F5 DNS external monitor
Hi , we are using an F5 DNS (v12.1.2) . We are now getting request for doing a DNS loadbalalancing for 2 IP's in seperate datacenters. (openshift setups) Both IP's are accessible via https but are running multiple instances on same port (so different uri's on same IP) . So using a standard https monitor isn't a solution in this case . https monitor will work but will not show status of individual services . And we need to known the status of individual instances. I was thinking about defining seperate monitors for each url specified . But the problem is that monitoring pools or members is done based on IP address . And i would instead need to use the FQDN in the monitor . i'm able to use a curl command "curl -kvX -H GET https://<dns-name>/checkService" & this works when i use the FQDN .Using IP doesn't work . Anybody an idea on how to use FQDN's in monitor? i also tested with external monitors from articles " https://devcentral.f5.com/s/articles/http-monitor-curl-basic-get" & " https://devcentral.f5.com/s/articles/https-sni-monitoring-how-to" But i'm getting some weird results when using these on F5 DNS .i was able to define the tls-sni monitor but when checking logs from debug i saw it takes all the variables i defined , except the 'hostname" , where F5 DNS continued to use his own hostname. Resulting in a failure . But not really sure if these external monitors are designed for use on LTM only or also on DNS ?
NTP Monitor for 11.x -- With Complete Instructions
Problem this snippet solves: As the F5 LTM does not come with an NTP health monitor, I began my search for one. I found one here, written for 9.x and spent a few minutes getting it to work in 11.5.4. Disclaimer: All the hard work was already done, I simply made a few updates to it for 11.x: https://devcentral.f5.com/codeshare/ntp-monitor How to use this snippet: Upload NTP.pm (NTP Library) via FTP to the '/usr/bin/monitors/CPAN/Net' directory (You will have to create the CPAN and Net folders using the 'mkdir' command in UNIX shell). Import custom NTP healthcheck file, ntp_mon: 'System >> File Management >> External Monitor Program File List >> Import' Local Traffic>> Monitors >> Create Name: ntp_monitor Type:external External Program: ntp_mon Bind to pool, and treat like normal health monitor. To ensure functionality, temporarily add a host that you know does not serve NTP such as your desktop, to ensure it marks the host down. Code : 71928
Health monitor to mark pool member up when a ping FAILS (inverse ping health check)
Hello, I am attempting to figure out the best way to create a health monitor that is an inverse of the ICMP monitor-when ping to an IP fails, I want the pool member to be marked UP. When ping to an IP succeeds, I want the pool member to be marked DOWN. My first attempt at this was using an external monitor with the below script; that does not seem to be working. #!/bin/sh ping -c 5 [IP here] > /dev/null && exit || echo "down" exit $? I am running 11.5.3 HF2. Does anyone know if the best way to achieve this beahvior, or why my script isn't working? It looks like it outputs nothing to stdout (should cause the monitor to fail) unless the ping fails, at which point it outputs something (should cause the monitor to pass)
Radius External Monitor (Python)
This'll be a long post so get a cup of coffee or whatever your poison of choice is. Sooooo, from all my digging around, Python based External Monitors are something that nobody talks about, has gotten right or maybe they just keep the solution to themselves or have realised the futility of python for advanced external monitors. I am unfortunately pretty stubborn when I am faced with an interesting challenge so like a dog with a bone persisted until I got everything working except the actual F5 monitoring part. Bear in mind I am no coder, I'm ok at python, I know F5's relatively well and this is my first external monitor that I have written. The shyte part is that there is, as far as I have seen, no information on using python for external monitors other than a couple of mentions here and there saying that it is possible. As many of you know F5's current Radius monitor will only mark a member up when it has a successful login against a user account and has no means of establishing a connection then simply testing for ANY valid radius response regardless of whether the account supplied is valid or not. This effectively shuts out the use of the F5 Radius monitor for Two Factor Auth systems where security is stringent enough to disallow the use of a single factor auth account with a fixed password for monitoring purposes. To try solve this I wrote up this python script that will establish a connection to a radius server regardless of the number of auth factors it requires, it will then fire off a bogus(or not) authentication attemmpt to the radius server. It's pretty crude, but as long as the connection doesn't time out there will be some sort of response from the radius server which will result in the script writing to stdout so that the F5 will mark the member as up. If there is a timeout the script's exit code is zero with no output so that the member will be marked as down. After importing the script it works like a charm when run from /config/filestore/files_d/Common_d/external_monitor_d/ with the various options. It happily handles the ::ffff: prefix to the IPv4 addresses as well as strips, for now, the routing domain tag in case it's appened to the address, but when it is executed as part of a monitor it fails. For the life of me I can't figure out why and nor have I figured out how to do a detailed debug of the script and what parameters are being handed to it at execution by the F5. So this is where you guys and gals come in and hopefully you can help. The issues I have are as follows: I don't know if I'm envoking the python shebang correctly for F5. Unable to debug the script and /var/log/monitors/Common_radius_monitor.log doesn't have anything relating to script runtime errors. Inspite of using a Syslog handler to try write to syslog-ng I'm unable to output to /var/log/ltm so there isn't anything useful in there (for now). This entire thing might be a complete non-starter if the F5 is super strict about code execution and is shutting out my use of the six and radius modules stored in /config/eav/, but without a run-time debug I can't tell what it's problem is. Unfortunately because of the length of the code and this description I've had to add my script via code share: External Radius Monitor using PythonVariables in an external monitor BASH script
Greetings, I have written a shell script to use as an external monitor. It works as expected when I execute it from the bash shell, but fails as a monitor. I believe the reason for the failure is the way I am using VARIABLEs. Is the code below legal? TMSH='/usr/bin/tmsh' VCS1='10.12.1.11' VCS2='10.12.1.12' DEBUG=1 PRI=$TMSH list ltm snat snat_ids_primary | $GREP -E "$VCS1|$VCS2" if [ "$DEBUG" -eq 1 ]; then echo "IDS_SNAT: Result of Primary SNAT check -> $PRI" | $LOGGER -p local0.debug; fi When run from the CLI interactively the log will have data to in the $PRI variable. Mar 26 17:24:46 local/bip-bxb-lab-01 debug logger: IDS_SNAT: Result of Primary SNAT check -> 10.12.1.11/32 Mar 26 17:24:46 local/bip-bxb-lab-01 debug logger: 10.12.1.12/32 When run as an external monitor the $PRI variable is empty. Mar 26 17:21:24 local/bip-bxb-lab-01 debug logger: IDS_SNAT: Result of Primary SNAT check -> I am clearly doing something wrong I just don't know what. Any help would be appreciated. Thank you.
External Monitor for checking proxy authentication and Internet access
Hello Experts, We are load balancing 3 proxy servers and we are trying to construct an external monitor that both checks if an user can authenticate to the proxy and access the internet. So far we've managed to get the following script working when run from the F5 CLI: !/bin/sh (c) Copyright 1996-2007 F5 Networks, Inc. This software is confidential and may contain trade secrets that are the property of F5 Networks, Inc. No part of the software may be disclosed to other parties without the express written consent of F5 Networks, Inc. It is against the law to copy the software. No part of the software may be reproduced, transmitted, or distributed in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose without the express written permission of F5 Networks, Inc. Our services are only available for legal users of the program, for instance in the event that we extend our services by offering the updating of files via the Internet. @() $Id: http_monitor_cURL+GET,v 1.0 2007/06/28 16:10:15 deb Exp $ (based on sample_monitor,v 1.3 2005/02/04 18:47:17 saxon) these arguments supplied automatically for all external monitors: $1 = IP (IPv6 notation. IPv4 addresses are passed in the form ::ffff:w.x.y.z where "w.x.y.z" is the IPv4 address) $2 = port (decimal, host byte order) Additional command line arguments ($3 and higher) may be specified in the monitor template This example does not expect any additional command line arguments Name/Value pairs may also be specified in the monitor template This example expects the following Name/Vaule pairs: URI = the URI to request from the server RECV = the expected response (not case sensitive) remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) IP=`echo ${1} | sed 's/::ffff://'` PORT=${2} PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid" kill of the last instance of this monitor if hung and log current pid if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${IP}:${PORT}" | logger -p local0.error kill -9 `cat $PIDFILE` > /dev/null 2>&1 fi echo "$$" > $PIDFILE send request & check for expected response STATUS=`curl -s -o /dev/null -w '%{http_code}' -H 'Cache-Control: no-cache' http://www.google.com --proxy $IP:$PORT -U username@ourdomain:strongpassword --proxy-ntlm` if [ "$STATUS" -eq "200" ] then rm -f $PIDFILE echo "UP" else rm -f $PIDFILE echo "DOWN" fi exit As here I have substituted the username, domain name and the password for obvious reasons. Currently the username has no access to google.com (this is how it should be since it is not allowed access on the proxy) and when executed in CLI the script returns DOWN, as the http_code is 403 - Forbidden. ANYWAY in the WEB interface it shows all nodes green, which should not be the case.. Any help is much appreciated. Regards, Naydenarg-ex-out using over half of space on partition
Hi, I'm getting the error message, that my F5 has 0% free space - this sucks. I've noticed that this space is used mostly by /var partition: /dev/mapper/vg--db--sda-set.12--hf1._var 3.0G 2.8G 23M 100% /var ` I've found a file named arg_ex_out that uses 1,8G of disk space, and I have no idea what this is. My other F5 (active in HA configuration) has the same file, but "only" around 650M big. The content of the file seems to repeat itself over and over and looks like this: `---- Command Line Args ---- ::ffff: 53 ---- Environment Args ---- ARGS_I= MON_INST_LOG_NAME=/var/log/monitors/SHARED_m_dns-SHARED_2-53.log MON_TMPL_NAME=/SHARED/m_dns NODE_IP=::ffff: NODE_NAME=/SHARED/ NODE_PORT=53 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/contrib/bin:/usr/local/bin:/usr/contrib/sbin:/usr/local/sbin:/usr/libexec RUN_I=/Common/arg_example TMOS_RD=2 = ---- End Args ---- ---- Command Line Args ---- ::ffff: 53 ---- Environment Args ---- ARGS_I= MON_INST_LOG_NAME=/var/log/monitors/SHARED_m_dns-SHARED_-53.log MON_TMPL_NAME=/SHARED/m_dns NODE_IP=::ffff: NODE_NAME=/SHARED/ NODE_PORT=53 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/contrib/bin:/usr/local/bin:/usr/contrib/sbin:/usr/local/sbin:/usr/libexec RUN_I=/Common/arg_example TMOS_RD=2 = ---- End Args ---- This repeats over and over again - judging by the filesize quite a lot. Perhaps it's some sort of external monitor? Any ideas? I'll be needing to upgrade the devices quite soon, I guess I'd need the disk space