application delivery
43222 Topics

Apmd memory and swap grows over time
Hi folks. Do you ever run into problems with apmd memory and swap usage? I think I have hit the bug opened Feb 23, 2022, but still no workaround is presented on the bug page. Maybe you have fixed the same problem somehow? Please share any workaround possible. https://cdn.f5.com/product/bugtracker/ID1083053.html "Apmd memory grows over time. It is not a memory leak. It is mainly due to memory fragmentation due to memory sharing among apmd threads." Sometimes the OOM killer causes a node reboot and failover. Sometimes it frees 10% of memory, but then it grows again.

F5 APM iRule to log the VPN session parameters
Hi Everyone, I would like to write an iRule to log the user session parameters at different phases (username/publicIP/leaseIP/bigip_edgeclient_version/client OS/hostname) when the user attempts to connect, the client-side check results (AV and file check), the authentication results (RADIUS) and the end policy result. If for some reason the VPN gets disconnected, I need to log the reason why the client got disconnected. I would like to leverage HSL for logging to syslog. It will be really great if anyone can help me with this. Thanks, Reddy

F5 Per-App AS3 Part 2: How to see if there are manual changes!
Code version: The code was tested on 17.1.5.3 with AS3 3.55.

For more about AS3 and per-app AS3 see my previous code share, the Part 1 article: https://community.f5.com/kb/codeshare/f5-per-app-as3-part-1-how-share-tenant-specific-object/345072

First we send the Per-App AS3 declaration shown below.

{
  "id": "per-app-declarationn",
  "schemaVersion": "3.55.0",
  "controls": { "class": "Controls", "logLevel": "debug", "trace": true, "traceResponse": true },
  "A2": {
    "class": "Application",
    "service": { "class": "Service_HTTP", "virtualAddresses": [ "10.0.3.10" ], "pool": "web2_pool" },
    "web2_pool": {
      "class": "Pool",
      "monitors": [ "http" ],
      "members": [ { "servicePort": 80, "serverAddresses": [ "192.7.21.10", "192.7.21.11" ] } ]
    }
  }
}

Then we manually change something on the BIG-IP, for example the virtual server IP from 10.0.3.10 to 10.0.3.11, and send the same declaration again with "dryRun" set to true. This makes AS3 validate the declaration against the current configuration without executing it, and because trace and traceResponse are enabled the response contains the difference 😎

{
  "id": "per-app-declarationn",
  "schemaVersion": "3.55.0",
  "controls": { "class": "Controls", "logLevel": "debug", "trace": true, "dryRun": true, "traceResponse": true },
  "A2": {
    "class": "Application",
    "service": { "class": "Service_HTTP", "virtualAddresses": [ "10.0.3.10" ], "pool": "web2_pool" },
    "web2_pool": {
      "class": "Pool",
      "monitors": [ "http" ],
      "members": [ { "servicePort": 80, "serverAddresses": [ "192.7.21.10", "192.7.21.11" ] } ]
    }
  }
}

Now we see that the IP has been changed from 10.0.3.10 to 10.0.3.11, and there we have the difference! This can be added to CI/CD to always do a "dry-run" of the original declaration first, to see whether there are manual changes, before executing the new AS3 declaration (which could, for example, change the IP address to 10.0.3.12 the official way).
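As an added example (not code from the article or from the AS3 project), a small Python drift gate for the CI/CD step just described: it builds the per-app dry-run request and refuses to deploy when the traceResponse diff is non-empty. The endpoint path, the "traces"/"*Diff" key shape and the sample response are assumptions constructed for the example.

```python
"""Gate a per-app AS3 deployment on the dry-run diff (added example, not
code from the article or from F5's AS3 project). Assumptions: the per-app
endpoint /mgmt/shared/appsvcs/declare/<tenant>/applications, and that a
dry-run response requested with trace/traceResponse carries a "traces" object
whose keys ending in "Diff" hold deep-diff style entries ({kind, path, lhs, rhs})."""
import base64
import json
import urllib.request

def dry_run_request(host, tenant, declaration, user, password):
    """Build (but do not send) the per-app dry-run POST for a declaration."""
    body = json.loads(json.dumps(declaration))  # deep copy, original untouched
    body.setdefault("controls", {"class": "Controls"})
    body["controls"].update({"dryRun": True, "trace": True, "traceResponse": True})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/mgmt/shared/appsvcs/declare/{tenant}/applications",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})

def diff_entries(response):
    """Collect every entry from the *Diff trace sections of an AS3 response."""
    entries = []
    for key, value in response.get("traces", {}).items():
        if key.endswith("Diff") and isinstance(value, list):
            entries.extend(value)
    return entries

def describe(entry):
    """Render one deep-diff entry as 'path: on-box value -> declared value'."""
    path = "/".join(str(p) for p in entry.get("path", []))
    return f"{path}: {entry.get('lhs')!r} -> {entry.get('rhs')!r}"

def safe_to_deploy(response):
    """True only when the dry run found no drift between BIG-IP and declaration."""
    return not diff_entries(response)

# Constructed sample: the VS was changed by hand to 10.0.3.11, so a dry run of
# the original declaration (10.0.3.10) reports one edit on the destination.
SAMPLE_RESPONSE = {
    "results": [{"code": 200, "message": "success", "dryRun": True, "tenant": "Tenant"}],
    "traces": {"TenantDiff": [{"kind": "E", "path": ["/Tenant/A2/service", "destination"],
                               "lhs": "/Tenant/10.0.3.11:80", "rhs": "/Tenant/10.0.3.10:80"}]},
}

if __name__ == "__main__":
    for entry in diff_entries(SAMPLE_RESPONSE):
        print("manual change:", describe(entry))
    print("deploy:", safe_to_deploy(SAMPLE_RESPONSE))
```

In a pipeline, send the request built by dry_run_request, feed the parsed JSON reply to safe_to_deploy, and only post the real declaration when it returns True.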
Look at the "diff" section of the JSON reply, which is present thanks to the trace and traceResponse options; an automation can simply check this section and stop the new deployment if the manual changes need to be reviewed first.

For a basic (not Per-App) AS3 declaration the dry run is specified differently: "action": "dry-run" goes in the top-level AS3 envelope, as shown below. F5 likes changing naming, like Local Traffic Policies to Endpoint Policies, or the naming of TLS profiles between the GUI/TMSH and AS3 😅

{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.55.0/as3-schema.json",
  "class": "AS3",
  "action": "dry-run",
  "logLevel": "debug",
  "trace": true,
  "traceResponse": true,
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.55.0",
    "id": "BIG-IP-Example-Tenant",
    "Example": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "Example_Response": {
          "remark": "Used for F5 response",
          "class": "iRule",
          "iRule": {
            "base64": "d2hlbiBIVFRQX1JFUVVFU1Qgew0KICAgSFRUUDo6cmVzcG9uZCAyMDAgY29udGVudCB7DQogICAgICA8aHRtbD4NCiAgICAgICAgIDxoZWFkPg0KICAgICAgICAgICAgPHRpdGxlPkFwb2xvZ3kgUGFnZTwvdGl0bGU+DQogICAgICAgICA8L2hlYWQ+DQogICAgICAgICA8Ym9keT4NCiAgICAgICAgICAgIFdlIGFyZSBzb3JyeSwgYnV0IHRoZSBzaXRlIHlvdSBhcmUgbG9va2luZyBmb3IgaXMgdGVtcG9yYXJpbHkgb3V0IG9mIHNlcnZpY2U8YnI+DQogICAgICAgICAgICBJZiB5b3UgZmVlbCB5b3UgaGF2ZSByZWFjaGVkIHRoaXMgcGFnZSBpbiBlcnJvciwgcGxlYXNlIHRyeSBhZ2Fpbi4NCiAgICAgICAgIDwvYm9keT4NCiAgICAgIDwvaHRtbD4NCiAgIH0NCn0="
          }
        }
      }
    }
  }
}

This will not show if someone has manually added, for example, a VLAN, as only changes to the apps that were deployed with AS3 will be seen. For those you will get an error like the one below when you try to delete the partition:

0107082a:3: All objects must be removed from a partition

https://my.f5.com/manage/s/article/K02718312
https://my.f5.com/manage/s/article/K000138638

Github link: https://github.com/Nikoolayy1/AS3-Per-App-Manual-Changes/tree/main

DNS topology not distributing as expected
We have many pools that use topology with servers in two different datacenters. Originally, we configured regions that didn't really reflect the location. The app teams told us how they wanted the LDNS servers mapped to the pool members and we created a topology rule for each pool member. As time went on, I decided to model our regions and records so new topology-based apps would be easier to manage. I created two new regions that reflected the DNS servers' locations and then topology rules that mapped each region to their respective datacenter. The idea is that we would no longer need to create records for each app. I didn't want to introduce any changes to how the existing topology apps were distributing traffic, so my assumption was that a lower order and lower score would prevent any conflicts. Based on the snippet below, a DNS request from 10.2.2.1 for legacy.domain.com would match rule 1 and rule 4. Rule 1 has 10.1.1.100 with a score of 100 and rule 4 has 10.2.2.100 with a score of 10. I expected that rule 1 would 'win' since it has a higher score and every request from that server would point to 10.1.1.100. But it appears to be doing some kind of weighted ratio instead. I was under the impression that GTM would select the server with the highest score all the time, unless it was unavailable. I looked through the topology docs and found the examples very confusing and didn't see anything that matches my scenario. Any feedback or explanation would be appreciated.
gtm server DC1_SERVER {
    addresses {
        10.1.1.100 {
            device-name DC1_SERVER_vs
        }
    }
    datacenter DC1
}
gtm server DC2_SERVER {
    addresses {
        10.2.2.100 {
            device-name DC2_SERVER_vs
        }
    }
    datacenter DC2
}
gtm pool a legacy.domain.com_pool {
    alternate-mode global-availability
    load-balancing-mode topology
    members {
        DC1_SERVER_vs {
            member-order 0
        }
        DC2_SERVER_vs {
            member-order 1
        }
    }
    monitor https
}
gtm region REGION1_LEGACY {
    region-members {
        subnet 10.1.1.1/32 { }
        subnet 10.2.2.1/32 { }
    }
}
gtm region REGION2_LEGACY {
    region-members {
        subnet 10.1.1.2/32 { }
        subnet 10.2.2.2/32 { }
    }
}
gtm region DC1_DNS_NEW {
    region-members {
        subnet 10.1.1.1/32 { }
        subnet 10.1.1.2/32 { }
    }
}
gtm region DC2_DNS_NEW {
    region-members {
        subnet 10.2.2.1/32 { }
        subnet 10.2.2.2/32 { }
    }
}
gtm topology ldns: region /Common/REGION1_LEGACY server: subnet 10.1.1.100/32 {
    order 1
    score 100
}
gtm topology ldns: region /Common/REGION2_LEGACY server: subnet 10.2.2.100/32 {
    order 2
    score 100
}
gtm topology ldns: region /Common/DC1_DNS_NEW server: datacenter /Common/DC1 {
    order 3
    score 10
}
gtm topology ldns: region /Common/DC2_DNS_NEW server: datacenter /Common/DC2 {
    order 4
    score 10
}

GRE Tunnel Issue
Has anyone run into an issue with GRE tunnels on a BIG-IP? I have a few set up running into a TGW in AWS and something seems to break them. Config change, module change, ?? I haven't been able to pin down an exact trigger. Sometimes I could fail over and have the tunnels on the other HA member work fine, and failing back would result in the tunnels going down again. (The tunnels are unique to each BIG-IP.) They start responding with ICMP protocol 47 unavailable. Once this happens a reboot doesn't seem to fix it. If I tear down the BIG-IP and rebuild it, I can keep them working again for X amount of time before the cycle repeats. Self-IPs are open to the protocol; I also tried allow all for a bit. No NATs involved with underlay IPs.

How to get a F5 BIG-IP VE Developer Lab License
(applies to BIG-IP TMOS Edition)

To assist operational teams in improving their development for the BIG-IP platform, F5 offers a low-cost developer lab license. This license can be purchased from your authorized F5 vendor. If you do not have an F5 vendor, and you are in either Canada or the US, you can purchase a lab license online:

CDW BIG-IP Virtual Edition Lab License
CDW Canada BIG-IP Virtual Edition Lab License

Once completed, the order is sent to F5 for fulfillment and your license will be delivered shortly after via e-mail. F5 is investigating ways to improve this process.

To download the BIG-IP Virtual Edition, log into my.f5.com (a separate login from DevCentral) and navigate down to the Downloads card under the Support Resources section of the page. Select BIG-IP from the product group family and then the current version of BIG-IP. You will be presented with a list of options; at the bottom, select the Virtual-Edition option that has one of the following descriptions:

For VMware Fusion or Workstation or ESX/i: Image fileset for VMware ESX/i Server
For Microsoft Hyper-V: Image fileset for Microsoft Hyper-V
KVM RHEL/CentOS: Image fileset for KVM Red Hat Enterprise Linux/CentOS

Note: There are also 1 Slot versions of the above images, for when a 2nd boot partition is not needed for in-place upgrades. These images include _1SLOT- in the image name instead of ALL.

The guides below will help get you started with F5 BIG-IP Virtual Edition for development on VMware Fusion, AWS, Azure, VMware, or Microsoft Hyper-V. These guides follow standard practices for installing in production environments; performance recommendations change based on the lower-use, non-critical needs of development or lab environments. Similar to driving a tank, use your best judgement.
Deploying F5 BIG-IP Virtual Edition on VMware Fusion
Deploying F5 BIG-IP in Microsoft Azure for Developers
Deploying F5 BIG-IP in AWS for Developers
Deploying F5 BIG-IP in Windows Server Hyper-V for Developers
Deploying F5 BIG-IP in VMware vCloud Director and ESX for Developers

Note: F5 Support maintains authoritative Azure, AWS, Hyper-V, and ESX/vCloud installation documentation. VMware Fusion is not an official F5-supported hypervisor, so DevCentral publishes the Fusion guide with the help of our Field Systems Engineering teams.

iRule based RADIUS Server Stack
Code is community submitted, community supported, and recognized as 'Use At Your Own Risk'.

Short Description
The iRule based RADIUS Server Stack can be used to turn a UDP-based Virtual Server into a flexible and fully featured RADIUS Server, supporting regular REQUEST/RESPONSE as well as CHALLENGE/RESPONSE based RADIUS authentication.

Problem solved by this Code Snippet
The RADIUS Server Stack covers the RADIUS protocol core mechanics outlined in RFC 2865 and RFC 5080 and can easily be extended to support any other RADIUS-related RFC built on top of these specifications. The RADIUS Server Stack can be used as an extension that provides the RADIUS Server functionality LTM lacks, as well as iRule command functionality to support self-hosted RADIUS Server scenarios.

How to use this Code Snippet
Visit my GitHub Repository for further explanation of how the RADIUS Server Stack can be used to perform RADIUS Server operations within an iRule.

Code Snippet Meta Information
Version: 1.1
Coding Language: TCL

Full Code Snippet
Visit: https://github.com/KaiWilke/F5-iRule-RADIUS-Server-Stack

iRule based RADIUS Client Stack
Code is community submitted, community supported, and recognized as 'Use At Your Own Risk'.

Short Description
The iRule based RADIUS Client Stack can be used to perform RADIUS-based user authentication via SIDEBAND UDP connections.

Problem solved by this Code Snippet
The RADIUS Client Stack covers the RADIUS protocol core mechanics outlined in RFC 2865 and RFC 5080 and can be utilized for Password Authentication Protocol (PAP) authentication within an iRule.

How to use this Code Snippet
Visit my GitHub Repository for further explanation of how the RADIUS Client Stack can be used to perform RADIUS Client operations within an iRule.

Code Snippet Meta Information
Version: 1.1
Coding Language: TCL

Full Code Snippet
Visit: https://github.com/KaiWilke/F5-iRule-RADIUS-Client-Stack

Prism.js language definition for iRules (TMOS v21.0)
Code is community submitted, community supported, and recognized as 'Use At Your Own Risk'.

Short Description
The provided iRule language definition can be used to highlight iRule code within websites using the Prism.js framework.

Problem solved by this Code Snippet
The Prism.js framework is widely used to highlight code blocks on websites. Even the DevCentral page uses the Prism.js framework to highlight code boxes, using the default TCL language definition contributed by Peter Chaplin to the Prism.js repository.

if { "1" equals "1" } then {
    HTTP::path "/something"
    pool some_pool
}

As you may see in the example above, the default TCL language definition is not trained to highlight any of the F5-specific commands (e.g. HTTP::path) and operators (e.g. equals), so they remain non-highlighted in black. I took the time to write a language definition for iRules based on the reduced TCL 8.4 syntax supported by iRules, plus the iRule command and operator set of TMOS version 21.0. I ended up with nearly 10 KB of RegEx signatures to provide a rich command-highlighting experience for iRule code snippets.

How to use this Code Snippet
Visit my GitHub Repository for additional implementation notes on the 'Prism.js language definition for iRules'. Feel free to discuss the project here on CrowdSRC! Cheers, Kai

Code Snippet Meta Information
Version: 1.1
Coding Language: Prism.js, JS, RegEx

Full Code Snippet
Visit: https://github.com/KaiWilke/F5-PrismJS-iRule-Language-Definition