big-ip ltm
146 Topics

Difference between session user-disabled and state user-down
Both these put the member down but how do they deal with the connections and why do we have two options?

    root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm pool app1 members modify { 10.1.62.240:80 {session user-disabled state user-down }}
    root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool app1
    ltm pool app1 {
        members {
            10.1.62.240:http {
                address 10.1.62.240
                session user-disabled
                state user-down
            }

And the next one:

    root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm pool app1 members modify { 10.1.62.243:80 {session user-disabled }}
    root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool app1
    ltm pool app1 {
        members {
            10.1.62.240:http {
                address 10.1.62.240
                session user-disabled
                state user-down
            }
            10.1.62.241:http {
                address 10.1.62.241
                monitor http
                session monitor-enabled
                state down
            }
            10.1.62.243:http {
                address 10.1.62.243
                session user-disabled
                state down
            }
            10.1.62.244:http {
                address 10.1.62.244

3K Views, 0 likes, 1 Comment

Client unable to bind to LDAPs through LTM virtual for LDAPS
I have set up my F5 LTM 11.4.0 to have a virtual server that is receiving LDAP requests over 636. I have a profile set up with a cert/key for the client communication and a server profile set up with no cert/key (as I will use the cert being served up by the AD resource). I made 2 virtuals technically, as I did one manually and the other through the iApp... both failed. The client application attempts to connect and gets an "unable to connect". Installed 2 third-party tools and get the same type of error messages. When I set up the F5 LTM to have no cert/key on the client and whistle the transaction through - it works. Even when I use 636 on the server side, it works (appears to rule out the AD cert). However, once I put the client cert/key back in - it fails. So everything points to either a cert issue or an F5 configuration issue. I'm not sure how to troubleshoot it as the certificate really does look valid. (Correct SAN, Key Usage, SHA1 algorithm, etc.) Even the tcpdump analysis simply states: SYN / SYN,ACK / ACK / cert exchange / change cipher spec x3 / ACK / RST,ACK - Why the hell did it send a reset packet? Any advice on how to troubleshoot this?

2.3K Views, 0 likes, 17 Comments

Gather a list of virtuals and or pools that are offline state and provide duration
Hi, I am looking for a way in tmsh to provide a list of offline VIPs/pools. In addition to that, I want to know how long they were offline. I know I can sift through the LTM logs but that will take too long for what I want to accomplish. If I go to the GUI, I can list a set of VIPs/Pools based on 'offline' status, however it does not provide duration, just shows the current state.

1.2K Views, 0 likes, 10 Comments

LTM/GTM Combo w/ multiple partitions - Datacenters creation outside Common
I have two F5 BIG-IP Virtual Editions, each with LTM and GTM modules. We've created a secondary partition on each to allow for future expansion. All of the LTM config is deployed outside of the Common partition. I've managed to make my way through getting the SSL certs shared between both devices with the bigip_add command and have verified with iqdump. The next step was to add the Datacenters to the GTM configuration. I have the secondary (non-Common) partition selected; however, when I create the Datacenter objects they are always created in the "Common" partition. Since I wasn't able to create the Datacenters in the new partition in any obvious way, I ran with the assumption that this was expected behavior. Now when I move on to create the Server objects for the GTM/LTM devices I am able to do so successfully and they pull back and show all VS online. Moving on to creating pools is where the problems start. When I attempt to create a Pool I get this: "An error has occurred while trying to process your request." I should note that currently each device is configured with a single Self IP and the GTM listener is attached to that IP address. Also, the following is found in the GTM log. No additional log entries are generated when I attempt to create a Pool.

    Oct 5 03:16:03 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.45:80 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:03 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_ad_http (ip:port=130.24.107.45:80) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:04 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.50:135 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:04 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_rpc (ip:port=130.24.107.50:135) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:07 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.42:80 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:07 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_owa_http (ip:port=130.24.107.42:80) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:09 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.44:443 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:09 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_oa_https (ip:port=130.24.107.44:443) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green
    Oct 5 03:16:10 brsl011a alert gtmd[4530]: 011ae0f2:1: Monitor instance /Common/bigip 130.24.107.43:443 UNKNOWN_MONITOR_STATE --> UP from 130.24.107.41 (UP)
    Oct 5 03:16:10 brsl011a alert gtmd[4530]: 011a6005:1: SNMP_TRAP: VS /PP2-Main-Exch/cgt-pp2-exch-preprod_app/cgt-pp2-exch-preprod_as_https (ip:port=130.24.107.43:443) (Server /Common/ns2.wip-pp.contoso.com) state change blue --> green

I have a couple of questions.

1) Are the Datacenters being created inside the Common partition instead of the secondary partition an expected result, or should I be able to create Datacenters and have them show in my secondary partition?
2) Knowing the above is currently true (Datacenters in Common partition), when I go to create the Pools would this be a cause for the error?

Thanks to anyone who actually read this lengthy post and to anyone who can help out! Cheers

899 Views, 0 likes, 7 Comments

iRules base on URL matching
I have the following iRule and it's working, but now I have a requirement to match URL developers and developer (without "s"), so how do I match that string? Also, I want to redirect developers.vivox.com (both without s) from http to https, so I don't know where to put that rule in the following code.

    when HTTP_REQUEST {
        # Log the client address and the requested host and URI
        log local0. "client: [IP::remote_addr] -> [HTTP::host][HTTP::uri]"
        # Select the pool by Host header (case-insensitive)
        if { [string tolower [HTTP::host]] equals "developers.example.com" } {
            pool DEV_pool
        } else {
            pool QA_pool
        }
    }

898 Views, 0 likes, 3 Comments

Recurrent Curl to a Virtual Server Fails on the Same Subnet
On my network, recurrent curl tests to a virtual server (10.184.1.12) only fail when the source IP is on the same subnet (e.g., 10.184.1.78). When recurrent curl tests are performed from any other subnet (e.g., 10.243.2.3 or 10.123.34.5) to the destination virtual server (10.184.1.12), they NEVER fail. Are there any leads as to what can warrant this?

803 Views, 0 likes, 11 Comments

Bad gateway error 502 on statistic pages
Hey Guys, we are getting this on one of our boxes. It only shows up in the statistics tabs in virtual servers and pools for now. I tried restarting httpd and tomcat but nothing. This is the ltm log:

    tail -f /var/log/ltm
    Jul 18 11:52:51 hostname err tmm1[26088]: 01010221:3: Per-invocation log rate exceeded; throttling.
    Jul 18 11:52:51 hostname err tmm2[26088]: 01010221:3: Per-invocation log rate exceeded; throttling.
    Jul 18 11:52:51 hostname err tmm5[26088]: 01010221:3: Per-invocation log rate exceeded; throttling.
    Jul 18 11:52:51 hostname err tmm4[26088]: 01010221:3: Per-invocation log rate exceeded; throttling.
    Jul 18 11:52:51 hostname err tmm3[26088]: 01010221:3: Per-invocation log rate exceeded; throttling.
    Jul 18 11:52:52 hostname notice mcpd[7982]: 01070727:5: Pool /Common/tibco-preproduction_9257_pool member /Common/dx930:9257 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:28sec ]
    Jul 18 11:52:53 hostname notice mcpd[7982]: 01070727:5: Pool /Common/tibco-preproduction_9362_pool member /Common/dx930:9362 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:29sec ]
    Jul 18 11:52:57 hostname notice mcpd[7982]: 01070727:5: Pool /Common/tibco-preproduction_9059_pool member /Common/dx930:9059 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:28sec ]
    Jul 18 11:52:57 hostname notice logger: /usr/bin/syscalld ==> /usr/bin/bigstart restart tomcat
    Jul 18 11:53:08 hostname warning tmm5[26088]: 01260009:4: Connection error: hud_ssl_handler:1199: codec alert (20)
    Jul 18 11:53:24 hostname notice mcpd[7982]: 01070638:5: Pool /Common/arcsight-f5_tcp_514_pool member /Common/AS1285AUFAL02-Sec:515 monitor status down. [ /Common/tcp: down; last error: /Common/tcp: No successful responses received before deadline.; Could not connect. @2018/07/18 11:53:24. ] [ was up for 26hrs:43mins:27sec ]
    Jul 18 11:53:56 hostname notice mcpd[7982]: 01070727:5: Pool /Common/arcsight-f5_tcp_514_pool member /Common/AS1285AUFAL02-Sec:515 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:32sec ]
    Jul 18 11:54:56 hostname warning tmm5[26088]: 01260009:4: Connection error: ssl_passthru:4003: not SSL (40)
    Jul 18 11:55:28 hostname notice logger: /usr/bin/syscalld ==> /usr/bin/bigstart restart tomcat

Also did the pcap on the mgmt and it was all clean. The version is 12.1.2 on the box and we see this on both active and standby boxes. So, what do you think? Thanks.

732 Views, 0 likes, 3 Comments