deployment
3843 Topics

How to correctly monitor an Oracle Database
We are configuring a health monitor for an Oracle database with the following configuration parameters:

Send String: select * from dual
Response: X
User: CONSULTA_ANALISTA
Password: xxxxxxx
Connection string: PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = %node_ip%)(PORT = %node_port%)) ) (CONNECT_DATA = (SID = PRODM1) ) )
Row: 3
Column: 1
Alias address: 172.20.1.73
Alias service port: 1527

The monitor doesn't work and the pool member is never seen as up. I have looked at the debug output of the connection and this is a portion of what I see:

[root@ltm1:Active:Changes Pending] monitors tail -30 Common_BD_monitor_PDN-Common_BD-1527.log
DATABASE=PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = %node_ip%)(PORT = %node_port%)) ) (CONNECT_DATA = (SID = PRODM1) ) )
DEBUG=yes
MON_INST_LOG_NAME=/var/log/monitors/Common_BD_monitor_PDN-Common_BD-1527.log
MON_TMPL_NAME=/Common/BD_monitor_PDN
NODE_IP=::ffff:172.20.1.73
NODE_PORT=1527
PASSWORD=nc5gf56y
RECVCOLUMN=1
RECVROW=3
RECV_I=X
SEND=select * from dual
USERNAME=CONSULTA_ANALISTA
TMOS_RD: 0 (0)
Daemon port: 1521
count='0' converts to '0'
Command-line PID filename: /var/run/ORACLE__Common_BD_monitor_PDN_::ffff:172.20.1.73-0_1527.pid
PID file /var/run/DBDaemon-0.pid exists. Checking for correctness of PID.
DBDaemon on port 1521 says its PID is 19578.
PID matches
EXCEPTION connecting to DBDaemon: fflush(): Connection reset by peer

I have also tried putting all the info in directly, like this:

********** Debugging session beginning at: Mon Jul 6 17:07:02 2015
Arguments 1-2: ::ffff:172.20.1.73 1527
Environment variables:
COUNT=0
DATABASE=PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 172.20.1.73)(PORT = 1527)) ) (CONNECT_DATA = (SID = PRODM1) ) )
DEBUG=yes
MON_INST_LOG_NAME=/var/log/monitors/Common_BD_monitor_PDN-Common_BD-1527.log
MON_TMPL_NAME=/Common/BD_monitor_PDN
NODE_IP=::ffff:172.20.1.73
NODE_PORT=1527
PASSWORD=nc5gf56y
RECVCOLUMN=1
RECVROW=1
RECV_I=ok
SEND=TNSPING 172.20.1.73 1527
USERNAME=CONSULTA_ANALISTA
TMOS_RD: 0 (0)
Daemon port: 1521
count='0' converts to '0'
Command-line PID filename: /var/run/ORACLE__Common_BD_monitor_PDN_::ffff:172.20.1.73-0_1527.pid
PID file /var/run/DBDaemon-0.pid exists. Checking for correctness of PID.
DBDaemon on port 1521 says its PID is 19578.
PID matches
Asking daemon to ping remote database.
Expected result not received: Database down, see /var/log/DBDaemon.log for details.
Database down, see /var/log/DBDaemon.log for details.

If I look into /var/log/DBDaemon.log, it isn't updating. It seems that somehow the process is attached to another monitor over port 1521, and maybe that is the origin of the conflict and the failure of the Oracle monitoring:

[root@ltm1:Active:Changes Pending] monitors ps -fe|grep DB
root 19578 1 0 Jun16 ? Ssl 43:33 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -cp /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/rt.jar:/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/charsets.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/sqljdbc4.jar:/usr/share/monitors/ojdbc6.jar:/usr/share/monitors/postgresql-8.3-604.jdbc3.jar -Xmx64m com.f5.eav.DBDaemon 1521 19578 0

Connections vs sessions
Hi all,

This is my first post, so apologies if I'm breaking any standards. I'm having trouble figuring out the difference between connections and sessions. No matter how much I Google this, I'm not finding a simple answer.

Let me phrase it this way: if you read the article "LTM: Dueling Timeouts" (https://devcentral.f5.com/articles/ltm-dueling-timeouts), it says:

"Persistence timeouts are actually idle timeouts for a session, rather than a single connection."

Unfortunately that statement does not tell us anything meaningful unless the definitions of a connection and a session are clarified. Or, to put it another way, if you consult the F5 v11 configuration guide as it relates to session persistence profiles (http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-1-0/ltm_persist_profiles.html), it says:

"The primary reason for tracking and storing session data is to ensure that client requests are directed to the same pool member throughout the life of a session or during subsequent sessions."

So my question here would be: what factors influence whether ongoing HTTP GET requests (as an example) constitute a single session, or subsequent sessions? I'd really appreciate somebody's help here, as I know this is a fundamentally basic concept but I'm unable to find a definitive answer.

Use Specific Gateway Pool based on SNAT address
Hi All,

Currently we have 3 ISP links which I am trying to get routing correctly based on outbound SNAT. I have created SNAT pools for the internal subnets that contain IPs from each of the three ISPs. The F5 seems to be SNATing to one of the external IPs from the pool, then using our wildcard server, round robin, to send the traffic down any one of the three ISP links. This results in the traffic going down the right link only every other time.

ISP A
ISP B
ISP C
Internal 192.168.20.0/24

Current issue:
F5 -> SNATs addresses 192.168.20.0/24 to an external IP from ISP A -> Round robin and send down link ISP A, B or C

I would like to configure it so the F5 uses the correct ISP link based on its SNAT address. Someone please tell me this is possible?

Best Regards,
Scott

Using APM to authenticate to Windows AD with a UPN that is different than our domain name
Hi all,

I am trying to use F5 APM to log in to a webtop with Windows AD credentials, but when using my UPN = myuser@university.com it does not work, because our real AD domain is school.university.com.

Without APM, normally a user with UPN student@university.com logs in and AD does a lookup in the GAL and finds out who you are and where you belong, i.e. student@university.com is also student@mail.university.com.

So when using my APM webtop, if I log in as myuser@school.university.com, all works fine. But if I try myuser@school.com, it fails.

I have read SOL12252: Microsoft Active Directory authentication using UPN may fail if the user's UPN suffix does not match the domain suffix. This sounds like the right way to go, but I cannot seem to get it to work.

Has anyone had to deal with a similar situation?

Thanks,
Chung

F5 CNF/BNK issue with DNS Express tmm scaling and zone notifications
I did see an interesting issue with DNS Express with Next for Kubernetes when playing in a test environment.

When you have 2 TMM pods in the same namespace, as the DNS zone mirroring is done by the zxfrd pod, you need to create a listener "F5BigDnsApp" as shown in https://clouddocs.f5.com/cnfs/robin/latest/cnf-dnsexpress.html#create-a-dns-zone-to-answer-dns-queries for the optional notify that will feed this to the TMM and then to the zxfrd pod. The issue happens when you have 2 or more TMM, as then the "F5BigDnsApp", which is like a virtual server/listener, causes an ARP conflict on the internal VLANs, as the two TMM on two different Kubernetes/OpenShift nodes advertise the same IP address on layer 2. This is seen with "kubectl logs" ("oc logs" for OpenShift) on the TMM pods, which mention the duplicate ARP detected. Interestingly, the same does not happen when you do this for the normal listener on the external VLAN (the one that captures and responds to the client DNS queries), as I think by default ARP is stopped for the external listener that can be on 2 or more TMM, as ECMP BGP is used to redistribute the traffic to the TMM by design.

I see 4 possible solutions. One is to be able to control the ARP for the "F5BigDnsApp" CRD for internal or external VLANs (BGP ECMP to be used also on the server side then), and the second is to be able to select "F5BigDnsApp" to be deployed on just 1 TMM even if there are more. Also, an IP address could be configured for the listener that is not part of the internal IP address range, but then, as I see with "kubectl logs" on the ingress controller (f5ing-tmm-pod-manager), the config is not pushed to the TMM, and also with "configview" from the debug sidecar container on the TMM pods there is no listener at all. The manager logs suggest that this is because the listener IP address is not part of the self-IP range under the internal VLAN; this may be a system limitation, with no one thinking about this use case, as in BIG-IP it is supported to have a VIP on a non-self-IP address range that is not advertised with ARP because of this. The last solution that can work at the moment is to have many TMM in different namespaces on different Kubernetes nodes, with affinity rules that deploy each TMM on a different node even if the TMM are in different namespaces, by matching a configured label (see the example below), as maybe this is the current working design: one zxfrd pod with one TMM pod in a namespace. But then the auto-scaling may not work, as auto-scale should create a new TMM pod in the same namespace if needed.

Example:

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchLabels:
          app: tmm              # Match Pods in any namespaces that have this label
      namespaceSelector: {}     # empty selector = all namespaces
      topologyKey: "kubernetes.io/hostname"

Also it should be considered whether the zxfrd pod can push the DNS zone to the RAM of more than one TMM pod, as maybe it can't, as maybe currently only one-to-one is supported. Maybe it was never tested what happens when you have a Security Context IP address on the internal network and multiple TMM pods.

Interesting stuff that I just wanted to share, as this was just testing things out 😄

tmsh, can list partition.. but what about applications (path)?
With tmsh, performing a "list ltm virtual" displays the list of virtual servers in the partition. If I'm in a partition (probably the same with Common, but I haven't tested) where I configured my applications with iApps and run a "list ltm virtual", I do not get any result. This is because it's an application and I should "cd" to the application (example: cd /// ) before being able to list the virtual servers. Interesting: with virtual-address I do not need that, as it will be shown from the partition with "list ltm virtual-address".

Questions:

The application is somehow working as a sub-partition when in tmsh. How do I get the name? "list auth partition" doesn't list the application (path). If I have tmsh scripts running, how could I list it? My issue is that the name of the app can be changed by my application manager, but the partition name cannot (as the BIG-IP admin I control that). So I should be able to find it in a dynamic way.

How do I list all objects in the same way as the GUI provides ("ALL-readonly" partition)?

iRule for SMTP: Passing Client IP Addr to backend mail servers
When SNATs are used for a virtual server, the backend SMTP servers cannot get the client IP address. This iRule is intended to replace the string after "EHLO" or "HELO" in the mail client initiation with the client's real IP address. For us, this could enable us to track down an offending mail-originating device.

    # Requires a stream profile on the virtual server so that STREAM:: commands are available.
    when CLIENT_ACCEPTED {
        # A Tcl variable named "c-addr" cannot be dereferenced as $c-addr
        # (Tcl reads that as $c followed by "-addr"), so use an underscore.
        set client_addr [IP::client_addr]
        log local0. "Client addr: $client_addr"
        # Arm the stream filter on the client-to-server direction. CLIENT_DATA would
        # only fire after a TCP::collect, so the filter is set up here instead.
        # The empty replacement part means the replacement is supplied in STREAM_MATCHED.
        STREAM::expression {@^EHLO.*\r\n@@ @^HELO.*\r\n@@}
        STREAM::enable
        event STREAM_MATCHED enable
    }
    when SERVER_CONNECTED {
        # Never rewrite data flowing from the mail server back to the client.
        STREAM::disable
    }
    when STREAM_MATCHED {
        set mstring [STREAM::match]
        log local0. "STREAM_MATCHED: string: $mstring"
        if { $mstring starts_with "EHLO" } {
            set replacement "EHLO $client_addr\r\n"
        } else {
            set replacement "HELO $client_addr\r\n"
        }
        log local0. "STREAM_MATCHED: replacement string: $replacement"
        # STREAM::replace takes only the text that replaces the matched string.
        STREAM::replace $replacement
        # Only the first greeting on the connection is rewritten.
        event STREAM_MATCHED disable
    }

This is just an idea at the moment, and I won't be able to test the code until I find a suitable test environment for it; but for now, any comment is welcome as to whether this will work at all and, if yes, what can be improved. Thanks.

Logging SMTP traffic info via HSL to remote log server.
Our SMTP servers need info about the mail messages being sent in order to identify the mail-sending devices (and thereby the mail-sending users), but are not able to do so due to the use of SNATs on the LTM. I have put together an iRule based on some existing shared code to log relevant info to a remote log server, as shown below. I'd appreciate it if anybody can let me know if there is anything missing or incorrect in it:

    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto UDP -pool /APPLICATION/test_logserver]
        # Accumulates the RCPT TO: lines of this session; it must exist before it is appended to.
        set crcpt ""
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_ACCEPTED\n"
        TCP::collect
    }
    when CLIENT_DATA {
        set cdata [TCP::payload]
        if { [string length $cdata] <= 0 } { return }
        # Keep collecting until a complete command line has arrived.
        if { not ( $cdata contains "\r\n" ) } { return }
        if { $cdata starts_with "MAIL FROM:" } {
            set cfrom $cdata
            set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
            HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $cfrom\n"
        } elseif { $cdata starts_with "RCPT TO:" } {
            append crcpt $cdata
            set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
            HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $crcpt\n"
        }
        # Always release the collected payload to the server and collect the next command.
        # Returning without a release would leave the command buffered and stall the session.
        TCP::release
        TCP::collect
    }
    when CLIENT_CLOSED {
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_CLOSED\n"
    }

Another question: if an SMTP security profile in ASM is enabled, will this iRule run first, or only after the security profile is assessed?