Removing AAM/WAM for a successful upgrade
If you are wanting to upgrade to version 16 or 17 of BIG-IP, one thing that can cause your config not to load, is any element of AAM/WAM/WOM. As I discovered via a customer of mine, even removing all AAM/WAM items from traffic objects is not enough. While I know how to identify things in the conf files and can see them in iHealth, that doesn't help Admins in the field assess if this is an issue for them, and if it is, how to document what needs to be changed for the necessary approvals. With some help, I wrote this knowledge article to meet these needs as well as provide a way to quickly make the changes - https://my.f5.com/manage/s/article/K000149084 I am sharing this in the forum to not only advertise this, but explain some of the commands and help the community understand how they might be used for other tasks. From spending time running a few BIG-IPs myself in a prior life and working with hundreds of customers, I knew that my solution needed to address partitions and even iApps. My coworker Fernando C provided me the syntax to crawl every partition and I quickly found ways to morph that into this document. Lets take a look at the syntax that can read the lan TCP profiles in the Common partition and then see the changes needed to read all partitions. In order to filter the results a bit better we run these from bash so that we have access to a number of tools like grep, awk, sed, etc. # Return all virtual server names in Common that use a TCP Profile from wam or wom (aka AAM) # grep to find the profile prefixes and then piping that to AWK to grab the third word in the output of each line tmsh list ltm virtual one-line | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}' This simply returns the virtual server name without the partition name. Now to read all partitions, the tmsh portion of the command has to change. Specifically, we pass the -c option to tmsh to tell it to run multiple commands. When you enter tmsh, by default you are in the Common partition, so we have to back out to the root. Because we are in the root directory, we need to add the recursive option to read all subfolders which in this case are the partitions. #Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}' Now the output is the partition name and virtual server name, or if iApps are involved, the appservice name as well. You can take the output from the first command and pass it to xarg to use your output as a variable in a command to execute. CAUTION, the following command will attempt to make changes to your config. #Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side then insert new profiles and delete the original profile #This will cause an error tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}' | xargs -t -I vsName tmsh modify ltm virtual vsName profiles add { f5-tcp-lan { context serverside } } profiles delete { wam-tcp-lan-optimized } If you run this command, it will error out, because without the proper syntax, tmsh assumes you are referencing objects in the /Common partition and as a result it will help you by implicitly adding that to the beginning of every object in your xarg command. I added the -t option to xarg to output the command that it will execute. To correct the syntax error, in the awk command, you add a forward slash and now tmsh will treat your command as if you have explicitly declared the partition name for every object. Caution - This will make changes to your configuration, very fast... #Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side then insert new profiles and delete the original profile #CAUTION - This will make changes to your system. tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print "/" $3}' | xargs -t -I vsName tmsh modify ltm virtual vsName profiles add { f5-tcp-lan { context serverside } } profiles delete { wam-tcp-lan-optimized } When I first hit the wall with xarg beyond the /Common partition, I did not realize what the fix was. However my OCD wanted to see a slash in front of the partition name and I had modified the awk to add it, but had given up on the xarg to modify things outside of /Common. It wasn't until I went to show the error to a peer, Chad T., that I discovered I stumbled upon the proper syntax, and realized I could simplify the instructions quite a bit. Where I would love some help from the community would be on ways to crawl the iApps to quickly disable Strict Updates. The xarg commands to modify/delete objects associated with an iApp will fail if the default setting of "Strict Updates" is enabled. Hope this helps, Carl
Not able to cache any pages using WebAcceleration (AAM)
Hi, I have been struggeling a while with the WebAcceleration module to cache pages. I have not been able to retrieve a single object from the cache. I have tried both defining the web acceleration policy manually, and using the iApp to create one for me. But I get the same result. As an example, I want to cache static content as such CSS files. When I request a CSS file through the VS, I get the X-WA-INFO header value: [V2.S10206.A62284.P100017.N13694.RN0.U0].[OT/all.OG/includes].[P/0.0].[O/0.1] This is the output from wainfodecode V2: X-WA-Info Format Version S10206: Response was served from the origin web server, because the content was uncacheable. A62284: Application: /Common/aam_testapp.app/aam_testapp_aam P100017: Local-policy: /Common/Generic Policy - Enhanced N13694: Request Policy Node: Includes RN0: Response match did not supersede request match UCI hash: 0 Object type: all Object group: includes Request served from TMM: 0.0 Request owned by TMM: 0.1 Entity hit count (local/remote): 0/0 Document hit count (local/remote): 0/0 Document not cacheable (negative cache entry). Reason: Response cache control prevents caching. Bypass: Content received is not cachable. Parking: Not parked. As you can see, it says it cannot cache the content because of response cache control. I assume this is from the originating web server to the AAM/LTM module. Here is what the originating web server are sending back to BigIP: Request headers: GET some.css HTTP/1.1 Host: www.example.com Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36 Accept-Language: en-US,en;q=0.8 Cookie: JSESSIONID=; TS017a82e1=; F5_ST=; TIN=894000; LastMRH_Session=7f2d31be; MRHSession=; TS0133f518=; adfs-persist=180879370.39455.0000; TS01a3abd7= If-Modified-Since: Sat, 12 Dec 2015 00:50:43 GMT X-Forwarded-For: 10.0.0.4 X-Client: WA Response Headers: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-ASEN: SEN-6157603 X-Confluence-Request-Time: 1449883792235 Expires: Sun, 11 Dec 2016 01:29:52 GMT Cache-Control: max-age=31536000 Cache-Control: public Last-Modified: Sat, 12 Dec 2015 00:50:43 GMT ETag: "1449881443000" Content-Type: text/css;charset=UTF-8 Transfer-Encoding: chunked Date: Sat, 12 Dec 2015 01:29:52 GMT If I understand the headers correctly, there should not be any cache-control saying that the content is uncacheable. What I have tried so far: Same setup against a wordpress/apache site. Configured the Expire and Cache-Control in htaccess - still not able to cache any files Tried both iApp and manually WebAcceleration settings. Tried an WA Application Profile that should cache anything. Any suggestions on how to move forward is much appreciated! -E
Viewing ramcache from an iApp web acceleration profile
If I run tmsh show ltm profile web-acceleration it will only show the non iApp profiles. I have recently learned I can run this instead to see all of them: tmsh show ltm profile web-acceleration recursive . Now that I can see the the profiles (like ) I want to be able to display and delete the contents of the BIG-IP HTTP cache from the command line using the tmsh ramcache command (K13255). but if I type tmsh show /ltm profile ramcache www.example.com.app/www.example.com_optimized-acceleration it says Invalid Profile Name. Thanks for your help!
Respond with cached content after timeout
As commented in the explanation for the "after" command (https://devcentral.f5.com/wiki/iRules.after.ashx) we can make some actions with the http request. It's possible to respond with cached content if web acceleration application is also configured with stand-in period codes? Something like that: when RULE_INIT { set static::response_timeout 15000 } when HTTP_REQUEST { set monitor_id [\ after $static::response_timeout { Respond with cached content }\ ] } when HTTP_RESPONSE { log local0. "Received server response. " if {[info exists monitor_id]} { log local0. "Canceling after script with id $monitor_id" after cancel $monitor_id } Thanks in advance.irule to select pool in time and bwc
Hi I need to do an irule to select specific pool to load balancing to have internet, and irule to do a bandwidth controller; I try to join 2 irules in one and do the next irule. But the client loss internet connection. My scenario is I have 2 service providers and do load balancing to navigate in internet, but the other thing that they want to do is doing a bandwidth control management, but when I do that not work. Please your help. when CLIENT_ACCEPTED{ Get the current time in seconds since the Unix epoch of 0-0-1970 set now [clock seconds] set start [clock scan "5:00 pm"] set end [clock scan "11:59:59 pm"] set start1 [clock scan "12:00 am"] set end1 [clock scan "2:00:00 am"] set mycookie [IP::remote_addr]:[TCP::remote_port] Check if the current time is between the start and end times if {$now > $start and $now < $end} { pool pool_navegacion BWC::policy attach bwc_nocturno $mycookie log local0. " pool navegacion" log local0. " bwc rule" } if {$now > $start1 and $now < $end1} { pool pool_navegacion log local0. " pool navegacion segundo if" }Chrome err_connection_reset
Hi, We just create a new iApp with the wizard. All the health monitors looks fine so the pool is up and evrything appears that is working fine, but when we try to ingress to the new website we received en err_connection_reset. We ran an capture and we see that the VS is sending and RST. This happen with both plaintext and ssl offload. Do you, what could be the issue? Thanks in advance.
Zero downtime deployment with f5 GTM+LTM ?.
Hello, We have a GTM+LTM set up for our application which is running on 12 servers. This servers are separated in 4 LTMs with 3 servers each with monitoring set to a static page and "Action on service down" set to "None". We want to have a zero downtime deployment set up and currently we do it like this: Mark half of the servers as down (results in 2 LTM having only down servers) but keep them running for as long as we can detect running requests Deploy to this half and mark them as up Mark the second half as down and deploy Even after all of this some of our users are complaining about dropped requests when we deploy. From the logs https://krogerfeedback.nl https://talktosonic.onl https://talktowendys.vip https://whataburgersurvey.onl i see that the requests are being dropped immediately after we mark the servers as down even though they are still running and" Action on service down" is set to None. So my question is might this be related with GTM marking the whole LTM pool as down and dropping all the running requests? thanks jackyjoy
