big-ip gtm
54 Topics

Simple iRule For DNS Intercept on Big IP DNS
Within our network we are using Big IP DNS for all of our DHCP clients, so all DNS requests come to the BIG IP DNS first for resolution. If there is no Wide IP set up for the DNS request, then the request is just forwarded to our Windows DNS servers for resolution. This all works fine; however, due to various mergers we now have a situation whereby we have an FQDN that is handled on the Windows DNS servers by use of conditional forwarders for that FQDN domain. Unfortunately, the DNS servers, which are in another country, are resolving this specific FQDN to an IP address (which is a NAT address) which we cannot route to from our country. The specific server which provides the services for this FQDN is actually based in our country and we can route to the 'real' IP address (but not the NAT), but for operational reasons we need to use the conditional forwarders and the DNS resolution from the overseas DNS servers. So, all I want to do is put a very simple iRule on the F5 Big IP DNS which sits behind the FQDN, which I will present as a Wide IP, so that if any of the DHCP clients which use the F5 Big IP DNS for DNS resolution does a lookup for that specific FQDN, the iRule will return the 'real' IP address of the server and the DNS request will have been intercepted before it reaches the Windows DNS servers. I'm sure that this is something REALLY simple to achieve, but not being an iRule expert, I just cannot seem to get the syntax correct to make this happen. I'm sure this is probably a 3-line iRule, but I'm failing to find a simple example anywhere! All it needs to do is: create a Wide IP of "ABC.DOMAIN.PRIVATE" and apply the simple iRule of:

    if DNS lookup = "ABC.DOMAIN.PRIVATE" then return DNS response "123.123.123.123" else process requests as normal

Surely this is possible? Can anyone help with an example iRule? Any help appreciated. Dom.

GTM (DNS) Monitoring of LTM Virtual Servers when LTM Virtual Server IPs are NATed via Firewall
I'd like to share my experience of a specific scenario in deploying GTM and LTM and open it up to the community, in case we can find a better way to do this than what I've come up with. My company recently purchased some F5 LTMs and GTMs, and there were a couple of design requirements / constraints that we had to follow.

Scenario & Network Design Requirements:

1) All Self-IPs and Virtual Servers on the F5 LTM must use private IP addresses and must not use public IP addresses.
2) For applications that are served via F5 LTM Virtual Servers and need to be accessed over the internet, the public IP will be NAT-ed from an internet-facing firewall to the private IP that is configured on the F5 LTM virtual server.
3) GTM will need to be able to monitor the status of Virtual Servers on the LTM using iQuery, but when GTM responds to public DNS queries, GTM must return the public IP.

As you can see, we already have a problem here, because Virtual Server Discovery will populate the LTM Server object on the GTM with all the Virtual Servers on the LTM, but they're all configured with private IPs. You cannot link these virtual servers to Wide IP Pools and onwards to Wide IPs, because then GTM will return private IPs when it receives DNS queries.

The solution that I came up with was to do this:

1) Establish iQuery between the LTM and GTM and also enable Virtual Server Discovery.
2) Manually create Server objects of product Generic Host for each Virtual Server that needs to be reached over the internet; use the public IP that has been allocated by the Network Team, which will be NAT-ed at the Firewall (eg. 1.1.1.1); do not apply any Health monitors; do not fill in the "Translation" field.
3) Manually create Virtual Server objects under the Server object created in 2 above; use the public IP that has been allocated by the Network Team, which will be NAT-ed at the Firewall (eg. 1.1.1.1); switch the "Configuration" drop-down menu to "Advanced"; apply a simple gateway_icmp monitor; in the Dependency List, search for the actual virtual server which will accept the traffic (eg. 10.1.1.1). This virtual server would have been discovered earlier in 1 by Virtual Server Discovery.

This means the diagram now becomes like this:

When we do 3 above, what happens is that the GTM will ping the public NAT-ed IP of the Virtual Server (1.1.1.1), the firewall will NAT the IP to the private IP (10.1.1.1), the ping will reach the LTM Virtual Server and, if the ping is successful, the object will be green on the GTM. This alone is not enough, however, as on the LTM a "Standard" type virtual server will still respond to pings even if all the pool members are unavailable and the virtual server is also unavailable (this is where I think Virtual Server status as updated via iQuery is superior to a normal monitor), so to solve this problem I used the Dependency List option below the Health Monitor section and chose the corresponding Virtual Server that was discovered by Virtual Server Discovery (VS1 10.1.1.1). This way, should all the pool members become unavailable on the LTM, the LTM will update the status of the virtual server to the GTM via iQuery and the GTM will make the 1.1.1.1 Virtual Server object unavailable even if the pings are still successful.

So my question to the community is: given the restrictions above, is this the correct way to make GTM give out public IPs when the Virtual Servers on the LTMs are configured with private IPs?

There was another question on this same topic from 2016 (linked below), but it sort of died out without a resolution: https://devcentral.f5.com/questions/gtm-to-give-away-public-ip-address-while-monitoring-the-private-ltm-vs-49835

Update 15 Mar 2019: I learnt that when adding an LTM that's separated from the GTM via a Firewall that does NAT translation, the GTM will not perform Virtual Server Discovery: https://support.f5.com/csp/article/K91381

LTM/GTM Combo w/ multiple partitions - Datacenters creation outside Common
I have two F5 BIG-IP Virtual Editions, each with LTM and GTM modules. We've created a secondary partition on each to allow for future expansion. All of the LTM config is deployed outside of the Common partition. I've managed to make my way through getting the SSL certs shared between both devices with the bigip_add command and have verified with iqdump. The next step was to add the Datacenters to the GTM configuration. I have the secondary (non-Common) partition selected; however, when I create the Datacenter objects they are always created in the "Common" partition. Since I wasn't able to create the Datacenters in the new partition in any obvious way, I ran with the assumption that this was expected behavior. Now, when I move on to create the Server objects for the GTM/LTM devices, I am able to do so successfully and they pull back and show all VS online. Moving on to creating pools is where the problems start. When I attempt to create a Pool I get this: "An error has occurred while trying to process your request." I should note that currently each device is configured with a single Self IP and the GTM listener is attached to that IP address. Also, the following is found in the GTM log. No additional log entries are generated when I attempt to create a Pool.

    Oct 5 03:16:03 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.45:80 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:03 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_ad_http (ip:port=130.24.107.45:80) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:04 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.50:135 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:04 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_rpc (ip:port=130.24.107.50:135) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:07 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.42:80 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:07 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_owa_http (ip:port=130.24.107.42:80) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:09 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.44:443 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:09 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_oa_https (ip:port=130.24.107.44:443) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:10 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.43:443 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:10 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_as_https (ip:port=130.24.107.43:443) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green

I have a couple of questions.

1) Is the Datacenters being created inside the Common partition instead of the secondary partition an expected result, or should I be able to create Datacenters and have them show in my secondary partition?
2) Knowing the above is currently true (Datacenters in the Common partition), when I go to create the Pools, would this be a cause for the error?

Thanks to anyone who actually read this lengthy post and to anyone who can help out! Cheers

F5 GTM 12.1.2 logs mcpd error repeatedly
Hi, we found log errors after upgrading F5 GTM from 11.4.1 to 12.1.2. (These are just two lines; we have many lines like this, with a different object on each line.)

    Sep 18 17:11:00 gtm02 err mcpd[6182]: 01020036:3: The requested gtm pool (/Common/Pool_192.168.1.170) was not found.
    Sep 18 17:11:01 gtm02 err mcpd[6182]: 01020036:3: The requested gtm pool member (/Common/Pool_192.168.1.176 gtm_ltm /Common/VS_210_10_104_15) was not found.

Is this an issue, or is it a benign log? How do I correct this? Or is v12 not good for GTM? Thank you

Why configure L7 monitor in GTM for PCF applications load-balancing
I came across a GTM-LTM-GoRouter setup where a common set of GoRouters are the pool members for all the LTM VIPs and are monitored with a TCP (L4) monitor, whereas the GTMs, which are configured with the FQDNs of the various applications, have the VIPs of these LTMs as pool members. However, an HTTPS (L7) monitor is deployed as the monitor there. I am not sure why we have this kind of setup. Is it something needed for the PCF kind of deployment?

Changing member priority in GTM using an iRule
Hi, we have a requirement to change the pool member priority in GTM for Global Availability based on the status of a pool member of another pool. How can we accomplish it? We can check the active_members status of the pool, but what command can be used to change the priority of the pool in question? We are currently running version 11.6.0.

Searching and Filtering Objects by Metadata
I've been adding some metadata to the WIPs in our F5 GTMs, eg:

    "metadata": [
        { "name": "xxAppName", "persist": "true", "value": "Web Service" },
        { "name": "xxAppOwner", "persist": "true", "value": "myGroup2" },
        { "name": "xxAppSupport", "persist": "true", "value": "support_email@mydomain.com" },
        { "name": "xxServiceName", "persist": "true", "value": "myService2" },
        { "name": "xxWIPStatus", "persist": "true", "value": "active" }
    ],

This is useful when I'm using Splunk or jq to parse the results, but what if I want to limit the scope of the returned data in the original request, analogous to a filter like "where xxAppSupport == support_email@mydomain.com"? Do any versions of iControl REST (and by extension, the SDK) support this? It'll be really useful when this effort extends to our LTMs. Thanks.

Insight into GTM Preferred vs. Alternate
I have a configuration under the GTM > Topology section in which I have two topology records, each for one DC. I have DC1 weighted higher than DC2, as it is our primary datacenter. Under the GTM Pool, the load balancing algorithm for Preferred is set to Topology, so I would expect, when using nslookup, to always see myself getting sent to DC1. The Alternate is set to Round Robin and Fallback is Return to DNS. Using nslookup I see myself sporadically being sent to DC2, and under statistics I do see that the Alternate method is being triggered. My question is: why? What does Preferred actually mean? Is it a definite? If I set both Preferred and Alternate to Topology, I get the desired behavior of always being sent to DC1 (unless it is down, in a worst-case scenario). If someone could give me some insight into this, that would be great! Thanks, WWTBIGIP

GTM Listener Hostname - Zonerunner NS Records
When a Wide IP for a new domain is added, the NS record for the domain is created automatically using the GTM hostname. Should the GTM listener IP be defined as the A record for that hostname? Is there any best practice defined here? Or should NS records be manually added for all GTMs? Is there any documentation of this?