Forum Discussion

fergusone_29406
Aug 13, 2010

Discovery Problem

Hoping someone can help.

 

We have 6 Big-IPs, 3 of which SCOM discovers without issue. The 3 Big-IPs that SCOM cannot successfully discover are on the other side of a firewall. Before we go off at a tangent and blame the firewall, I must say that the firewall administrator is saying that he can see no drops and, as is proven also by a tcpdump on the Big-IPs in question, the SCOM server is able to communicate with the Big-IPs on ports 443/TCP and 4353/TCP.

 

The SCOM server seems to connect to the devices then stop and after a wait report a failure to discover the devices.

 

Here is the error that SCOM reports (I'm really hoping this is one someone has seen before):

 

Execute device discovery:Failure
Failure Message: F5Networks.Protocols.iControl.iControlException: The underlying connection was closed: An unexpected error occurred on a receive.
   at F5Networks.Protocols.iControl.Utilities._HandleWebException(WebException webException)
   at F5Networks.Protocols.iControl.Utilities.WrapNetworkErrors[ReturnType](GenericVoidHandler`1 soapCall)
   at F5Networks.ManagementPack.Discovery.Networking.iControlDiscovery._MakeSoapCall[ReturnType](GenericVoidHandler`1 soapAsyncBegin, GenericTypeHandler`2 soapAsyncComplete)
   at F5Networks.ManagementPack.Discovery.Networking.iControlDiscovery.CoreGetSystemLocalTime()
   at F5Networks.ManagementPack.Discovery.Networking.iControlDiscoveryBase.c__DisplayClass1.b__0()
   at F5Networks.ProgressTracking.Tracer.c__DisplayClass1.b__0()
   at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)
   at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally(VoidVoidDelegate activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)
   at F5Networks.ProgressTracking.Tracer.TraceCall(VoidVoidDelegate activeCode, String action, String area, String category, Int32 id)
   at F5Networks.ManagementPack.Discovery.Networking.iControlDiscoveryBase.get_SystemLocalTime()
   at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice._ConnectToDeviceAndPushCertificate(Credentials deviceCredentials, ManagementPackIQueryConnection deviceConnection)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice._ConnectToDevice(Credentials deviceCredentials)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice._Execute(DiscoveryInfo discoveryInfo)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice.c__DisplayClassc.b__a()
   at F5Networks.ProgressTracking.ProgressEventSourceBase`1.c__DisplayClass6.b__5()
   at F5Networks.ProgressTracking.ProgressEventSourceBase`1.c__DisplayClassb`1.b__8()
   at F5Networks.ProgressTracking.Tracer.DoActionWithTryFinally[TReturnResult](GenericVoidHandler`1 activeCode, VoidVoidDelegate preCode, VoidGenericHandler`1 postCode, VoidVoidDelegate postCodeSuccess, VoidGenericHandler`1 postCodeFailure)
   at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification[TReturnResult](GenericVoidHandler`1 activeCode, String action)
   at F5Networks.ProgressTracking.ProgressEventSourceBase`1.DoActionWithProgressNotification(VoidVoidDelegate activeCode, String action)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager.DiscoverDevice.Execute(DiscoveryInfo discoveryInfo)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager._SyncFinishDiscovery(DiscoverDeviceHandler discoveryHandler, DiscoveryInfo info)
   at F5Networks.ManagementPack.Discovery.DiscoveryManager._AsyncFinishDiscovery(AsyncDiscoveryInfo asyncInfo)
Attempt to connect to the iControl device socket:Success
Attempt to connect to the iControl device socket:Success

 

  • OK we have made a breakthrough but I am still looking for some help on this...

     

     

    We turned on verbose logging on the SCOM server and were able to see that although we are being prompted for a username and password when we commence the discovery and we entered an appropriate account that exists on the Big-IP, the SCOM server appears to be using the credentials of the logged on user on the SCOM server to try and connect.

     

     

    Has anybody seen this before?

     

  • Julian_Balog_34
    Historic F5 Account
    Hi Ewan,

     

     

    The credentials you are being prompted with, when you run the F5 Management Pack discovery wizard, are specific to the F5 device, and are used for the SSL communication with the device (certificate, encryption key exchange, etc). The F5 MP discovery wizard is using the logged-on user account (which is impersonated by the F5 Monitoring Service) to allow communication between the SCOM health service and the F5 Monitoring Service. So this happens on a different tier. There is also a secure token based mapping between the logged-on user account and the F5 device credentials, in the F5 Monitoring Service, but this is transparent for the user (running the F5 discovery wizard). So, the things you are concerned about are by design.

     

     

    Now, coming back to your problem, regarding the communication with the F5 device through the firewall, did you actually get this working? Even if you have the ports 443 (HTTPS) and 4353 (iQuery) enabled through the firewall, for outbound communication with the F5 device, still the firewall could block inbound iControl/iQuery traffic from the device to the dynamic port opened by the F5 Monitoring Service for iControl requests or iQuery stats / callback notifications (i.e. device config updates, etc). Basically, the way this works is, the F5 Monitoring Service opens up a dynamic port locally (on the SCOM server) for sending iControl/iQuery requests, this request goes out to port 443/4353 on the F5 device, and then through the same communication channel the F5 device responds with an iControl/iQuery packet. Those packets are apparently blocked. I'm not a firewall expert, but there has to be some symmetrical communication policy that would have to be enabled.

     

     

    Let me know your thoughts, and hopefully we can work this out, together.

     

     

    Thanks,

     

    Julian
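
Added example, not part of the original thread and not F5 or SCOM code: a staged probe for the two ports named above (443 and 4353) that separates a failed TCP connect from a session that connects and is then closed or goes silent, the pattern the discovery error shows. The function names and outcome labels are illustrative, and the local listener is a constructed stand-in so the block runs offline.

```python
import socket
import ssl
import sys
import threading

PORTS = (443, 4353)  # iControl over HTTPS and iQuery, as named in the thread


def probe(host, port, timeout=5.0):
    """Return how far a TLS client gets against host:port (labels are ours)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"          # refused, dropped or unroutable
    # Reachability check only: nothing but a handshake is sent, so the
    # certificate is deliberately not validated. Do not reuse for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except socket.timeout:
        return "handshake_timeout"   # connected, but replies never arrive
    except ConnectionError:
        return "peer_closed"         # reset straight after the connect
    except ssl.SSLError as exc:
        # An abrupt close surfaces as an OpenSSL "EOF" error; the rest is TLS-level.
        return "peer_closed" if "EOF" in str(exc) else "tls_error"
    finally:
        sock.close()


def closing_listener():
    """Constructed local stand-in: accepts one connection, then closes it."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = srv.accept()
        conn.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:            # address of the device to check
        for port in PORTS:
            print(port, probe(sys.argv[1], port))
    else:                            # offline demo against the stand-in
        print(probe("127.0.0.1", closing_listener(), timeout=2))
```

Run from the SCOM server's side of the firewall, `handshake_timeout` or `peer_closed` on a port where the TCP connect succeeds points at the return path or an intermediate device rather than at the credentials; `tls_error` can also appear when the probing host and an older device share no protocol version.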
  • One thing I have been thinking about...

     

     

    Does the user on the Big-IP that is used by SCOM/F5 Management Pack require to have a specific role and a particular level of Terminal Access?

     

     

    Regards,

     

     

    Ewan
  • Julian_Balog_34
    Historic F5 Account
    Ewan,

     

     

    The role required for the BIG-IP user account performing the device discovery has to have admin privileges, as it is used for iControl connectivity and management, and push the big3d agent/update on the BIG-IP if necessary. There's no particular terminal / shell access level needed.

     

     

    Julian
  • Hi Julian,

     

     

    I have F5 MP installed on my RMS (SCOM R2). When I try discovering a device it shows me "Attempt to connect to the iControl device socket: Success" with a blue icon on the extreme left with 'i' in it. I have attached the discovery screenshot for reference.

     

    I am assuming that I have successfully discovered a device but it is not showing on the SCOM console.

     

     

    Please help me know what I am doing wrong and how to add this device to the SCOM console?

     

     

    Regards,

     

    Pramod
  • Julian_Balog_34
    Historic F5 Account
    Hi Pramod,

     

     

    I've split this topic into a new one with your post. This would help our team and issue-tracking system do a better job in following up and assisting you with support.

     

     

    The related topic is tracked here:

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/54/aft/1176568/aff/59/afv/topic/showtab/groupforums/Default.aspx

     

     

    Please follow the forum link above for the progress on this issue.

     

     

    Thank you.

     

    Julian