BIG-IP : iControl LocalLBDataGroupFile.set_local_path()
F5 BIG-IP LTM VE v11.4.0 on ESXi iControl re-cache data-group operation : LocalLBDataGroupFile.set_local_path() For a live prod BIG-IP cluster with a VIP iRule that is actively reading data from the data-group , is the above considered a risky operation ? e.g. attempt live-swap of data-group's data-file, fails due to locks or other systems-level issues, data-group now unavailable to iRule I've attempted live-update of a data-file's contents via BIG-IP browser admin ( copy/paste new contents and click “Update” ) and seen the corresponding data-group become unavailable to the iRule. The paranoid approach is to create a new data-group/file and a copy of the iRule modified to point to this new data-group , and then in the VIP’s iRule list swap old/new iRules – so that never actually update a “live” data-group. So now I am concerned about performing similar operation via iControl LocalLBDataGroupFile.set_local_path() –- although apparently this API is not actually live-updating a cached data-file but rather re-pointing data-group to a new cached data-file ?184Views0likes2CommentsBIG-IP : device-side timeout applied to iControl operations ?
F5 BIG-IP LTM VE v11.4.0 on ESXi The iControl API classes accept a timeout parameter - which to be safe I set to 3600000 ms = 1 hr ( how to set to infinite ? ) However calls to LocalLB.DataGroupFile.set_file_path() API ( that when successful complete in under 10 mins ) sometimes return this error : The underlying connection was closed: An unexpected error occurred on a send. Is it possible that BIG-IP is applying its own internal timeout to iControl requests ? If so, how to configure my BIG-IP device's internal timeout ?224Views0likes0CommentsIssue setting route domain parent with PowerShell / iControl
Good morning, I am attempting to script the configuration of an existing route domain. I am able to set the description, set strict isolation, and other settings, but when I attempt to set the parent ID I am running into some strange behavior. I am attempting to configure a route domain with an ID of 6 to have a parent that has an ID of 501. If I run the script below I receive the following error: error_string : 01070734:3: Configuration error: Invalid route domain modification. A domain id change from 4 to 6 is not supported" $objiControlBigIP1 = New-Object iControl.Interfaces $objiControlBigIP1.initialize(IPADDRESS, PORT, USERNAME, PASSWORD) $objiControlBigIP1.NetworkingRouteDomain.Set_Parent_ID(6,501) But when I look at the system audit list it appears to have taken the change, but the change is never made in the console: client Unknown, user admin - transaction 1665299-3 - object 0 - modify { route_domain { route_domain_id 6 route_domain_parent_name "/Common/PublicInternet" } } [Status=Command OK]: If I run the script with any number other than 501 it runs without an error, logs in the audit log with a success, but still does not make the change. Thank you for any information or assistance!206Views0likes0CommentsCannot overwrite existing certificate/key using iControl certificate/key import_from_pem calls
I have been testing importing SSL certificate or key from PEM using iControl calls https://devcentral.f5.com/wiki/iControl.Management__KeyCertificate__certificate_import_from_pem.ashx (and key_import_from_pem). The two calls accept a boolean overwrite parameter which supposedly should allow overwriting of existing certificate/key. But this doesn't seem to work, my test Perl script (the actual API call part) looks like this: $soapResponse = $KeyCert->certificate_import_from_pem ( SOAP::Data->name(mode => MANAGEMENT_MODE_DEFAULT), SOAP::Data->name(cert_ids => [$sCert]), SOAP::Data->name(pem_data => [$CertPEM]), SOAP::Data->name(overwrite => 1) ); I've also tried "true" instead of 1 for the overwrite parameter, neither works, I'm getting errors like this: 01020066:3: The requested Certificate File (/Common/test-cert.crt) already exists in partition Common. My target is an F5 VM running BigIP v12.1.0, the script works fine when the cert/key didn't already exist on the F5.344Views0likes1CommentWhy do calls to REST API fail?
We are seeing intermittent failures for calls to the rest api on 11.5.1 HF6. The TCP handshake completes, client sends SSL Client Hello, BigIP sends ACK, and no further packets are seen. Is this related to iControl/REST connection limits? In the icrd log I see: Nov 1 12:45:34 mylb notice icrd_child[31618]: 31618,31633, RestRequestSender, INFO,Connection idle too long fd:9 cached. Nov 1 12:45:42 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:50:34 mylb notice icrd_child[31655]: 31655,31670, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 1 12:50:52 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:55:33 mylb notice icrd_child[31717]: 31717,31732, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 1 12:56:02 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:56:08 mylb notice icrd: 8195,13817, RestServer, INFO,Connection idle too long fd:11 Nov 3 13:05:33 mylb notice icrd_child[31936]: 31936,31951, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 3 13:05:51 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 3 13:06:08 mylb notice icrd: 8195,13817, RestServer, INFO,Connection idle too long fd:11 The restjavad log doesn't register anything during the failure time, and lsof shows the below. [myuser@mylb:Active:Changes Pending] ~ lsof -nPu apache | grep -E "(TCP|COMMAND)" COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME httpd 12579 apache 3u IPv6 1272168705 TCP *:80 (LISTEN) httpd 12579 apache 5u IPv6 1272168710 TCP *:443 (LISTEN) httpd 12579 apache 18u IPv4 1554156729 TCP 127.0.0.1:52743->127.0.0.1:8100 (CLOSE_WAIT) ...several iterations of the above... httpd 16246 apache 3u IPv6 1272168705 TCP *:80 (LISTEN) httpd 16246 apache 5u IPv6 1272168710 TCP *:443 (LISTEN) httpd 16246 apache 16u IPv6 1555163788 TCP 10.1.1.1:443->10.10.10.10:50000 (ESTABLISHED) httpd 16246 apache 18u IPv4 1554419261 TCP 127.0.0.1:43108->127.0.0.1:8100 (CLOSE_WAIT)546Views0likes3CommentsRead Access Denied on LocalLBRule::get_metadata
I'm using the iControl Java lib and am getting "Read Access Denied" errors. public class F5Test implements Credentials { private Interfaces f5Interface = new Interfaces("my-lb.example.com", 443, UNAME, PSWD); public static void main(String[] args) { F5Test test = new F5Test(); test.test(); } void test() { try { f5Interface.getManagementPartition().set_active_partition("my-partition"); String[] rules = { "irule_my_rule" }; String[][] md = f5Interface.getLocalLBRule().get_metadata(rules); for(String[] mds : md) { for(String metadata : mds) { System.out.println(metadata); } } } catch (RemoteException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } } } When I run this I get: AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server faultSubcode: faultString: Exception caught in LocalLB::urn:iControl:LocalLB/Rule::get_metadata() Exception: Common::OperationFailed primary_error_code : 17238051 (0x01070823) secondary_error_code : 0 error_string : 01070823:3: Read Access Denied: user (zharvey) type (rule metadata) faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:Exception caught in LocalLB::urn:iControl:LocalLB/Rule::get_metadata() Exception: Common::OperationFailed primary_error_code : 17238051 (0x01070823) secondary_error_code : 0 error_string : 01070823:3: Read Access Denied: user (zharvey) type (rule metadata) at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222) at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129) ...rest of stack trace omitted for brevity I have confirmed that the iRule "irule_my_rule" is defined inside "my-partition" and our IT staff confirms I have full r/w permission for it. Am I using the API incorrectly or is this an F5 config issue?243Views0likes2CommentsIllegalArgumentException using iControl 11.1 Java
We are using the iControl-11.1.0 Java library to interface with LTM version 11.5.1 Build 4.0.128 Hotfix HF4. Whenever we're trying to call LocalLB.PoolMember.get_all_statistics we are getting the following exception; all other calls seems to be working fine. Any ideas what might be causing this issue? Since iControl-11.1 have the same major branch (11.x) as BigIp 11.5.1 shouldn't these be compatible? ERROR 2015-01-05 06:15:02,797 Call schedulerFactoryBean_Worker-9 Exception: org.xml.sax.SAXException java.lang.IllegalArgumentException at org.apache.axis.encoding.ser.SimpleDeserializer.onEndElement(SimpleDeserializer.java:176) at org.apache.axis.encoding.DeserializerImpl.endElement(DeserializerImpl.java:502) at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087) at org.apache.axis.message.SAX2EventRecorder.replay(SAX2EventRecorder.java:171) at org.apache.axis.message.MessageElement.publishToHandler(MessageElement.java:1141) at org.apache.axis.message.RPCElement.deserialize(RPCElement.java:236) at org.apache.axis.message.RPCElement.getParams(RPCElement.java:384) at org.apache.axis.client.Call.invoke(Call.java:2467) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at iControl.LocalLBPoolMemberBindingStub.get_all_statistics(LocalLBPoolMemberBindingStub.java:905) ... Caused by: java.lang.IllegalArgumentException at iControl.CommonStatisticType.fromValue(CommonStatisticType.java:1579) at iControl.CommonStatisticType.fromString(CommonStatisticType.java:1584) at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.axis.encoding.ser.EnumDeserializer.makeValue(EnumDeserializer.java:53) at org.apache.axis.encoding.ser.SimpleDeserializer.onEndElement(SimpleDeserializer.java:172) ... 24 more292Views0likes1CommentBIG-IP : iControl : System/ConfigSync::download_configuration() : error opening file for read operations
BIG-IP 11.4.1 Build 608.0 Final VE I'm in .NET 4.5 C : using proxy classes generated from WSDL, I call into iControl API to retrieve BIG-IP system configuration : var systemConfigSync = new SystemConfigSync("bigip", "admin", "admin", 600000); long offset = 0; SystemConfigSyncFileTransferContext context = systemConfigSync.download_configuration("bigip", 131072, ref offset); throws exception : Exception caught in System::urn:iControl:System/ConfigSync::download_configuration() Exception: Common::OperationFailed primary_error_code : 16908289 (0x01020001) secondary_error_code : 0 error_string : Error opening file for read operations On v11.4.0 , this call successfully retrieved the system configuration ( bigip.conf ). However, on upgrading to 11.4.1 it began failing.334Views0likes1CommentExport AFM firewall rules using Icontrol
Hi All, I am trying to export the complete firewall rule list using RestAPI in version 12.1.3 but I get the following response: command used: $select=rulesReference&expandSubcollections=true ver=12.1.3.1","isSubcollection":true}}]}'expandSubcollections' is not recognized as an internal or external command It seems the expandsubcollections command is not being recognized at all. Complete response is: {"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://localhost/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=12.1.3.1","items":[{"rulesReference":{"link":"https://localhost/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=12.1.3.1","isSubcollection":true}},{"rulesReference":{"link":"https://localhost/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=12.1.3.1","isSubcollection":true}},{"rulesReference":{"link":"https://localhost/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=12.1.3.1","isSubcollection":true}}]}'expandSubcollections' is not recognized as an internal or external command, operable program or batch file.Solved794Views0likes7CommentsJAVA - Save Configuration not working
Hi Team icontrol version:13.0.0 Device Version: 11.x we are trying to save the configuration of F5 device using the following code in java. Interfaces interface = new iControl.Interfaces(ipAddress, userName, decryptedPassword);boxInterface.getSystemConfigSync().save_configuration("backup.ucs", iControl.SystemConfigSyncSaveMode.SAVE_FULL); we are getting exception as follows while saving the configuration, Exception caught in System::urn:iControl:System/ConfigSync::save_configuration() Exception: Common::OperationFailed primary_error_code : 16908289 (0x01020001) secondary_error_code : 0 error_string : Error saving configuration we checked that the device have sufficient space also, what may be root cause of this issue, is there any alternate way to save configuration?231Views0likes0Comments