DNS LTM adding recommendation
Hello,

What is the recommendation for adding GTM and LTM/AWAF devices in a multi-datacenter setup?

More explanation: we have HQ and DR datacenters.

HQ data center: GTM device (one device), LTM/AWAF device (pair)
DR data center: GTM device (one device), LTM/AWAF device (pair)

Shall we add the DR LTM/AWAF to the HQ GTM by using a DR LTM/AWAF self IP reachable through the internet, or internally? Please highlight the pros and cons of each method.

The reason we are thinking of adding the DR LTM/AWAF to the HQ GTM is to ensure that the HQ GTM will see the VS on the DR LTM/AWAF as down when the internet link is down in DR. If there is another way to ensure that by monitoring links, please clarify.

GSLB - Monitoring LTM VIP load balancing via iRule
In one of our environments we are configuring a single LTM VIP and load balancing multiple applications via an iRule. We currently have other LTM environments integrated via iQuery with our GTM for GSLB configuration and monitoring. Is there a way to monitor the VIP at the GTM level via iQuery that would give a true back-end pool status? Since, let's say, we are load balancing 100 different applications via a single VIP, if 99 of them went offline, the VIP would still show as ONLINE/GREEN. Or would we even go as far as integrating via iQuery and adding a dependency monitor of the pool itself instead?

Replacing GTM f5
Hello guys! This is also related to F5 GTM GSLB replacement | DevCentral

I have some questions on our F5 GTM replacement. We have an issue when we add the new F5 to the data center following this KB, https://my.f5.com/manage/s/article/K45907236: on the part "Creating a server (existing BIG-IP DNS)", the new server is in an unknown state. When we check the error we see

routines:ssl3_get_server_certificate:certificate verify failed f5

I am thinking bigip_add x.x.x.x will solve the problem; however, since the existing devices are in production I didn't use it. Instead, I uploaded the cert of the existing F5 to the new F5 under device management and Trusted certificate, which I saw on https://my.f5.com/manage/s/article/K85555245

Trusted device certificates: System > Certificate Management > Device Certificate Management > Device Trust Certificates
Trusted server certificates: DNS > GSLB > Servers > Trusted Server Certificates

The existing and new F5 have the same certs now; however, the problem is still there, but this time the error is different:

iqmgmt_ssl_connect: SSL error: Connection reset by peer (104) from connection x.x.x.x

Do you guys know how to solve this SSL issue we have?

I also have some questions:

1. When I updated DNS > GSLB > Servers > Trusted Server Certificates, I exported the server.crt from the existing F5 and uploaded it to the new device. This overwrites the original server.crt on the new F5. I am thinking of running bigip_add x.x.x.x, but my worry is that it will make the certs doubled, because running bigip_add x.x.x.x will "append" the cert from the existing F5 to the new F5. So I am thinking of deleting the server.crt on my new F5, but the problem is I didn't save a backup of the original server.crt :( Is there a way I can generate a new server.crt on my new F5? Do you think it is necessary to delete the current server.crt? Or is what I need to do the below, per https://my.f5.com/manage/s/article/K9114?

cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt

2. Running bigip_add x.x.x.x will be from the existing F5, correct?

existing f5# bigip_add x.x.x.x (new F5 IP)

3. The new F5 is on v17 and the existing F5s are on v14. Do you guys think that is a problem?

Thank you!

prober pool Round Robin with multi health monitors and with multi prober pool members
I have a question about the GTM monitors and prober pools. In my case, I have three datacenters, three GTMs (one in each DC), and one prober pool. The prober pool includes all three GTMs, and the prober pool was set to use Round Robin. There are two VSs, vs1 and vs2, in different DCs, and each VS was configured with two health monitors (each monitor with a different probe interval, e.g. vs1's monitors have intervals of 5s and 7s, vs2's monitors have intervals of 9s and 11s). So, my question is, how does the prober pool Round Robin work? Looking forward to your help, thank you.

Adding LTM to GTM with different version
Hi Experts, I am looking for a KB that shows the prerequisites or considerations prior to doing BIGIP ADD in GTM. Our goal is to use the GSLB functionality of our GTM. Our GTM is running version 11.6.1 and we will upgrade our LTM from 11.6.1 to 13.0. May we know if it is possible or whether there is an issue with this setup?

GTM Topology Load Balancing - Order of Operation
Two-part question:

1.) For wide IP-level topology load balancing, what takes precedence: order, weight, or prefix length? (Assuming topology load balancing is choosing between pools based on source IP subnet).

2.) This question came about due to a situation in which I'm seeing some unexpected LB results. Given the below topology configuration (11.x):

1   IP Subnet is 10.0.1.0/29   Pool is West_DC_Pool   1
2   IP Subnet is 10.0.1.0/24   Pool is West_DC_Pool   150
3   IP Subnet is 10.0.0.0/24   Pool is East_DC_Pool   1
4   IP Subnet is 10.0.0.0/16   Pool is East_DC_Pool   100

The LDNS server IP is 10.0.1.5 (there's only one LDNS server at the moment). The East_DC_Pool is being chosen every time. Based on the logs, it seems to be comparing 1 (10.0.1.0/29 with a weight of 1) to 4 (10.0.0.0/16 with a weight of 100) and therefore 4 is winning based on a weight of 100. No mention of 2 (10.0.1.0/24 with a weight of 150) in the logs. If I delete 1, then 2 (10.0.1.0/24 with weight of 150) wins so traffic is then sent to West_DC_Pool. Now re-adding 1 (10.0.0.0/29 with weight 1) causes 4 (East_DC_Pool) to win again.

Is this expected behavior??? I would have expected in all cases (with a LDNS IP of 10.0.1.5) that traffic would be routed to the West_DC_Pool based on either longest prefix match (1 would win), weight (2 would win), or order (again 1 would win). But maybe there's something about the order of operation that I'm unaware of.

Thanks in advance,
Dave

Load-balancing generic hosts between different datacenters
Hi all,

I have a GTM F5 load balancer sitting in my primary Denver (USA) data center. I have two VPN firewalls sitting in the Chennai (India) data center, where there is no F5 load balancer. Hence there is no GSLB. I would like to load-balance these two VPN firewalls through the Denver F5 GTM load balancer. The public IPs are completely different between the data centers. The expectation is that the end host ==> Public DNS Server ==> F5 GTM Listener (Denver) ==> Chennai (India) Datacenter (VPN Firewall). Will this be doable?

DNS to LTM (Server peering for GSLB)
GTM1 (one external selfIP)
LTM1 (one external selfIP, multiple internal selfIPs)

I noticed that the HELP under DNS->GSLB->Server List states "Address: Specifies an external (public) address for the device." In the guides, it is recommended to use the self IPs of devices to peer. BUT does it really HAVE to be 'external'? Are there any limitations to simply peering to the LTM using one of the internal selfIPs? Thanks for feedback!