Failing over of a Virtual F5 configuration to another location using Zerto restore process
We are preparing a process for disaster recovery to use Zerto to copy a server had has our virtual F5 configuration to another server at another facility. What needs to be completed by means of moving license keys and changing MAC to recognize the F5 configuration.
BigIQ integration with Cisco ACS (TACACS+)
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error, "User has no roles or groups associations. Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ. On our LTMs: 1. No users defined local 2. Authentication - Remote - TACACS+ 3. Remote Role Groups a. Group Name = TAC-Auth b. Line Order 20 (Relative to our env.) c. Attribute String = F5-LTM-User-Info-1=TAC-Auth d. Remote Acccess = Enabled e. Assigned Role = Other = %F5-LTM-User-Role f. Partition Access = Other = %F5-LTM-Partition g. Terminal Access = Other = %F5-LTM-User-Console On ACS (Only giving one example) Shell Profiles 1. F5-Device-TACAuth-Admin 2. Custom Attributes a. F5-LTM-User-Info-1 = TAC-Auth b. F5-LTM-User-Console = enable c. F5-LTM-User-Role = Administrator d. F5-LTM-Partition = All BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ 2. User Groups a. F5_Admin c. Authorization Attributes F5-BigIQ-User-Info = F5_Admin %F5-BigIQ-User-Role = Administrator ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed. 2. Custom Attributes a. F5-LTM-User-Info-1 = F5_Admin b. F5-LTM-User-Role = Administrator Thank you in advance for any insight! /jeff
How to config BGP peering for F5 in HA-pair?
Hi I've setup F5 BGP peering with router and have problem due to we can't use floating IP as IP BGP neighbor address https://support.f5.com/csp/article/K62454350 . So we need to use self IP as IP BGP neighbor address. Problem is It's make router can't decide which path is correct when they send response traffic to F5. F5 active unit or standby unit. Router can't know status on F5. I try to add prepend on BGP which is standby unit and it's fine. but when standby unit takeover . it's failed again. Is there a way to deploy BGP with F5 HA-pair? Thank you
IPBlacklist check with iRules
I have list of IP addresses in Data group called "BlackListIP" and it defined as "String" type instead of "Address" like "name": "1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 6.6.6.6" And I have iRule that use for lookup the Client IP address and need to be block if it matched IP address list above when CLIENT_ACCEPTED { if { [class match [IP::client_addr] contains BlackListIP ] } { reject } } Let say, right now my client_addr equal to 1.1.1.1, Logically it should work, but after test it out this particular iRule doesn't work as expect. Anything I missed here. Please shed some light. Thanks,
Kubernetes integration stopped working
Hello, I'm doing Kubernetes intergation. I had a working solution, but it stopped working. I'm out of ideas, maybe someone can help how to debug it. In restjavad-audit.0.log I see something like this: [I][130][29 Mar 2018 10:55:10 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/shared/authn/login","status":200,"from":"192.168.100.94"} I used to see a lot of other entries here plus I've seen entries about creationg of pools, nodes in audit log. When I create an Igress I see that one of the nodes is trying to communicate to F5: 13:01:11.718375 IP 192.168.100.94.56322 > 192.168.2.109.https: Flags [R.], seq 1686613753, ack 3495393884, win 851, options [nop,nop,TS val 0 ecr 5336149], length 0 13:01:11.718408 IP 192.168.2.109.https > 192.168.100.94.56322: Flags [.], ack 0, win 365, options [nop,nop,TS val 5361881 ecr 5739246], length 0 13:01:11.718836 IP 192.168.100.94.56322 > 192.168.2.109.https: Flags [R], seq 1686613753, win 0, length 0 13:01:11.718904 IP 192.168.100.94.56330 > 192.168.2.109.https: Flags [S], seq 1179852131, win 26720, options [mss 1336,sackOK,TS val 5764938 ecr 0,nop,wscale 7], length 0 13:01:11.718929 IP 192.168.2.109.https > 192.168.100.94.56330: Flags [S.], seq 307718409, ack 1179852132, win 14480, options [mss 1460,sackOK,TS val 5361882 ecr 5764938,nop,wscale 7], length 0 I'm using version 1.4.2 and pod looks just fine: [root@kuberm ~] kubectl describe pods k8s-bigip-ctlr-deployment-f4b469d69-z9f5m -n kube-system Name: k8s-bigip-ctlr-deployment-f4b469d69-z9f5m Namespace: kube-system Node: kubern2/192.168.100.94 Start Time: Thu, 29 Mar 2018 12:55:08 +0200 Labels: app=k8s-bigip-ctlr pod-template-hash=906025825 Annotations: Status: Running IP: 10.32.0.5 Controlled By: ReplicaSet/k8s-bigip-ctlr-deployment-f4b469d69 Containers: k8s-bigip-ctlr: Container ID: docker://f8d33b328d4a3703fb6ea4b5e0bf23342fd1f714022ac172fdd7bae4ccdab220 Image: f5networks/k8s-bigip-ctlr:1.4.2 Image ID: docker-pullable://docker.io/f5networks/k8s-bigip-ctlr@sha256:bd0d7cb4ae54a92d5d3eec9c2e705665a8452e69423eb5ff091e23e669ed072c Port: Host Port: Command: /app/bin/k8s-bigip-ctlr Args: --bigip-username=$(BIGIP_USERNAME) --bigip-password=$(BIGIP_PASSWORD) --bigip-url=192.168.2.109 --bigip-partition=kubernetes --use-secrets=true --resolve-ingress-names=LOOKUP State: Running Started: Thu, 29 Mar 2018 12:55:10 +0200 Ready: True Restart Count: 0 Environment: BIGIP_USERNAME: Optional: false BIGIP_PASSWORD: Optional: false Mounts: /var/run/secrets/kubernetes.io/serviceaccount from bigip-ctlr-serviceaccount-token-qtlqc (ro) Conditions: Type Status Initialized True Ready True PodScheduled True Volumes: bigip-ctlr-serviceaccount-token-qtlqc: Type: Secret (a volume populated by a Secret) SecretName: bigip-ctlr-serviceaccount-token-qtlqc Optional: false QoS Class: BestEffort Node-Selectors: Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s node.kubernetes.io/unreachable:NoExecute for 300s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 8m default-scheduler Successfully assigned k8s-bigip-ctlr-deployment-f4b469d69-z9f5m to kubern2 Normal SuccessfulMountVolume 8m kubelet, kubern2 MountVolume.SetUp succeeded for volume "bigip-ctlr-serviceaccount-token-qtlqc" Normal Pulled 8m kubelet, kubern2 Container image "f5networks/k8s-bigip-ctlr:1.4.2" already present on machine Normal Created 8m kubelet, kubern2 Created container Normal Started 8m kubelet, kubern2 Started container My Ingress looks like this: apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress namespace: kube-system annotations: virtual-server.f5.com/ip: "192.168.220.242" virtual-server.f5.com/partition: "kubernetes" kubernetes.io/ingress.class: "f5" spec: backend: serviceName: nginx servicePort: 80 I've also tried it on other box 13.1 no success, my box is in 12.1.3.1. Do you have any idea how to debug it futher? Regards, PiotrRapid failover/failback problem in AWS
We experienced a network-based failover on our F5 pair in AWS. Both are running 12.1.3.5. The logs from secondary show it detected a connectivity problem to primary and took over: Jul 19 16:26:49 f5bigip-2 notice sod[6127]: 010c007e:5: Not receiving status updates from peer device /Common/f5bigip-1.mydomain.com (10.1.2.39) (Disconnected). When this occurred, the primary released its traffic group and AWS moved the floating IP to secondary. Almost immediately, the primary was detected to be healthy again: Jul 19 16:26:49 f5bigip-2 notice sod[6127]: 010c007f:5: Receiving status updates from peer device /Common/f5bigip-1.mydomain.com (10.1.2.39) (Online) This triggered a failback to primary. However, the floating IP stayed on the secondary. I theorize the sudden failover/failback caused a problem for the "ec2:assignprivateipaddresses" API call to AWS EC2 that is responsible for shifting the floating IP between AWS instances. I have opened case with F5 & AWS for troubleshooting, but just curious if anyone has run in to this before.