authorization
3 Topics

BIG-IP: iControl API failure to retrieve system configuration file
BIG-IP 11.4.1 Build 635.0 Hotfix HF2

We have a C service that on a schedule performs a "health ping" of our BIG-IP devices by calling iControl API to retrieve the system configuration file:

    SystemConfigSync.download_file("/config/bigip.conf", ... )

If exception is thrown (or blank config retrieved), the service will trigger an alert. Once a subsequent retrieve sys config succeeds, the alert is cancelled. This service has been operational in production for over one year -- with no alerts. However, over the past 4 days we've seen alerts firing frequently. Day 1 was the peak of a period of extraordinary site traffic that placed record load on our devices, however the peak dropped off drastically near end of day 1 and days 2,3,4 were normal traffic.

Logs reveal three distinct types of errors:

    ERROR : SystemConfigSync.download_file() threw exception [Client found response content type of 'text/html; charset=iso-8859-1', but expected 'text/xml'.]
    ERROR : SystemConfigSync.download_file() threw exception [The underlying connection was closed: An unexpected error occurred on a receive.]
    ERROR : SystemConfigSync.download_file() threw exception [The request failed with HTTP status 401: F5 Authorization Required.]

The text/html errors are by far the most common, followed by connection-closed: both of these types of errors are ongoing. The auth errors occurred infrequently over the initial two days and then stopped completely.

What are some possible BIG-IP factors that could be contributing to iControl API failures to retrieve sys config file? Could it be load related (even though that doesn't match-up with day 2,3,4)? Are there any config settings that could be contributing? Also, what determines the text format returned by SystemConfigSync.download_file()?

231 Views, 0 likes, 1 Comment

Authorization Required Error in PoolMemberChangeState.pl
Hello, I'm working through the sample provided to enable/disable pool member. When I run the script I get the following error:

    C:\Users\OXSHTU\Documents\newsetupAPI\iControl-11.1.0\sdk\samples\soap\perl\soaplite\LocalLB>C:\strawberry\perl\bin/perl5.16.3.exe test-icontrolproxy-pool-member-state.pl IPofF5 443 MyUserID MyPassword IPofPoolMember:8080 disable
    Get devices...
    401 F5 Authorization Required at test-icontrolproxy-pool-member-state.pl line 138.

I tested that I can manually log in to the F5 and perform disable/enable tasks. Here is what I have in the .pl script starting from line 136:

    # EM: get devices.
    print "\nGet devices...\n";
    my $resp = $soap->uri('urn:iControl:Management/EM')->get_devices();
    my $device_list = $resp->result;

    # EM: generate a context ID.
    print "\nGenerate context ID...\n";
    $resp = $soap->uri("urn:iControl:Management/EM")->get_context_id();
    my $context_id = $resp->result;

    # Append context ID to SOAP URI.
    $proxy_uri = sprintf("%s?context_id=%s", $proxy_uri, $context_id);
    $soap = SOAP::Lite->proxy($proxy_uri);

Thank you!

Solved, 400 Views, 0 likes, 2 Comments

tacacs attribute value pair settings for remote role attributes
Hi, I've read Sol8811 and sol8808 and articles

https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.U0yHO_mulsE
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_mgmt_auth.html1030640

On ACS 4.2, I got auth working via the following: create a 'new service' on the Interface Configuration>Tacacs+(Cisco IOS)>New Services. I created a new service called 'F5_extras' with protocol 'IP'. This enables the new setting to appear in my existing Group (which contains many different vendor equipment). In the Group setting I can assign PPP IP via 'custom attributes' window:

    service=PPP
    protocol=IP

Obviously set your F5_extras in your LTM tacacs configuration. (NOTE: IP assignment of dialup was not required for me - it's mentioned in a forum).

For REMOTE ROLES how do I configure the ACS for the attributes? E.g., mentioned on the dev central forum, a user applied these attributes to the ACS device:

    F5-LTM-Host=4500ltm1
    F5-LTM-User-Role=administrator
    F5-LTM-User-Partition=Common
    F5-LTM-User-Console=tmsh

From the Cisco site, the attribute value examples are:

• acl=
• autocmd=
• callback-line
• callback-rotary
• cmd-arg=
• cmd=

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2-1/User_Guide/acs421ug/A_TACAtr.htmlwp977782305Views0likes1Comment