BigIP Report Old

Thanks  ...I'll try those and see if it helps any.

Hi,

I am seeing an issue with version 5.4.0 and LTM v14.1.2. Several of the configured devices have stopped returning results, but some devices still do respond. In the log I see several of these errors:

2020-07-14 13:30:05 ERROR Receive-Job <device_name_redacted>

i am able to access the device from the server running bigip-report and there do not appear to be any trust issues with the certificate it is using. I can also log with the configured username and password, so the credentials are valid. I have TLS1.2 enabled.

I tried to run version 5.3.1 to see if it is perhaps an issue with the beta script, but it generated the following error:

Get-PSSnapin : The term 'Get-PSSnapin' is not recognized as the name of a cmdlet

, function, script file, or operable program.

Check the spelling of the name, or if a path was included, verify that the path

is correct and try again.

At C:\inetpub\bigipreport\bigipreport-5.3.1.ps1:616 char:4

+ if(Get-PSSnapin -Registered | Where-Object { $_.Description.contains( ...

+   ~~~~~~~~~~~~

+ CategoryInfo         : ObjectNotFound: (Get-PSSnapin:String) [], ParentContai

nsErrorRecordException

+ FullyQualifiedErrorId : CommandNotFoundException

Powershell on the server is version 5.1 (Windows 2012 R2). The user has auditor role on the devices.

5.3.1 wants the old Powershell with the snapin. 5.4+ wants PowerShell 6+ and does not use the snapin.

You might try debugging the error by adding the load balancer to the command line with 5.4+ so:

> bigipreport-5.4.1.ps1 myconfig.xml a-load-balancer-in-the-xml.example.com

Specify and IP if you use IPs, and a hostname if you use those. Whatever is in the xml.

Receive-Job is where the parent process is expecting json from a forked child and what it got is not valid json. Unfortunately, I've not figure out a good way to capture the errors and return them to the parent process.

  Thanks for replying. I debugged the script as you suggested and there are several "401 Authorization failed" errors in the output. Below is a sample:

{"datetime":"2020-07-16 09:52:06","severity":"SUCCESS","message":"Successfully loaded the config file: bigipreportconfig.xml"}

{"datetime":"2020-07-16 09:52:06","severity":"VERBOSE","message":"Starting: PSCommandPath=C:\\inetpub\\bigipreport\\bigipreport.ps1 ConfigurationFile=bigipreportconfig.xml PollLoadBalancer=<device_name_redacted> Location= PSScriptRoot=C:\\inetpub\\bigipreport"}

{"datetime":"2020-07-16 09:52:06","severity":"VERBOSE","message":"Pre-execution checks"}

{"datetime":"2020-07-16 09:52:06","severity":"SUCCESS","message":"Pre execution checks were successful"}

{"datetime":"2020-07-16 09:52:06","severity":"VERBOSE","message":"Enabling TLS1.2"}

{"datetime":"2020-07-16 09:52:06","severity":"VERBOSE","message":"Getting data from <device_name_redacted>"}

Invoke-RestMethod : {"code":401,"message":"Authorization failed: user=https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/3a0d0d04-e904-37f6-9117-726f51919714 resource=/mgmt/tm/sys/global-settings verb=GET uri:http://localhost:8100/mgmt/tm/sys/global-settings referrer:10.4.16.20 sender:10.4.16.20","referer":"10.4.16.20","restOperationId":2944442,"kind":":resterrorresponse"}

At C:\inetpub\bigipreport\bigipreport.ps1:1622 char:17

+ ... $Response = Invoke-RestMethod -SkipCertificateCheck -Headers $Headers ...

+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo         : InvalidOperation: (Method: GET, Reques\u2026PowerShell/6.2.3

}:HttpRequestMessage) [Invoke-RestMethod], HttpResponseException

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

The property 'hostname' cannot be found on this object. Verify that the property exists.

At C:\inetpub\bigipreport\bigipreport.ps1:1623 char:5

+    $BigIPHostname = $Response.hostname

+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo         : NotSpecified: (:) [], PropertyNotFoundException

+ FullyQualifiedErrorId : PropertyNotFoundStrict

Are you using ldap accounts? BIG-IP 14+ has ldap timeout issues for me. You might try adjusting your ldap timeouts as explained here:

https://support.f5.com/csp/article/K72830550

tmsh list auth ldap system-auth idle-timeout
tmsh modify auth ldap system-auth idle-timeout 295

Also check that the account has proper access. Guest on all partitions should be fine without ASM. With ASM it will at least want Auditor on all partitions. You might temporarily grant Administrator on all partitions and work down from there. In my opinion, Auditor should be enough, but I think there are some ASM and certificate things Auditor cannot read.

Yes, we are using LDAP but all devices are 14.1.2.3 or higher. We'll look in the log to make sure we are not seeing timeouts.

We are not using ASM, but the account has auditor on all partitions.

After upgrading to 15.1.0.4 v5.3..1 would no longer connect. I upgraded to the 5.4 beta (Powershell v7.0,3) which is working much better but I've run into 1 issue. One of my LTMs won't gather info. It's in a failover pair and partner unit reads just fine. Sanitized error below.

2020-07-20 19:57:53 xx.xx.xx.xx:Error getting auth token from xx.xx.xx.xx : {"code":400,"message":"loginProviderName is invalid.","originalRequestBody":"{\"username\":\"ZZZZZZZZZ\",\"loginProviderName\":\"tmos\",\"generation\":0,\"lastUpdateMicros\":0}","referer":"yy.yy.yy.yy","restOperationId":38464847,"kind":":resterrorresponse"}

I've tested using the root credentials as well, doesn't work.

We aren't seeing any errors in /var/log/secure. I installed biipreport to a newer server (Windows 2019 with Powershell 6.2.6) and it gives the same errors. We are able to manually curl https://<device name>/mgmt/tm/sys/global-settings and receive what appears to be valid JSON back. We can also curl https://<device name>/mgmt/tm/sys/hardware and receive JSON as well.

@TimRiker I think we have found the issue in our case. It appears the script is using the username and password to retrieve an auth token 'X-F5-Auth-Token" and then sends that as a header in the REST call. When we manually make the REST call using that token we receive a 401 authorization failure error message. We modified the script to use username and password instead of the auth token and now are able to receive JSON from one of the nodes reporting the error. I don't know how long that auth token is valid, so it is possible it could be expiring in the time it takes to make the REST call.

I've added a patched version of 5.3.1 that no longer fails against v15.x but it does not correctly pull statistics. It looks like something needs to be fixed in the snapin and it's no longer supported. It might be the SOAP interface in v15.x that is the issue. I don't know.

https://github.com/epacke/BigIPReport/raw/fixes/bigipreport.ps1

The current beta release, 5.4.1 should work with BIG-IP v15.x releases. Be sure to use the ldap timeout work around if you are using ldap accounts like we are.

https://support.f5.com/csp/article/K72830550