F5 DNS with cPanel Web Hosting Server
Hi, We have a publicly accessible web hosting server backed by cPanel and currently we are using F5 to handle our DNS. The problem that we are facing is when one of our end customer adds a Zone /DNS record INSIDE his cPanel account and everytime we have to manually check and add those records in F5 to make things work. Is there a solution for this?.
gtm_add failing due to CERT error
I am trying to cluster to GTM devices using the gtm_add command, but this is failing with this error: ERROR: found "END CERT..." without BEGIN at line: 0. ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt. But when I check the mentioned file it looks like a valid certificate: more /config/httpd/conf/ssl.crt/server.crt -----BEGIN CERTIFICATE----- MIIHFjCCBP6gAwIBAgIDbUVxMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAoTA0lORzERMA8GA1UE CxMIU2VydmljZXMxIDAeBgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMScwJQYDVQQDEx5J TkcgQ29ycG9yYXRlIEludGVybmFsIENBIC0gRzMwHhcNMjQwNjI0MTQyMzAyWhcNMjUwNzI0MTMw ... E1Zg8g9QlL+jksX7ew0tIuZPNGPbhPE3StATtD7b4oi1TYjVfIwn79DluSwkIp5hwVDrAcW/B5T6 zK+sJJlib4ZeCnV19cCkwBnYyRz0p46VrwXw7i3bYeC8Cq4Of++LaYaXDuhOVq/V61phJRoGTlRU vOII3wHBmXiXQv7MIScQQbmKaBRC2lxu0gAJV9a8vzpXfN6T+n7PxNBH4AuNdR5KeeG7 -----END CERTIFICATE----- Also via the browser the correct certificate is shown. Any suggestions on what the problem could be?
BIG-IP DNS Generic Host
Hello, I need to add some services running on 'generic host'. The destination host is reachable (icmp) from CLI (rd0), but after adding it to GTM configuration as 'server' with 'icmp monitor' - it is not getting up (green) but monitor fails with reason 'no reply from big3d: timed out'. configuration: gtm server /Common/host-dca { datacenter /Common/DCA devices { host-dca { addresses { 172.25.113.23 { } } } } monitor /Common/my_icmp product generic-host virtual-servers { service1 { destination 172.25.113.21:0 } service3 { destination 172.25.113.23:0 } } } gtm monitor gateway-icmp /Common/my_icmp { defaults-from /Common/gateway_icmp interval 5 probe-attempts 3 probe-interval 1 probe-timeout 5 timeout 15 } log: # host 172.25.113.21 alert gtmd[13178]: 011a5004:1: SNMP_TRAP: Server /Common/host-dca (ip=172.25.113.21) state change blue --> red (No enabled VS available) alert gtmd[13178]: 011ae0f2:1: Monitor instance /Common/my_icmp 172.25.113.21:0 CHECKING --> DOWN from /Common/dca-dcdns-adc (no reply from big3d: timed out) alert gtmd[13178]: 011a6006:1: SNMP_TRAP: VS service1 (ip:port=172.25.113.21:0) (Server /Common/host-dca) state change blue --> red ( Monitor /Common/my_icmp : no reply from big3d: timed out) # host 172.25.113.23 alert gtmd[13178]: 011a5004:1: SNMP_TRAP: Server /Common/host-dca (ip=172.25.113.23) state change blue --> red (No enabled VS available) alert gtmd[13178]: 011ae0f2:1: Monitor instance /Common/my_icmp 172.25.113.23:0 CHECKING --> DOWN from /Common/dca-dcdns-adc (no reply from big3d: timed out) alert gtmd[13178]: 011a6006:1: SNMP_TRAP: VS service3 (ip:port=172.25.113.23:0) (Server /Common/host-dca) state change blue --> red ( Monitor /Common/my_icmp : no reply from big3d: timed out) why is there 'no reply from big3d: timed out'?? the server type is 'generic host' (not 'bigip'). network: GTM is running in HA (there are two GTM devices). Each of them has one self and one float IP address configured. All in routing domain 0 only. Nothing special. Troubleshooting host 172.25.113.21 is currently down, host 172.25.113.23 is reachable: # ping 172.25.113.21 PING 172.25.113.21 (172.25.113.21) 56(84) bytes of data. ^C --- 172.25.113.21 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 1999ms # ping 172.25.113.23 PING 172.25.113.23 (172.25.113.23) 56(84) bytes of data. 64 bytes from 172.25.113.23: icmp_seq=1 ttl=253 time=2.11 ms 64 bytes from 172.25.113.23: icmp_seq=2 ttl=253 time=1.96 ms 64 bytes from 172.25.113.23: icmp_seq=3 ttl=253 time=3.68 ms ^C --- 172.25.113.23 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 1.964/2.586/3.684/0.780 ms tcpdump from bigip CLI (rd0) with above 'ping' tests: # tcpdump -i0.0:nn -nnp host 172.25.113.21 or 172.25.113.23 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0:nn, link-type EN10MB (Ethernet), capture size 65535 bytes 11:28:50.368443 IP 172.18.210.20 > 172.25.113.21: ICMP echo request, id 1286, seq 1, length 64 out slot1/tmm0 lis= port=1/0.16 trunk=.itrunk0 flowtype=130 flowid=4000013D1C00 peerid=4000013D1B00 conflags=20E26 inslot=1 inport=18 haunit=0 priority=0 11:28:52.816810 IP 172.18.210.20 > 172.25.113.23: ICMP echo request, id 1321, seq 1, length 64 out slot1/tmm0 lis= port=1/0.16 trunk=.itrunk0 flowtype=130 flowid=4000013CD140 peerid=4000013CD040 conflags=20E26 inslot=1 inport=18 haunit=0 priority=0 11:28:52.818050 IP 172.25.113.23 > 172.18.210.20: ICMP echo reply, id 1321, seq 1, length 64 in slot2/tmm0 lis= port=.itrunk0 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=7 inport=26 haunit=0 priority=3 Question: I thing, the configuration is correct, but server (host-dca) and virtual services (service1 and service3) are going down. Why is the reason of virtual service is going down 'no reply from big3d: timed out'? the server type is 'generic host', not 'bigip' I can't see monitoring (my_icmp monitor) requests in the tcpdump. why is this not working? I can see only ping request from CLI, but not from monitor 'my_icmp'. thank you for adviceGSLB - Monitoring LTM VIP load balancing via iRule
In one of our environments we are configuring a single LTM VIP and load balancing multiple applications via an iRule. We currently have other LTM environments integrated via iQuery with our GTM for GSLB configuration and monitoring. Is there a way to monitor the VIP at the GTM level via iQuery that would give a true back-end pool status? Since, let's say, we are load balancing 100 different applications via a single VIP, if 99 of them went offline, the VIP would still show as ONLINE/GREEN. Or would we even go as far as integrating via iQuery and adding a dependency monitor of the pool itself instead?BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member
Good day, everyone! Within the LTM platform, if a Pool is configured with "Min 1 of" with multiple monitors, you can check the status per monitor viatmsh show ltm monitor <name>, or you can click the Pool member in the TMUI and it will show you the status of each monitor for that member. I cannot seem to locate a similar function on the GTM/BIG-IP DNS platform. We'd typically use this methodology when transitioning to a new type of monitor, where we can passively test connectivity without the potential for impact prior to removing the previous monitor. Does anyone have a way through tmsh or the TMUI where you can check an individual pool member's status against the multiple monitors configured for its pool? Thanks, all!F5 as ISP LB - Internet health check based on latency
Hi Community, Just want to ask only if below scenario if our F5 is running as ISP LB to check the latency of ISP1 when it is high ( 250ms) to failover to ISP2? If there an F5 KB article or other solutions that you can refer for this required setup. Thanks in advance.
Replacing GTM f5
hello guys! this is also related to F5 GTM GSLB replacement | DevCentral I have some question on our F5 GTM replacement, we have an issue when we add the new F5 on data center following this KB https://my.f5.com/manage/s/article/K45907236 on the part "Creating a server (existing BIG-IP DNS)" the new server is in unknown state. When we check the error we see routines:ssl3_get_server_certificate:certificate verify failed f5 I am thinking bigip_add x.x.x.x will solve the problem however since the existing devices are on production I didnt use it instead, I uploaded the cert of existing f5 to new F5 on device management and Trusted certificate I saw on https://my.f5.com/manage/s/article/K85555245 Trusted device certificatesSystem>Certificate Management>Device Certificate Management>Device Trust Certificates Trusted server certificatesDNS>GSLB>Servers>Trusted Server Certificates the existing and new f5 has same certs now, however the problem is still there but this time error is different iqmgmt_ssl_connect: SSL error: Connection reset by peer (104) from connection x.x.x.x Do you guys know how to solve this SSL issue we have? I also have a question 1. when I updatedDNS>GSLB>Servers>Trusted Server CertificatesI export the server.crt from existing f5 and upload it on the new device. this overwrites the original server.crt. on the new F5. I am thinking running the bigip_add x.x.x.x but my worry is that it will make the certs doubled? because running bigip_add x.x.x.x will "append" the cert from existing F5 to new F5.. so I am thinking to delete the server.crt on my new f5, but the problem is I didnt save a backup of the original server.crt :( is there a way I can generate new server.crt on my new F5? do you think it is necessary to delete the current server.crt? or what I need is to do below per https://my.f5.com/manage/s/article/K9114? cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt 2. Running bigip_add x.x.x.x will be from existing F5 correct existing f5# bigip_add x.x.x.x (new F5 IP) 3. new F5 is in v17 and existing F5s are in v14, do you guys think it is a problem? Thank you!
