Forum Discussion

Julian_Balog_34's avatar
Julian_Balog_34
Historic F5 Account
Dec 29, 2010

Discovery problem (incomplete discovery)

Hi Julian,

 

 

I have F5 MP installed on my RMS (SCOM R2). when i try discovering device it shows me "Attempt to connect to the iControl device socket: Success" with blue icon on extreme left with 'i' in it. I have attached the discovery screen shot for reference.

 

i am assuming that i have sucessfully discovered a device but it is not showing on SCOM console.

 

 

Please help me know what i an doing wrong and add how to add this device to SCOM console?

 

 

Regards,

 

Pramod
  • Julian_Balog_34's avatar
    Julian_Balog_34
    Historic F5 Account
    Hi Pramod,

     

     

    Please enable the verbose trace logs for the F5 Monitoring Service. See the "Verbose Logging Support" section in this article:

     

    http://devcentral.f5.com/wiki/default.aspx/MgmtPack/GeneralTroubleshooting.html

     

     

    Restart the F5 Monitoring Service and attempt a new discovery for the F5 device in question. Wait for a couple of minutes (I assume the discovery would just hang and not finish, in the state you mentioned), and then pack the trace.log file (in Program Files\F5 Networks\Management Pack\log folder) and the 'F5 Monitoring Log' event log and send them to us to managementpack(at)f5(dot)com.

     

     

    Based on your brief description of the problem, I believe the F5 device discovery hangs in the state of performing the SSL certificate exchange with the F5 device, which immediately follows after successfully connecting to the iControl interface on the F5 device. You can also check a few things to make sure you have a clear shot for discovery. The following F5 Dev Central article would give you the details: http://devcentral.f5.com/wiki/default.aspx/MgmtPack/F5DeviceUserRoleSecurity.html

     

     

    Mostly firewall and credential related stuff, but make sure at least these prerequisites are in place. We can probably tell more once we get a look at the trace logs.

     

     

    Also, please provide the following information:

     

     

    - F5 Management Pack version

     

    - BIG-IP platform version

     

    - big3d version (by running the following command in the shell: iqsh localhost)

     

     

    Thank you.

     

    Julian

     

  • Hi Julian,

     

     

    Thanks for the response.

     

     

    Please find below the details:

     

     

    - F5 Management Pack version : 2.1.4.389

     

    - BIG-IP platform version : 10.2.0 (Build 1707.0 final)

     

    - big3d version (by running the following command in the shell: iqsh localhost) : 10.2.0.1707

     

     

    Some More Info:

     

     

    1. We have firewall in between our RMS server and F5 device and we have only port 443 & 4353 only bi-directional.

     

    2. we have initially installed the f5 MP ver.2.1.3.217 and later upgraded to the latest, but none of them worked uptill now.

     

    3. we did wait for 20-30 minutes with no luck but this time we get some failure too in the log, please check and guide us to rectify the issue.

     

    4. We are using root user to run the discovery.

     

     

     

    Not sure if this is relevent but FYI:

     

     

    On my RMS server (where we have installed the F5 MP and monitoring service) we don't have direct internet connection and use some proxy. If i remove the proxy settings (in internet explorer) discovery fails with:

     

     

    'Unable to authenticate with F5 device'..... 'F5 Authorization required'....

     

     

    But if i add the proxy settings, discovery never fails nor device get added to the SCOM console.

     

     

    Regards,

     

    Pramod
  • Julian_Balog_34's avatar
    Julian_Balog_34
    Historic F5 Account
    Pramod,

     

     

    Thank you for the detailed feedback. I would try to troubleshoot this problem first without the proxy. I believe that you still have the same error condition with the proxy active, but somehow with the proxy you lose some transparency in the response you're getting from the F5 device.

     

     

    The HTTP 401 Authorization Required error that you're getting without the proxy, makes me believe that you're not able to connect to the iControl interface on the F5 device. From a web browser (on your SCOM management server) try to connect to https://device-ip/iControl/iControlPortal.cgi. This should take you to the iControl web-service (WSDL) interface on the F5 device, and you should be prompted with basic authentication credentials. Pass in the exact credentials that you plan to use with discovery. Are you able to get to the iControl WSDL interface?

     

     

    If you're not able to browse the iControl web-service interface (and you still get the HTTP authorization error), you'll have to make sure basic authentication is allowed with the F5 device. If you get through with connecting to the iControl web-service interface, the next step would be to check if you can telnet into the device's port 4353 (from the management server where you try to discover from). This would tell you if at least the firewall settings are OK for device inbound connections.

     

     

    Let's try to make the discovery work first without the proxy. Let me know the results for the steps suggested above and we'll take it from here.

     

     

    Thank you for your patience.

     

    Julian
  • Hi Julian,

     

     

    Thanks for the valuable information. below are my observations:

     

     

    1. If I remove the proxy settings, i can browse (iip >) to the device interface without any issue but if i add the proxy settings, i am unable to reach to the device web-interface.

     

     

    2. We are using the root user while discovery but we don't have the password of this user and always ask the device admin to put the password while doing the discovery. Security team has denied to give us the root password of the device. while connecting to the device over web-interface we are using some read-only user and able to browse through the interface.

     

     

    Is it necessary to test the web-interface with root user only?

     

     

    3. I can sucessfully telnet to the device on port 443 & 4353 with or without proxy settings.

     

     

    regards,

     

    Pramod

     

  • Hi Julian,

     

     

    Thanks alot for your help. I am able to discover the F5 devices. the issue was with the ROOT user as it didn't had the permission to use the Web interface of the devices.

     

     

    when i asked my device admin to connect to the web UI with the user ROOT he said that root doesn't have permission on the UI. then i asked him to type the credentials (while discovery) which has the admin permission on the UI. he typed the credential and discovery happened sucessfully.

     

     

    once again, thanks alot for your help.

     

     

    Do you have any doc which will help me to understand the post discovery task for F5 MP? if yes, appreciate if you could share the doc or any link for the same.

     

     

    regards,

     

    Pramod
  • Julian_Balog_34's avatar
    Julian_Balog_34
    Historic F5 Account
    Hey Pramod! Sorry for the slow response. We had an extended weekend / timeoff for the year end. I'm glad the discovery worked in the end for you. In regards with the post-discovery tasks available in the F5 Management Pack unfortunately we don't have an all-encompassing document describing them. Most of these tasks are very straightforward and perform what their actual name is suggesting (enable/disable pool member, force pool member offline, etc.) and some of these tasks are featured within blog posts and videos published on F5 Dev Central / Vimeo by our team.

     

     

    I can point you to some of them, but I'm sure you'll find more, if you browse our F5 Management Pack wiki and blog space.

     

     

    Here are some links and videos you can take a look at, to see various F5 Management Pack tasks in action:

     

     

    Data orchestration examples (add/remove resources, maintenance mode, fail-over):

     

    http://devcentral.f5.com/wiki/Default.aspx/MgmtPack.HomePage

     

     

    Integrated PowerShell support (Joel Hendrickson's blog):

     

    http://devcentral.f5.com/weblogs/jhendrickson/archive/2009/08/19/f5-management-pack-v1.3.0.715-featuring-integrated-powershell-support-is-now.aspx

     

     

    Turning on maintenance mode (from David Ruddell's blog on maintenance mode rules: http://devcentral.f5.com/weblogs/druddell/archive/2010/03/05/maintenance-mode-rules-for-the-f5-networks-management-pack.aspx):

     

    http://vimeo.com/9950832

     

     

    Authoring an F5 Management Pack task (Julian Balog's blog):

     

    http://devcentral.f5.com/weblogs/jbalog/archive/2009/10/29/authoring-an-f5-management-pack-powershell-server-task-in-scom.aspx

     

     

    Please let us know if you have more specific questions / concerns regarding the F5 Management Pack tasks, and we'll try to answer them the best we can.

     

     

    Julian

     

  • Hi Julian,

     

     

    Thanks for all your help and for the valuable information too!!!

     

     

    Well, by post imlementation task i was referring if we have any best practice to monitor F5 devices. I know that it defer as per the environment and requirements, but do we have some best practice that we should enable so and so rules as an standard?

     

     

    I am not expert in F5 devices as I am SCOM admin. I asked my F5 device admin, what he would like to monitor in it, but he says that we should enable rules/monitors as per the best practices. Now, I have forwarded all rules/monitors list to him so that he will tell us what we should enable.

     

     

    regards,

     

    Pramod
  • Hi Pramod, Julian,

     

    I have the same problem in the customer environment, but we have got the Viprion appliances. I insert the admin credentials (or an user with admin right) during the discovery, but we it shown this error:

     

     

    Failed to discover device at address: x.x.x.x

     

     

    F5Networks.ManagementPack.Discovery.DiscoveryException: Big 3d update from version 10.0.1.402.0.0 to version 10.2.2.1.0.0 was not authorized

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice.<>c__DisplayClass21.<_UpdateDeviceBasedOnIQueryConnection>b__18()

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.<>c__DisplayClass6.b__5()

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.<>c__DisplayClassb`1.b__8()

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode)

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification[TReturnResult](GenericVoidHandler`1 activeCode, String action)

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification(VoidVoidDelegate activeCode, String action)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice._UpdateDeviceBasedOnIQueryConnection(DiscoveryInfo discoveryInfo)

     

    at F5Networks.ProgressTracking.Tracer.<>c__DisplayClass1.b__0()

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally(VoidVoidDelegate activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally(VoidVoidDelegate activeCode, VoidVoidDelegate preCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice._Execute(DiscoveryInfo discoveryInfo)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice.<>c__DisplayClassc.b__a()

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.<>c__DisplayClass6.b__5()

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.<>c__DisplayClassb`1.b__8()

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)

     

    at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode)

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification[TReturnResult](GenericVoidHandler`1 activeCode, String action)

     

    at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification(VoidVoidDelegate activeCode, String action)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice.Execute(DiscoveryInfo discoveryInfo)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager._SyncFinishDiscovery(DiscoverDeviceHandler discoveryHandler, DiscoveryInfo info)

     

    at F5Networks.ManagementPack.Discovery.DiscoveryManager._AsyncFinishDiscovery(AsyncDiscoveryInfo asyncInfo)

     

     

    In this case we perform the discovery on the virtual chassis IP address, I don't know if this way is correct.

     

    Could you help me, please?

     

     

    Thanks a lot

     

    Best Regards

     

    Fabrizio.
  • Julian_Balog_34's avatar
    Julian_Balog_34
    Historic F5 Account
    Hi Fabrizio,

     

     

    I think that you should be fine discovering the F5 device on the virtual management address. Just make sure you check the 'Authorize big3d update' checkbox in the F5 discovery wizard in the SCOM Management Console. The error you're getting is related to the fact that the F5 Management Pack requires the latest version of the big3d agent on the F5 Device. Your current big3d appears to be on v10.0.1.402, while the agent shipped with the F5 MP is v10.2.2.1. The big3d upgrade should only be affecting the GTM functionality for a brief second, during the restart of the big3d daemon.

     

     

    Let us know how it goes.

     

     

    Thanks!

     

    Julian