gtm
254 Topics

F5 DNS/GTM External Monitor (EAV) with SNI support and response code check
I have used this monitor for XC Distributed Cloud, as the HTTP LBs by default share the same tenant IP address and SNI support is needed. You can order dedicated public IP addresses for each HTTP LB and enable the "Default Load Balancer" ( https://my.f5.com/manage/s/article/K000152902 ) option, but it will cost you extra 😉

The script is a modified version of "External https health monitor for SNI-enabled pool", changed to handle response codes and to set the SNI globally for the entire pool and its members. If you are uploading from a Windows machine, see "External monitor fails to run", as you could hit the bug. This could be needed for F5 DNS/GTM below 16.1 that do not support SNI in HTTPS monitors.

The only mandatory variable is "SNI", which should be set in the external monitor config that references this uploaded bash script. The "URI" variable by default is set to "/", the "$2" variable by default is empty or 443, and the default expected response code is 200.

```sh
#!/bin/sh
# External monitoring script for checking HTTP status code
# $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)
# $2 = port (optional; defaults to 443 if not provided)

# Default SNI to IP if not explicitly provided
node_ip=$(echo "$1" | sed 's/::ffff://')  # Remove IPv6 compatibility prefix
SNI=${SNI:-"$node_ip"}                    # Assign sanitized IP to SNI

# Default variables
MON_NAME=${MON_NAME:-"MyExtMon$$"}
pidfile="/var/run/$MON_NAME.$1..$2.pid"   # PID file path
DEBUG=${DEBUG:-0}                         # Enable debugging if set to 1
EXPECTED_STATUS=${EXPECTED_STATUS:-200}   # Default HTTP status code to 200
URI=${URI:-"/"}                           # Default URI
DEFAULT_PORT=443                          # Default port (used if $2 is unset)

# Set port to default if $2 is not provided
if [ -z "${2}" ]; then
    PORT=${DEFAULT_PORT}
else
    PORT=${2}
fi

# Kill old process if pidfile exists
if [ -f "$pidfile" ]; then
    kill -9 -"$(cat "$pidfile")" > /dev/null 2>&1
fi
echo "$$" > "$pidfile"

# Perform the HTTP(S) request via single curl (fetch status code only)
status_code=$(curl -s -o /dev/null -w '%{http_code}' \
    --connect-timeout 5 --resolve "${SNI}:${PORT}:${node_ip}" "https://${SNI}:${PORT}${URI}")

# Cleanup
rm -f "$pidfile" > /dev/null 2>&1

# Debugging: written to stderr, because an external monitor treats any
# output on stdout as "up"
if [ "$DEBUG" -eq 1 ]; then
    {
        echo "Debugging on..."
        echo "SNI=${SNI}"
        echo "URI=${URI}"
        echo "IP=${node_ip}"
        echo "PORT=${PORT}"
        echo "MON_NAME=${MON_NAME}"
        echo "STATUS_CODE=${status_code}"
        echo "EXPECTED_STATUS=${EXPECTED_STATUS}"
        echo "curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 --resolve ${SNI}:${PORT}:${node_ip} https://${SNI}:${PORT}${URI}"
    } >&2
fi

# Output server status based on HTTP status code match.
# Print "up" only on a match and nothing otherwise: any text on stdout
# (including the word "down") marks the member up.
if [ "$status_code" -eq "$EXPECTED_STATUS" ]; then
    echo "up"
fi
```

126 Views, 0 likes, 1 Comment

DNS/GTM health monitor big3d timeout because of alias config
Hello Everyone, I was testing some experimental config for DNS/GTM where the health monitor does not monitor the pool members but a specific IP address configured in the "alias", and it does not work, as the error says bigd times out reporting the state. For LTM http/https health monitors the "alias" option works, but not for gtm/dns. I think I discovered a bug, as this is a rare use case to not monitor the pool members themselves. I have changed the IP to 1.1.1.1 just for the picture screenshot 😄 Also, in the logs after gtm and big3d are enabled I see the logs below, and too bad that F5 DNS does not have monitor debug like LTM to just enable a debug for a monitor and not the entire box.

-----
Will not probe x.x.x.x:80 ( in DC /Common/niki-dc because will be done by other GTM (<unknown>:<unknown>) Unable to identify which gtm server represents the local device

57 Views, 0 likes, 1 Comment

What will happen if local gtm/dns disables the sync with the other gtm/dns sync group?
Hi, we want to temporarily remove the local gtm/dns from the corporate global gtm/dns sync group. What will happen to the local dns service? What is the impact? Will some applications be marked as down if the application servers are located in another region and learned via the gtm sync group? We have gtm/dns in three different regions. Can anyone please advise? Thanks in advance!

Solved
88 Views, 0 likes, 2 Comments

Cross platform migration issue
Hi, we want to migrate the config from iSeries 4K to rSeries 5k. The current software version on iSeries is 13.x. I tried to run BIG-IP v15.x on rSeries, then export the config from iSeries and import it into rSeries, but it was not successful; there were some errors. Can someone please advise what I should do to make the migration successful? Thanks in advance!

175 Views, 0 likes, 2 Comments

SNI Sites not taking correct certificate.
I have configured one VIP with two certificates: aks.test.com and aks4.test.com. On the SSL profile for aks.test.com I have enabled the SNI feature, and aks.test.com is working fine, taking the correct certificate (aks.test.com), but aks4.test.com is having a "not secure" error in the browser and taking the certificate of aks.test.com. Could someone please help with what could be the issue in this case?

231 Views, 0 likes, 8 Comments

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member
Good day, everyone! Within the LTM platform, if a Pool is configured with "Min 1 of" with multiple monitors, you can check the status per monitor via tmsh show ltm monitor <name>, or you can click the Pool member in the TMUI and it will show you the status of each monitor for that member. I cannot seem to locate a similar function on the GTM/BIG-IP DNS platform. We'd typically use this methodology when transitioning to a new type of monitor, where we can passively test connectivity without the potential for impact prior to removing the previous monitor. Does anyone have a way through tmsh or the TMUI where you can check an individual pool member's status against the multiple monitors configured for its pool? Thanks, all!

691 Views, 0 likes, 4 Comments

Why is the gtm probing result not shown in the debug log?
Hi, we encountered a gtm wideip pool monitoring issue, so I tried to turn on debug for gtm logging. The only log captured for pool member status monitoring is shown below. There is no result about the probing. Why? Can someone please advise on it? Thanks in advance.

debug gtmd[6034]: 011ae039:7: Check probing of IP:Port 10.50.62.252:8833 in DC /Common/DC-NY
debug gtmd[6034]: 011ae03b:7: Will probe 10.50.62.252:8833 in DC /Common/DC-NY

89 Views, 0 likes, 1 Comment

Is iQuery sent to each other among GTMs and LTMs? Full mesh?
Hi, we have 3 data centers and there are two LTMs and one GTM at each data center. All GTMs are configured in the same sync-group, and the LTMs are added to the local GTM server list. For this setup, normally we shall see iQuery sent bidirectionally with full mesh, right? I saw one GTM A send iQuery to GTM B, but no iQuery from GTM B to GTM A. Is it normal? Please advise, thanks in advance!

39 Views, 0 likes, 0 Comments

Priority group activation on GTM.
Hello All, I need to configure an active-standby configuration at GTM pool level: only one VS should be UP and the second should be standby, and if one VS is down then traffic should pass to the other VS. I can see there is one option, Minimum-up Members, but I do not know how to use it as a priority group activation at GTM level. If anyone has any article or config suggestion, please share. Many thanks in advance for your time and consideration.

115 Views, 0 likes, 2 Comments