Forum Discussion
gbunting
Nimbostratus
NimbostratusDiscovery failure: invalid certificate when trying to update the Big3d
I was able to run the f5mpgui.exe -DD command from a command prompt opened with the run as administrator. The pathing was correct. I should have left a space between management and pack.
Any idea why I'm able to run the command locally but not through SCOM?
Also, I noticed that when I ran the discovery wizard, the checkbox to authorize Big3d Update was not visible until I clicked on show powershell script.
Unfortunately I'm now getting an error about an invalid certificate when I run the discovery and it is trying to update the Big3d.
Failed to discover device at address: 192.168.165.18
Network-related failure has occurred: The request failed with HTTP status 401: F5 Authorization Required.
The account I'm using has full access to the console and web interface of the F5.
So I guess i have 2 questions.
1. Why can I not run the discovery from the SCOM interface?
2. Why am I getting that certificate error and what do I need to do to corrrectly discover the F5 devices so they can be monitored from SCOM?
Thanks,
Glen
16 Replies
- So I will answer 2 first. Right now we only support using the 'admin' account for discovery. In the future we plan to support different users with the appropriate authorization roles, but for now you must use the admin account.
For 1 there could be a couple of reasons.
First question: Are you trying to run this console command from a management server other than the one you installed onto? Currently we don't support running our management pack suite on anything but a standalone RMS. Our next release will support this, but for now it only works on the RMS.
Second question: Is the user you are logged in as permitted to run console tasks through Ops Manager?
Third question: What version of SCOM are you using?
Hopefully this will fix your discovery issue, but I will look into the "file not found" issue once I hear back.
Thanks,
Dave 
gbuntingI was running the scom console from my desktop. Running the scom console from the rms is able to find the executable and run it. I ran the discovery with the admin account and received the same invalid certificate error. It appears that it is failing when it tries to uploads the big3d file.
The user I'm logged in as is a member of the Operations Manager Administrators.
I am running SCOM version 6.0.6278.0(Select)
Thanks,
Glen- Currently we only support running the tasks from the computer they were installed on. The issue you were having before may have been caused by running discovery from the web console or a management server other than the RMS. Remote Desktop and Terminal Services should work just fine for discovery, however.
Do you have IPv6 installed? And if so, if you are not using it, try uninstalling it completely and trying discovery again. We've noticed some compatibility issues with IPv6 and certificates.
If that is not the issue, you can enable verbose logging by following the instructions here: Click here. Once you have this turned on, you should restart the "F5 Monitoring Service" and then try to discover again. If it is still failing at this point, if you can attach the trace.log file from C:\Program Files\F5 Networks\Management Pack\Logs we can read through it and figure out what is causing the invalid certificate error.
Thanks,
`Dave - gbuntingSince the SCOM server is windows 2008, IPv6 is installed by default. The uninstall is greyed out when I log in as domain admin. Attached is the trace.log.
Thanks,
Glen - gbuntingAny updates on this?
Thanks,
Glen - I would log into the admin account on the BigIP web configuration page (use the IP address). If you can log in without any problems, these credentials should get cached. Then try discovery again and use the cached credentials after entering the device IP. We're still looking into other Windows 2008 issues, which might be related, so we'll keep you updated as we find out more.
- gbuntingI logged into the F5 from a web browser on the SCOM server. I don't think it has anything to do with this but I did receive a message about the ssl cert being invalid because it was a self signed cert. I still received the invalid cert error.
Glen - Hi Glen, here are some more things to try:
1) Back up and remove the files from C:\Windows\System32\F5MP, then try the discovery again.
2) If that does not fix the problem, it would help if you could send a couple log files from the BigIp that you are attempting to discover:
/var/log/ltm
/var/log/httpd/ssl_access_log
If you want to just post the last few entries that would be fine using the comment "tail /var/log/ltm"
3) Since the problem is with uploading the new big3d agent, a workaround is to manually upload the agent. This may also help in diagnosing the issue.
Download PSCP (secure copy) to the RMS: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Log into the BigIP and run these commands:
cd /usr/sbin
big3d -v (this will show you your current big3d version)
bigstart stop big3d
rm -f big3d
Now copy the agent from the RMS using this command:
pscp -pw password "C:\Program Files\F5 Networks\Management Pack\Agent\big3d" root@192.168.165.17:/usr/sbin
Next, run these commands on the BigIp (from /usr/sbin)
chmod a+x big3d
big3d -v (should show the updated big3d version)
bigstart start big3d
Thanks,
Joel Hendrickson - gbuntingI removed the files and tried the discovery again with the same results. /var/log/ltm had nothing in it. /var/log/httpd/ssl_access_log had:
[gbunting@SJ1F501:Active] log tail httpd/ssl_access_log
May 15 14:02:22 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 2:22 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:02:52 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 2:52 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:02:52 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 2:52 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 670
May 15 14:02:52 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 2:52 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:03:22 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:22 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:03:22 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:22 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 670
May 15 14:03:22 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:22 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:03:52 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:52 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
May 15 14:03:52 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:52 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 670
May 15 14:03:53 SJ1F501 logger: [ssl_acc] 172.21.10.11 - admin [15/May/2009:14:0 3:53 -0700] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
I was able to install the agent manually and it was able to finish the discovery process.
Is there any other information I can give you to help determine why it is not able to update the agent on its own?
Thanks,
Glen - Glen,
First off, thanks for your help investigating this!
As part of the authorization process, the certificate from C:\windows\system32\F5MP\F50.cer is supposed to be uploaded to the BigIp and added to the certificates in /config/big3d/client.crt.
If you could verify whether or not that happened it would help.
As a result of this support issue we are adding some additional checks and logging to the new build that will be released next friday.
Thanks,
Joel
