How to manage AS3 BIG-IQ deployments and shared objects
Hi, I have a question around how to utilize AS3 and BIG-IQ. Currently I am deploying AS3 via BIG-IQ to get the application statistics in BIG-IQ. However, I cannot use resources created in BIG-IQ within the AS3 declarations. For example, I do not want to store my ssl/tls certificates within the AS3 json that will be in public (-ish) revision control. Likewise, I want the iRules created as on BIG-IQ that can be shared between virtual servers/applications and not squashed on an unreadable line in the AS3 json. However, it appears BIG-IQ will only sync these objects to BIG-IP when you create a virtual server within BIG-IQ (outside of AS3). This leads to the AS3 declaration failing as AS3 can't find these /Common/ objects on the BIG-IP at deployment time. Also, it is unclear how to create applications (again AS3 via BIG-IQ) and pin them to different traffic-groups for an active-active BIG-IP setup. It seems all AS3 deployments are stuck the traffic-group-1. How are people currently managing referencing "shared" things such as iRules/certificates/policies and pushing them with BIG-IQ in a AS3-only world? Does anyone have any good overviews of this level of managing things? Documentation I've seen seems specific to just using AS3 or just using BIG-IQ deployments, etc.
Managing DataGroups from BIG-IQ
A customer today asked me about managing DataGroups from within BIG-IQ as they want to start using it for all configuration work. However they were unable to find where DataGroups could be managed from within BIG-IQ. I've also had a look and haven't been able to find anything relating to this on the GUI or by searching for documentation. Any clues gratefully received.
BIG-IQ DCD tokumx.log files filling up
I am running BIG-IQ, trying to get it running is more accurate. Version 6.1.0 I have tokumx.log files being created on my DCD, so many that it is quickly filling up /var I am not having much luck finding anything regarding what I am seeing. Has anyone else experienced this behavior?
Local users account are not working in Big-iq.
I have created local users account with administrator role and permissions in F5 Big-iq to run some tests. When I logout and login again with the user that I created, big-iq was giving me authentication failure message in both gui and cli. I used the correct password, verified audit logs just says authentication failed with no explanation. Is this some bug or is it normal behavior of big-iq not to allow any local account other than admin.Is there Limitation of irule "virtual".. can we do it like this?
Hi We have BIG-IQ and BIG-IP AWAF. I see that BIG-IQ application dashboard is show only 1 application per virtual server. But in BIG-IP AWAF.. we config it as 1 virtual server 100 application (multi domain vip+use irule to check host header and send it to specific pool and choose specific waf policy) So we can't see each application metric in BIG-IQ.... This is our issue. I understand we need to config each vip for each application so BIG-IQ can retrive data from each vip per application but we can't use that many public ip. So I found that we have irule "virtual" which can send traffic to another virtual server. Can we do it like this? Instead of when HTTP_REQUEST { if {[HTTP::host] equals "abc.example.com"} { ASM::enable /Common/abc.example.com >>>> choose pool and waf policy by host header pool /External/Pool_abc.example.com } ------------------------------------ Change to when HTTP_REQUEST { if {[HTTP::host] equals "abc.example.com"} { virtual VS_abc.example.com >>> send it to private ip virtual server by host header which craete a new. } and in virtual server VS_abc.example.com we use private ip and assign pool and waf policy normally so we can add VS_abc.example.com in BIG-IQ application dashboard and see metric per application. But is there any limitation on how to use irule "virtual" like this? Is this practical?Specify node based on Client IP, but what if that node is down?
I been trying to figure this out and unable to find an exact answer. I have multiple unknown clients connecting to a virtual address. I also have 2 known clients connecting to the same address. I want them all to round robin as normal, but I always want these two known users to connect to specific nodes. I have persistence configured so when they connect they will stay on which ever node they connect to, this is for everyone. I think I have the iRule figured out.... but what if one of the specified nodes goes down, how do I get that known user to just hit a random node until it gets back up? This is what I am trying. The rule will check the first Known User's IP then send it to node 1, see the second known user and send to node 2, everyone else will hit the pool and round robin as normal. The last part is if node 1 goes down and doesn't respond, it will just hit the pool and round robin to what is available. Is this right, or am I missing something? when CLIENT_ACCEPTED { if {IP::addr [IP::client_addr] equals 172.1.1.1] } { node 1.1.1.1 60006 } elseif {IP::addr [IP::client_addr] equals 172.1.1.2] } { node 2.2.2.2.] 60006 } else { pool servers_60006_pool } } when LB_FAILED { servers_60006_pool }
