deployment
3823 Topics

How to correctly monitor a Database Oracle
We are configuring a health monitor for an Oracle database which has the following configuration parameters:

    Send String: select * from dual
    Response: X
    user: CONSULTA_ANALISTA
    password: xxxxxxx
    connection string: PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = %node_ip%)(PORT = %node_port%)) ) (CONNECT_DATA = (SID = PRODM1) ) )
    Row: 3
    Column: 1
    alias address: 172.20.1.73
    alias service port: 1527

The monitor doesn't work and the pool member is never seen as up. I have looked at the debug of the connection and this is what I see in a portion of it:

    [root@ltm1:Active:Changes Pending] monitors tail -30 Common_BD_monitor_PDN-Common_BD-1527.log
    DATABASE=PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = %node_ip%)(PORT = %node_port%)) ) (CONNECT_DATA = (SID = PRODM1) ) )
    DEBUG=yes
    MON_INST_LOG_NAME=/var/log/monitors/Common_BD_monitor_PDN-Common_BD-1527.log
    MON_TMPL_NAME=/Common/BD_monitor_PDN
    NODE_IP=::ffff:172.20.1.73
    NODE_PORT=1527
    PASSWORD=nc5gf56y
    RECVCOLUMN=1
    RECVROW=3
    RECV_I=X
    SEND=select * from dual
    USERNAME=CONSULTA_ANALISTA
    TMOS_RD: 0 (0)
    Daemon port: 1521
    count='0' converts to '0'
    Command-line PID filename: /var/run/ORACLE__Common_BD_monitor_PDN_::ffff:172.20.1.73-0_1527.pid
    PID file /var/run/DBDaemon-0.pid exists. Checking for correctness of PID.
    DBDaemon on port 1521 says its PID is 19578.
    PID matches
    EXCEPTION connecting to DBDaemon: fflush(): Connection reset by peer

I have also tried putting all the info directly like this:

    ********** Debugging session beginning at: Mon Jul 6 17:07:02 2015
    Arguments 1-2: ::ffff:172.20.1.73 1527
    Environment variables:
    COUNT=0
    DATABASE=PRODM1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 172.20.1.73)(PORT = 1527)) ) (CONNECT_DATA = (SID = PRODM1) ) )
    DEBUG=yes
    MON_INST_LOG_NAME=/var/log/monitors/Common_BD_monitor_PDN-Common_BD-1527.log
    MON_TMPL_NAME=/Common/BD_monitor_PDN
    NODE_IP=::ffff:172.20.1.73
    NODE_PORT=1527
    PASSWORD=nc5gf56y
    RECVCOLUMN=1
    RECVROW=1
    RECV_I=ok
    SEND=TNSPING 172.20.1.73 1527
    USERNAME=CONSULTA_ANALISTA
    TMOS_RD: 0 (0)
    Daemon port: 1521
    count='0' converts to '0'
    Command-line PID filename: /var/run/ORACLE__Common_BD_monitor_PDN_::ffff:172.20.1.73-0_1527.pid
    PID file /var/run/DBDaemon-0.pid exists. Checking for correctness of PID.
    DBDaemon on port 1521 says its PID is 19578.
    PID matches
    Asking daemon to ping remote database.
    Expected result not received: Database down, see /var/log/DBDaemon.log for details.
    Database down, see /var/log/DBDaemon.log for details.

If I look into /var/log/DBDaemon.log, it isn't updating. It seems that somehow the process is attached to another monitor over port 1521, and maybe that is the origin of the conflict and failure of the Oracle monitoring:

    [root@ltm1:Active:Changes Pending] monitors ps -fe|grep DB
    root 19578 1 0 Jun16 ? Ssl 43:33 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -cp /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/rt.jar:/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/charsets.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/sqljdbc4.jar:/usr/share/monitors/ojdbc6.jar:/usr/share/monitors/postgresql-8.3-604.jdbc3.jar -Xmx64m com.f5.eav.DBDaemon 1521 19578 0

1.2K Views | 1 like | 5 Comments

Connections vs sessions
Hi all,

This is my first post, so apologies if I'm breaking any standards. I'm having trouble figuring out the difference between connections and sessions. No matter how much I Google this, I'm not finding a simple answer.

Let me phrase it this way: if you read the article on "LTM: Dueling Timeouts" (https://devcentral.f5.com/articles/ltm-dueling-timeouts), it says: "Persistence timeouts are actually idle timeouts for a session, rather than a single connection." Unfortunately that statement does not tell us anything meaningful unless the definition of a connection and session is clarified.

Or to put it another way, if you consult the F5 V11 configuration guide as it relates to session persistence profiles (http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-1-0/ltm_persist_profiles.html), it says: "The primary reason for tracking and storing session data is to ensure that client requests are directed to the same pool member throughout the life of a session or during subsequent sessions."

So my question here would be: what factors influence whether ongoing HTTP GET requests (as an example) constitute a single session, or subsequent sessions? I'd really appreciate somebody's help here, as I know this is a fundamentally basic concept but I'm unable to find a definitive answer.

4.5K Views | 1 like | 5 Comments

Use Specific Gateway Pool based on SNAT address
Hi All,

Currently we have 3 ISP links which I am trying to get routing correctly based on outbound SNAT. I have created SNAT Pools for the internal subnets that contain IPs from each of the three ISPs. The F5 seems to be SNATing to one of the external IPs from the pool, then using our Wildcard Server, Round Robin to send the traffic down any one of the three ISP links. This results in the traffic going down the right link only every other time.

    ISP A    ISP B    ISP C
    Internal 192.168.20.0/24

Current Issue:

    F5 -> SNAT addresses 192.168.20.0/24 to external IP from ISP A -> Round Robin and send down link ISP A, B or C

I would like to configure it so the F5 uses the correct ISP link based on its SNAT address. Someone please tell me this is possible?

Best Regards,
Scott

173 Views | 1 like | 0 Comments

Using APM to authenticate to Windows AD with a UPN that is different than our domain name
Hi all,

I am trying to use F5 APM to log in to a webtop with Windows AD credentials, but when using my UPN = myuser@university.com it does not work because our real AD domain is school.university.com.

Without APM, normally a user with UPN student@university.com logs in and AD does a lookup in the GAL and finds out who you are and where you belong, i.e. student@university.com is also student@mail.university.com.

So when using my APM webtop, if I log in as myuser@school.university.com, all works fine. But if I try myuser@school.com, it fails.

I have read SOL12252: Microsoft Active Directory authentication using UPN may fail if the user's UPN suffix does not match the domain suffix. This sounds like the right way to go, but I cannot seem to get it to work. Has anyone had to deal with a similar situation?

Thanks,
Chung

1K Views | 1 like | 8 Comments

tmsh, can list partition.. but what about applications (path)?
With TMSH, performing a "list ltm virtual" displays the list of virtual servers in the partition. If I'm in a partition (probably the same with Common, but I haven't tested) where I configured my applications with iApps and run a "list ltm virtual", I do not get any result. This is because it's an application and I should "cd" to the application (example: cd /// ) before being able to list the virtual servers.

Interesting: with virtual-address I do not need that, as it will be shown from the partition with "list ltm virtual-address".

Questions:

- The application is somehow working as a sub-partition when in tmsh. How to get the name? "list auth partition" doesn't list the application (path). If I have tmsh scripts running, how could I list it? My issue is that the name of the app can be changed from my application manager, the partition name not (as the BIGIP admin I control that). So I should be able to find it in a dynamic way.
- How to list all objects in the same way as the GUI provides ("ALL-readonly" partition)?

728 Views | 1 like | 2 Comments

iRule for SMTP: Passing Client IP Addr to backend mail servers
When SNATs are used for a virtual server, the backend SMTP servers cannot get the client IP address. This iRule is intended to replace the string after "EHLO" or "HELO" in mail client initiation with the client's real IP address. For us, this could enable us to track down an offending mail originating device.

    when CLIENT_ACCEPTED {
        # Underscore, not hyphen: Tcl reads $c-addr as $c followed by "-addr"
        set c_addr [IP::client_addr]
        log local0. "Client addr: $c_addr"
    }
    when CLIENT_DATA {
        STREAM::expression {@^EHLO.*\r\n@@ @^HELO.*\r\n@@}
        STREAM::enable
        event STREAM_MATCHED enable
    }
    when STREAM_MATCHED {
        set mstring [STREAM::match]
        log local0. "STREAM_MATCHED: string: $mstring"
        if {$mstring starts_with "EHLO"} {
            set replacement "EHLO $c_addr\r\n"
            log local0. "STREAM_MATCHED: replacement string: $replacement"
            # STREAM::replace takes only the replacement text for the current match
            STREAM::replace $replacement
        }
        if {$mstring starts_with "HELO"} {
            set replacement "HELO $c_addr\r\n"
            log local0. "STREAM_MATCHED: replacement string: $replacement"
            STREAM::replace $replacement
        }
        event STREAM_MATCHED disable
    }
    when SERVER_DATA {
        STREAM::disable
    }

This is just an idea at this moment, and I won't be able to test the code until I find a suitable test environment for it; but for now, any comment is welcome as to whether this will work at all and, if yes, what can be improved. Thanks.

3.3K Views | 1 like | 15 Comments

Logging SMTP traffic info via HSL to remote log server.
Our SMTP servers need info about mail messages being sent in order to identify the mail sending devices (and thereby the mail sending users) but are not able to do so due to the use of SNATs on the LTM. I have put together an iRule based on some existing shared code to log relevant info to a remote log server, as shown below. I'd appreciate it if anybody can let me know if there is anything missing/incorrect in it:

    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto UDP -pool /APPLICATION/test_logserver]
        # Initialise so the first "RCPT TO:" append does not read an unset variable
        set crcpt ""
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_ACCEPTED\n"
        TCP::collect
    }
    when CLIENT_DATA {
        set cdata [TCP::payload]
        # Keep collecting until a complete command line has arrived
        if { [ string length $cdata ] <= 0 } { return }
        if { not ( $cdata contains "\r\n" ) } { return }
        if { $cdata starts_with "MAIL FROM:" } {
            set cfrom [TCP::payload]
            set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
            HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $cfrom\n"
        } elseif { $cdata starts_with "RCPT TO:" } {
            set crcpt "$crcpt[TCP::payload]"
            set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
            HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $crcpt\n"
        }
        # Release every collected command to the server (a return before this
        # would hold the logged command back), then collect the next one
        TCP::release
        TCP::collect
    }
    when CLIENT_CLOSED {
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_CLOSED\n"
    }

Another question: if an SMTP security profile in ASM is enabled, will this iRule run first, or after the security profile is assessed?

988 Views | 1 like | 5 Comments

GTM Listener ip with routing domain
Hello,

Is it possible to make a listener IP with a routing domain value such as %1? We need to implement GTM on a single network with the delegation method, so we have to do that.

For example: there is a single subnet like 12.12.12.0/24 and I have given two different IPs as self IPs, such as 12.12.12.12%1 for the client side and 12.12.12.14%2 for the server side. Could someone comment on the implementation?

Thank you.

1.4K Views | 1 like | 6 Comments