Snth
5 Topics

"stuck" mac address
I'm troubleshooting NTP communication which gets processed by a wildcard, Forwarding (IP) VS. The source is in the internal LTM (10.2.0) VLAN, and the NTP server is in the external. I run a trace on the internal VLAN and when the request comes in, the source has the right MAC address. However, when the LTM sends the response back out the internal VLAN, the LTM inserts the wrong dest MAC address. The MAC that it has used to be assigned to the node, but it's not used any longer. So it appears like the old MAC address is "stuck" in the ARP table. However, I can't find any reference to the bad MAC anywhere - all I can find is the correct MAC. There are no static ARP entries, and I tried removing the phantom entry from the ARP table, which had no effect. The rest of the traffic to and from this node works just fine. Can you think of any way I can remove this "stuck" MAC, or think of anywhere else to check that might be hanging onto this MAC?

239 Views | 0 likes | 2 Comments

Zero Downtime IIS Code Deployment
We have a production pool with 4 nodes. Our code deployment process is to:

1. Enable source address affinity persistence on the production VS.
2. Set node 1 to "Forced Offline".
3. Poll node 1 periodically for active connections, waiting until connections=0 before continuing.
4. Stop IIS on node 1.
5. Copy new code to node 1.
6. Start IIS on node 1.
7. Set node 1 to "Enabled" in the pool.
8. Repeat steps 2 - 7 for nodes 2, 3, and 4.
9. Disable persistence.

This works pretty well, except we run into an issue on step 3. Let's say step 3 is currently operating on the final node 4. At this point, nodes 1 - 3 have the new code, while node 4 still has the old code. We have HTTP keep-alive configured on IIS with a 120 second timeout, so these outstanding active connections may take up to two minutes to drain. The problem is that web browsers typically spin up multiple connections in parallel to maximize performance. This means that an existing active connection may hit old code on node 4, while any other newly spooled up connections from the same client will hit newly deployed code on nodes 1 - 3. If there are incompatibilities between code versions (say with dependencies between .JS and .CSS files) our application may present strange side effects to the end-user for a few moments before the keep-alive connection to node 4 expires.

One thing I tried is to set the node to "Disabled (Only persistent or active connections allowed)" but the problem with that is we have highly active connections that will pass traffic continuously all day long, resulting in a node whose connections will never fully drain.

Is there something with my process / BIG-IP configuration I'm missing? I can't see a way around this problem because no matter how you approach it, at some point you have to force one or more nodes offline to deploy new code, and those clients will for a few moments hit old code and new code simultaneously, resulting in compatibility issues.
Any ideas?

199 Views | 0 likes | 0 Comments

Attack Signatures are still the same after importing UCS (v10.2.4)
After upgrading our box to the 11.3.0 version (coming from 10.2.4) we wanted to upload the UCS file onto the box. According to sol8217 we should have the attack signatures of the old 10.2.4 version but this is not the case. All new attack signatures have been added and immediately placed in blocking mode.

Fragment from sol8217:

"Attack signatures are also saved in user configuration set (UCS) archives. When a UCS archive is created, the current cumulative signature set is saved in the archive. When a UCS archive is restored, the attack signatures in the archive fully replace existing signatures. If the UCS archive is old, the attack signatures may be out-of-date and need to be updated separately."

We would like to perform the upgrade so that the attack signatures are still the same as on our old version. When the upgrade is complete we will manually upgrade our attack signatures, which will be placed in learning/staging for the first few weeks. This is crucial for our own in-house applications that are available through the ASM. Has anybody else had this 'issue' before?

194 Views | 0 likes | 0 Comments

Can I create a Wide IP as a "slave" to another Wide IP? (flip between pools when the master Wide IP flips)
Two sites in different geo locations. One GTM deployed at each site. One pool per site. There's a Wide IP currently, which is flipped between one site and the other, based on the availability of each pool. I've created another pool on each site, and I need to create a new Wide IP pointing at these new pools. But - I want this new Wide IP to flip between sites based on the status of the old Wide IP. If the old Wide IP points at site A, then the new Wide IP should do the same, regardless of the status of its own pools. Is that doable somehow?

160 Views | 0 likes | 0 Comments

AAM caching old content
Hello friends, I have applied an AAM configuration to one of the web applications. Is there any other process to exclude a few pages from caching, like *html pages? Is there any other method where AAM automatically detects the change of content and displays a new modified html page instead of the old cached one?

Thanks in Advance,
-SAM

159 Views | 0 likes | 0 Comments