel, using a stick or the handle end of the shovel to stab the concrete in an attempt to remove any air pockets. Then once I verify the post is plumb/level on the two sides, I'll pack the concrete by using my hand (with a glove) and then covering it with dirt.
Pause for concrete to set

Typically I like to wait for 12 hours after pouring concrete in the holes to let the concrete set and harden. It's no good to have done all that work to have your posts move on you while you are trying to install the dog ears.

Mark 4x4's

On each 4x4, from the ground up, measure 12" and mark. Measure 38" from bottom of 4x4 and mark. Measure 64" from bottom and mark. You'll want to see these marks on the inside of each of the 4x4's (the side that is facing the next 4x4).

Install Rail Brackets

Since we are going Between the Posts for a cleaner look, we utilize Galvanized Rail Brackets that we attach to the inside of the 4x4's (bottom of rail bracket on the lines you marked at 12, 38 and 64" from the ground). Place the rail bracket with the bottom of the bracket touching the marked line and put one screw in at the top of the rail bracket. Using a level, measure vertically to make sure it's straight up and down and run another 2" wood deck screw in the bottom of the rail bracket. Continue this until you have three rail brackets on each side of every 4x4. Again, you should be using 2" Wood Deck Galvanized Screws (they don't rust).

Attach Pressure Treated 2x4s in Rail Brackets

Measure the length between 4x4 to 4x4 and cut three 2x4s to length and slide into Rail Brackets and fasten 2x4 to rail bracket using 1-1/4" Wood Deck Screws.

Run Guide String 4x4 to 4x4

Using that heavy duty string, run from top of 4x4 to top of 4x4 so you know how high your dog ear boards go (never higher and never lower). To attach the string you can put a screw in the top of the 4x4 and wrap the string around the screw, then tighten the screw.

Attach dog ear boards

There are two major kinds of dog ear boards. The inexpensive pine at today's prices in Michigan is around $2.50 a board, but typically when you see a privacy fence that looks dirty it's the pine, since it doesn't weather well but looks great for the first year.
Another choice is to use the more expensive cedar at around $4/board here in Michigan at today's prices. Using your 1-1/4" Wood Deck Screws, you attach the dog ear board to the 2x4's, keeping a small gap between dog ear boards for expansion.
-
Having an issue with a user trying to authenticate with ssh to F5 LTM and failing but they can log into F5 LTM via GUI with no issues.

Start with running a tcpdump (obviously replace <client ip address> with the IP address of the device attempting to login with SSH)

    tcpdump -s0 -ni eth0 host <client ip address> -w /var/tmp/sshdeny.pcap -v

Then evaluate your capture.