Forum Discussion
How one can see relation between virtual server and lease pool in the cli configuration while configuring APM for the ssl vpn ?
- Jan 02, 2019
Hello Sanjay,
It is generally best to make configuration changes in the GUI instead of the CLI when it comes to APM. In my experience running APM configuration straight from the CLI usually results in one mistake or another, as settings are forgotten or misconfigured.
That being said, it is pretty simple to view your APM configuration using 'list.' Here are some basic commands to figure out how your leasepools, VPNs, and servers are related, and to prove how they have been configured. Run:
tmsh list apm resource leasepool
to view information about all your leasepools, and
tmsh list apm resource network-access
to view configuration information about your VPNs.
This should give you some very basic information about their configuration, all of which can also be viewed from the GUI. Since leasepools and VPNs are assigned to an Access Policy/Profile, which is then attached to a virtual server, viewing the server and your policy individually would likely be the best way to show a relationship between the two.
To view information about your virtual server, use
tmsh list ltm virtual
In the output for that command, there will be a profiles section. You will see your Access Profile listed there. And to view your specific Access Policy and Access Profile, use:
tmsh list apm policy access-policy
and
tmsh list apm profile access
With all of these together, you can prove that your VPN and lease pool have been assigned to your Access Profile, and that your Access Profile has been assigned to your virtual server.
I hope this helps you figure out the relationship between your VPN and your Virtual Server. Feel free to ask if you have any follow-up questions,
Austin
Hello Sanjay,
It is generally best to make configuration changes in the GUI instead of the CLI when it comes to APM. In my experience running APM configuration straight from the CLI usually results in one mistake or another, as settings are forgotten or misconfigured.
That being said, it is pretty simple to view your APM configuration using 'list.' Here are some basic commands to figure out how your leasepools, VPNs, and servers are related, and to prove how they have been configured. Run:
tmsh list apm resource leasepool
to view information about all your leasepools, and
tmsh list apm resource network-access
to view configuration information about your VPNs.
This should give you some very basic information about their configuration, all of which can also be viewed from the GUI. Since leasepools and VPNs are assigned to an Access Policy/Profile, which is then attached to a virtual server, viewing the server and your policy individually would likely be the best way to show a relationship between the two.
To view information about your virtual server, use
tmsh list ltm virtual
In the output for that command, there will be a profiles section. You will see your Access Profile listed there. And to view your specific Access Policy and Access Profile, use:
tmsh list apm policy access-policy
and
tmsh list apm profile access
With all of these together, you can prove that your VPN and lease pool have been assigned to your Access Profile, and that your Access Profile has been assigned to your virtual server.
I hope this helps you figure out the relationship between your VPN and your Virtual Server. Feel free to ask if you have any follow-up questions,
Austin
- F5_guy_380365Jan 03, 2019Nimbostratus
Austin, Thank you for taking time and replying with such a great details. However, I am still not 100% sure about what configuration lines in the output shows virtual server and lease pool are connected. I am attaching out put for the profile New as below and I'd appreciate any inputs. I can see resource pool is under virtual server but how can I see such relation between lease pool and virtual server?
Here is he configuration output from given commands. [admin@localhost:Active:Standalone] ~ tmsh list apm profile access New apm profile access New { accept-languages { en } access-policy New app-service none default-language en generation 1 generation-action noop log-settings { default-log-setting } modified-since-last-policy-sync true type all user-identity-method http } [admin@localhost:Active:Standalone] ~ tmsh list apm policy access-policy New apm policy access-policy New { caption general default-ending New_end_deny items { New_act_av_software_check { priority 1 } New_act_logon_page { priority 2 } New_act_radius { priority 3 } New_act_resource_assign { priority 4 } New_end_allow { priority 6 } New_end_deny { priority 5 } New_ent_in { } } start-item New_ent_in } [admin@localhost:Active:Standalone] ~ tmsh list ltm virtual New_vs ltm virtual New_vs { destination 193.193.193.197:https fallback-persistence source_addr ip-protocol tcp mask 255.255.255.255 persist { cookie { default yes } } pool pool1 profiles { New { } New_cp { context clientside } clientssl { context clientside } http { } ppp { } rba { } tcp { } websso { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vs-index 52 } [admin@localhost:Active:Standalone] ~ tmsh list apm resource network-access New_na_res apm resource network-access New_na_res { customization-group New_na_res_resource_network_access_customization dns-primary 10.10.10.1 dns-suffix localhost leasepool-name New_lp } [admin@localhost:Active:Standalone] ~ tmsh list apm resource leasepool New_lp apm resource leasepool New_lp { members { 172.16.1.1-172.16.1.2 { } } }
- AMiles_377865Jan 04, 2019Cirrocumulus
I've been going through tmsh commands, and it looks like you can't see a direct correlation between where the network access resource is assigned to the profile. We can prove that the lease pool is assigned to the network access resource, we can prove that the access policy is assigned to the access profile, and we can prove the access profile is assigned to the virtual server.
The missing link is proving that the network access resource is assigned to the access policy. It seems the closest we can get from the command line is seeing that the Access Policy is assigning resources; but we can't tell what resources it is assigning.
New_act_resource_assign { priority 4 }
- F5_guy_380365Jan 07, 2019Nimbostratus
Thank you Austin. I was thinking the same and really appreciate your inputs.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com