Question regarding K22301343, extend /var/ folder after upgrade..
Hi all! We´ve been looking to extend the space of /var/ as it´s causing all types of problems for us when it´s gets full (which happens all the the time). So I´ve been reading and found this article, https://my.f5.com/manage/s/article/K22301343. We´re doing an upgrade at the same this so does anyone know if the /var/ needs to have been extended previously before doing this?? /Kim
F5 VE on Proxmox
Has anybody been successful running F5 BIG-IP VE on Proxmox? Proxmox: Operating System: Debian GNU/Linux 10 (buster) Kernel: Linux 5.0.18-1-pve Architecture: x86-64 F5 VE: virtual edition 14.1.2.2 from downloads.f5.com I tried both qcow2 and .ova(scsi) licensing with trial license obtained from F5 single NIC mode According to https://clouddocs.f5.com/cloud/public/v1/matrix.html, Debian should be supported distribution. Following instructions on https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-linux-kvm-13-0-0/1.html. Creating new VM in Proxmox: OS: guest OS Linux, 2.6 Kernel, no media for OS Hard Disk: bus SCSI, VirtIO SCSI, NFS storage, QEMU format (qcow2), 100GB CPU: 4 sockets Memory: 8GB Network: bridge vmbr0 openvswitch with appropriate vlan tag, VirtIO, no firewall VM is created replacing just created qcow2 on remote storage with downloaded F5 qcow2 image. VM is started I am able to get prompt in Proxmox console, log in with default root account. But then mcpd keeps on restarting - constantly every few seconds. Logs show errors caused by permission errors. For some reason F5 is complaining that it cannot create "/shared/.snapshots_d/" because of permission problem. However permissions of "/shared" are OK. When I create .snapshots_d folder manually as root, mcpd no longer restarts, no more console errors... I run config utility to setup management IP/mask/gateway. As expected in single NIC mode, https port is automatically configured to 8443. I am able to reach GUI configuration utility and login as admin. Up until now everything looks fine. When trying to license the VM, I am able to generate dossier, also receive the generated license file from F5. But when I apply the license to the VM and click next, it acts as if nothing has happened. GUI keeps showing VE is not yet licensed. LTM logs says: err mcpd: License file open fails, Permission denied. "/config/bigip.license" has read permission for all and write for tomcat. Those are expected permissions for the license file. Funny though, content of /config/bigip.license is now actually populated with the correct new license. But "Registration Key" in "tmsh show sys hardware" is empty. There are several other file system related warnings or errors in logs.. so I suspect that the whole issue is with how F5 VE is accessing file system on Proxmox. But I don't know what to check or fix further. Is it even possible to run F5 VE on Proxmox? (although F5 clearly states it should be.) thx.
How to config BGP peering for F5 in HA-pair?
Hi I've setup F5 BGP peering with router and have problem due to we can't use floating IP as IP BGP neighbor address https://support.f5.com/csp/article/K62454350 . So we need to use self IP as IP BGP neighbor address. Problem is It's make router can't decide which path is correct when they send response traffic to F5. F5 active unit or standby unit. Router can't know status on F5. I try to add prepend on BGP which is standby unit and it's fine. but when standby unit takeover . it's failed again. Is there a way to deploy BGP with F5 HA-pair? Thank you
tcpdump flooded with failover packets
Hi, I often have a problem with tcpdump on clustered devices. If I e.g. start a dump like this: 'tcpdump -ni 0.0:p host 192.168.1.1' the terminal is flooded with messages like these every few microseconds: 13:20:56.003601 IP 1.1.1.2.44098 > 1.1.1.1.cap: failover_packet { failover_packet_cluster_mgmt_ip ip_address 10.10.10.10 failover_packet_slot_id uword 0 failover_packet_state ulong 5 failover_packet_sub_state ulong 0 failover_packet_monitor_fault ulong 0 failover_packet_hop_cnt uword 2 failover_packet_peer_signal ulong 0 failover_packet_version ulong 2 failover_packet_msg_bits ulong 2 failover_packet_traffic_grp_score ulong 8386 failover_packet_device_load ulong 2 failover_packet_device_capacity ulong 0 failover_packet_traffic_group_load ulong 2 failover_packet_build_num ulong 3944176344 failover_packet_next_active ulong 1 failover_packet_traffic_grp string `/Common/traffic-group-1` failover_packet_previous_active ulong 1 failover_packet_active_reason ulong 0 failover_packet_left_active_reason ulong 8 } out slot1/tmm0 lis= It's a little annoying, since with the 0.0:p I want to see the packet on client and server side (which SNAT-IP it uses, which member) - so the only possibility to get rid of it is to constantly exclude with grep -v Am I doing something wrong about TCPdump? Or is there any flag that disables these messages? Or is this due to a wrong configuration of the F5 itself? Or is it intended behavior?
Priority Group Activation Failback with HTTP Cookie Insert
Hello All, Can someone help me the below issue? We have a pool with 3 members. 2 members have high priority (Round Robin) and 1 member has low priority. When both the primary members go down, the low priority member should take over the traffic. We have Cookie Insert persistence enabled on the virtual server. In Cookie persistence, "Expiration: Session Cookie" enabled. When both the primary members were made down, the low priority member took over the traffic. When both the primary members came back UP, the traffic continued to go to low priority backend member. When the browser tab is closed and tried to access the URL in new tab, the traffic went to low priority backend member. When the browser window is closed and tried to access the URL in new tab, the traffic still went to low priority backend member. When the browser cookies were deleted and tried to access the URL in new tab, the traffic was taken over by the high priority members. This behavior is not desired and we need to force the LB to use high priority backend members as soon as they come UP. When user tries the connection from new browser or new tab, the traffic should go to high priority pool members. Please let me know how i can achieve the desired behavior. Regards
LTM - IP Fowarder Performance issues (Stateless Router config)
Hi All, Wondering if anyone else has issues with using an IP Forwarder in the manner described in this article (Specifically - Emulating stateless IP routing with BIG-IP LTM forwarding virtual servers): https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html. Here's the scenario.... VLAN attached behind the BIG-IP, which has the web servers on. MSSQL servers sat on a VLAN reachable through the BIG-IP. The connections all work, just if SQL traffic isn't routed through the BIG-IP, it works fine. Otherwise, behind the BIG-IP, there is severe delays. I'd suggest it be a good idea not to route this through the BIG-IP, but I wondered what the F5 communities' take on this would be. In short....Simple IP Forwarder (Stateless) for mssql traffic... Good or bad idea? Thanks, JD
TMOS 11.5.4 Admin Remote Authentication with LDAP issue
Hi, I am configuring Remote AD authentication for BigIP administrators. I already done it for some other customers without issues. The system authentication configuration is: auth ldap system-auth { check-roles-group enabled login-attribute samaccountname search-base-dn DC=xxxxx,DC=local servers { 1.2.3.4 } user-template %s@xxxx.local } I tried by changing authentication to LDAP but the result is the same. When trying to authenticate, I can see the request and response with tcpdump : With ldapsearch I got the expected answer. But the administrator is never authenticated and the following message appears in log files: [root@bigip:Active:Standalone] config grep 24310 /var/log/audit May 9 14:00:55 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap initiating connection to non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:41 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap validating credentials for user 'admin_test' against non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:43 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap terminating connection to non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). [root@bigip:Active:Standalone] config grep 24310 /var/log/secure May 9 14:09:41 bigip err sshd[24310]: pam_ldap: ldap_search_s Can't contact LDAP server May 9 14:09:41 bigip notice sshd[24310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.1 user=admin_test May 9 14:09:43 bigip info sshd(pam_audit)[24310]: User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). May 9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). Am I missing something or is there a bug in 11.5.4 HF1 version? I am sure authentication from F5 to AD servers is working fine as the same AD servers are used by APM.
