gtm
244 Topics

High CPU utilization (100%)
I observed high CPU utilization (100%) on an F5 device; resource provisioning is ASM nominal. I checked the client-side throughput and server-side throughput, and both are normal, but I found that the management interface throughput is very high, and I noticed this is happening in the same time period for the last 30 days. What could be the reason for this spike? Many thanks in advance for your time and consideration.

Can BIG-IP DNS do recursion only for my domain?
Hi, we are using F5 DNS as a DNS server and have many CNAME records. We want to query those CNAME records and get an IP as the result too (which we solved by enabling "recursion yes;" in the named configuration). But we found a problem: our F5 DNS performs recursion for EVERY domain clients ask for (e.g. f5.com, nginx.com, etc.). We want F5 DNS to answer queries only for the domains we handle (many domains in ZoneRunner and GSLB). How can we do that? Is it possible? Because "recursion yes;" is configured in the named configuration, I think it's a global configuration, and "allow-recursion {}" only checks the client IP address (it does not check the domain we handle). Thank you

Use Fully Qualified Domain Name (FQDN) for GSLB Pool Member with F5 DNS
Normally, we define a specific IP (and port) to be used as a GSLB pool member. This article provides a custom configuration that lets a Fully Qualified Domain Name (FQDN) be used as a GSLB pool member, with all the usual GSLB features: health-check monitoring, load balancing method, persistence, etc.

Although GSLB as a mechanism to distribute traffic across datacenters has been around for years, it has not become less relevant. Internet infrastructure still relies heavily on DNS, so GSLB continues to be used because of its lightweight nature and smooth integration.

When using F5 DNS as the GSLB solution, we are usually dealing with an LTM and its virtual servers (VS) as the GSLB server and pool members respectively. Sometimes we add a non-LTM node as a generic server to provide inter-DC load balancing capability. Either way, we end up with an IP and port pair representing the application, against which we send a health check.

With the trend towards public cloud and CDN, there is a need to use an FQDN as the GSLB pool member instead of an IP and port pair. Some of us may immediately think of using a CNAME-type GSLB pool to accommodate this. However, there is a limitation: BIG-IP requires a CNAME-type GSLB pool to use a wideIP-type pool member, so we end up with an IP and port pair (again!). We can use a "static target", but there is a side effect: the pool member is always considered available (which raises the question of why we need GSLB in the first place!). Additionally, the F5 BIG-IP TMUI accepts FQDN input when configuring a GSLB server and pool member, but it immediately translates it to an IP using the configured DNS. Thus, none of these is the solution we are looking for.

This is where BIG-IP's programmability comes into play. Enter the realm of customization... We all love customization, but at the same time we do not want it to be so complicated that life becomes harder on day 2 🙃.
Thus, the key is to use some customization, but keep it simple enough to avoid unnecessary complication. Here is one idea to solve the FQDN-as-GSLB-pool-member problem above. The customized configuration consists of three objects:

1. External health-check monitor
   - Dynamically resolves DNS to translate the FQDN into an IP address
   - Performs health-check monitoring against the current IP address
   - The result determines the GSLB pool member availability status

2. DNS iRule
   - Check #1: checks whether the GSLB pool attached to the wideIP contains only FQDN-type members (another pool referring to an LTM VS might also be attached to the wideIP). If false, do nothing (let the DNS response refer to the LTM VS). Otherwise, perform check #2.
   - Check #2: checks the current health-check status of the requested domain name. If the FQDN is up, modify the DNS response to return the current IP of the FQDN. Otherwise, perform the fallback action required (e.g. return an empty response, return a static IP, use a fallback pool, etc.)

3. Internal datagroup
   - Stores the current IP of the FQDN, updated at the health-check interval
   - The datagroup record value contains the current IP if the health check succeeded; otherwise the value is empty

Here is the code. In this configuration the wideIP is gslb.test.com, while the GSLB pool member FQDN is arcadia.f5poc.id.

1. External health-check monitor config

    gtm monitor external gslb_external_monitor {
        defaults-from external
        destination *:*
        interval 10
        probe-timeout 5
        run /Common/gslb_external_monitor_script
        timeout 120
        # define the FQDN here; it is exported to the script as $fqdn
        user-defined fqdn arcadia.f5poc.id
    }

External health-check monitor script

    #!/bin/sh
    # One pid file per monitored node; $1 is the node IP, $2 the port
    pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"
    if [ -f $pidfile ]
    then
        # Kill the previous instance if it is still running
        kill -9 -`cat $pidfile` > /dev/null 2>&1
    fi
    echo "$$" > $pidfile
    # Obtain the current IP for the FQDN
    resolv=`dig +short ${fqdn}`
    # The actual monitoring action: HTTPS HEAD request to the FQDN, pinned to the resolved IP.
    # All output is discarded, because anything written to stdout would be read by the
    # monitor as an "up" response.
    curl -fIs -k https://${fqdn}/ --resolve ${fqdn}:443:${resolv} | grep -i HTTP > /dev/null 2>&1
    status=$?
    if [ $status -eq 0 ]
    then
        # Actions when the health check succeeds
        rm -f $pidfile
        # Publish the current IP in the datagroup record for this FQDN
        tmsh modify ltm data-group internal fqdn { records replace-all-with { $fqdn { data $resolv } } }
        echo "sending monitor to ${fqdn} ${resolv} with result OK" | logger -p local0.info
        # Printing anything to stdout marks the pool member up
        echo "up"
    else
        # Actions when the health check fails: clear the record data
        tmsh modify ltm data-group internal fqdn { records replace-all-with { $fqdn { } } }
        echo "sending monitor to ${fqdn} ${resolv} with result NOK" | logger -p local0.info
        # No stdout output: the monitor treats silence as down
    fi
    rm -f $pidfile

2. DNS iRule

    when DNS_REQUEST {
        set qname [DNS::question name]
        # Obtain the current IP for the FQDN from the datagroup.
        # The lookup key is the queried name, so the datagroup record name
        # must match the name clients query.
        set currentip [class match -value $qname equals fqdn]
    }
    when DNS_RESPONSE {
        # Extract the RDATA (5th field) of the first answer record, stripping the trailing brace
        set rname [getfield [lindex [split [DNS::answer]] 4] "\}" 1 ]
        # Check whether the returned address is the specially encoded FQDN IP, 10.10.10.10 in this example
        if {$rname eq "10.10.10.10" }{
            # Response comes only from the pool with the external monitor, meaning no other pool is attached to the wideIP
            if {$currentip ne ""}{
                # Current FQDN health check succeeded
                DNS::answer clear
                # Use the current IP to construct the DNS answer section
                DNS::answer insert "[DNS::question name]. 123 [DNS::question class] [DNS::question type] $currentip"
            } else {
                # Current FQDN health check failed
                # Define the fallback action to be performed here
                DNS::answer clear
            }
        }
    }

3. Internal datagroup

    ltm data-group internal fqdn {
        records {
            # The FQDN is the record name
            arcadia.f5poc.id {
                # The record data holds the current IP; it is continuously updated by the external monitor script
                data 158.140.176.219
            }
        }
        type string
    }

GSLB virtual server configuration (screenshot not included here)

Some testing

The resolution follows whichever IP address the FQDN currently has. If a CNAME response is required instead, you can do so by modifying the DNS iRule above. The logic and code are open to any improvement, so leave your suggestions in the comments if you have any. Thanks!

GTM zone record mismatch
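One weak spot in the monitor script above is that `dig +short` is spliced unquoted into `curl --resolve` and into the tmsh record: for a CNAME (typical of CDN and cloud FQDNs) it prints the whole chain plus every A record, and on failure it prints nothing, so either case corrupts the check. The following shell is an added example, not code from the original article or from F5: it reduces the dig output to exactly one IPv4 address and otherwise fails closed. The names pick_ipv4, resolve_to_ipv4, monitor_step and fake_dig_* are assumptions, and the dig output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): a safer replacement for the
# line  resolv=`dig +short ${fqdn}`  in the external monitor script above.

# pick_ipv4 reads `dig +short` output on stdin and prints exactly one IPv4
# address; with no dotted-quad line it prints nothing and returns 1, so the
# caller can mark the member down instead of running curl with bad input.
pick_ipv4() {
    # Keep only dotted-quad lines (CNAME chain entries end in '.') and take the first.
    ip=$(grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1)
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# resolve_to_ipv4 FQDN RESOLVER: the resolver command is passed in only so the
# function can be exercised offline; the monitor would call
#   resolve_to_ipv4 "$fqdn" "dig +short"   (assumed wrapper, not F5 code)
resolve_to_ipv4() {
    $2 "$1" | pick_ipv4
}

# Constructed stand-ins for `dig +short` (TEST-NET addresses, example names).
fake_dig_cname_chain() {
    printf '%s\n' 'arcadia.f5poc.id.' 'edge.cdn.example.net.' '203.0.113.10' '203.0.113.11'
}
fake_dig_nxdomain() {
    :   # NXDOMAIN / no answer: dig +short prints nothing
}

# monitor_step FQDN RESOLVER: the "one good address or mark down" decision the
# monitor script should make before touching curl or tmsh.
monitor_step() {
    if resolv=$(resolve_to_ipv4 "$1" "$2"); then
        echo "would run: curl --resolve $1:443:$resolv and write record data $resolv"
    else
        echo "resolution of $1 yielded no IPv4 address, marking member down"
        return 1
    fi
}

monitor_step arcadia.f5poc.id fake_dig_cname_chain
monitor_step arcadia.f5poc.id fake_dig_nxdomain
```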
We resolved the GTM Zone Record Mismatch on BIG-IP. Steps:

1. Stop the zrd service: System > Services: Services List > click the zrd service > click the Stop button
2. Disable/uncheck GTM synchronization
3. Copy the zone file from GTM 1 to GTM 2 (the one missing the zone record)
4. Start the zrd service
5. Enable GTM synchronization

GTM setup to wait 10 mins for the primary pool member of a wideIP once it goes down
Hi All, I want to set up a wideIP with 2 pool members. Suppose we have:

    wideIP - abc.gtm.com
    pool - abc_pool
    Pool members - Server A : 0 (Generic Host) --> Primary
                   Server B : 0 (Generic Host)

Now I want to make a setup such that if Server A goes down, Server B becomes active, and Server A should not come online (it should wait 10 mins) before taking part in IP resolution again. I mean, if Server A comes back up within 10 mins of going down, the wideIP should still send requests to Server B only for those 10 mins.

Not able to change virtual server traffic group from traffic-group-local-only to traffic-group-1
We have two LTM devices, and I observe that one virtual server is missing on the secondary device. I checked the virtual server configuration on the primary: that virtual server is configured in traffic group traffic-group-local-only. Now I am trying to change the traffic group, but it is not changing. Is there any way to change it?

F5 DNS with cPanel Web Hosting Server
Hi, we have a publicly accessible web hosting server backed by cPanel, and currently we are using F5 to handle our DNS. The problem we are facing is that when one of our end customers adds a zone/DNS record INSIDE his cPanel account, every time we have to manually check and add those records in F5 to make things work. Is there a solution for this?

gtm_add failing due to CERT error
I am trying to cluster two GTM devices using the gtm_add command, but this is failing with this error:

    ERROR: found "END CERT..." without BEGIN at line: 0.
    ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt.

But when I check the mentioned file it looks like a valid certificate:

    more /config/httpd/conf/ssl.crt/server.crt
    -----BEGIN CERTIFICATE-----
    MIIHFjCCBP6gAwIBAgIDbUVxMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAoTA0lORzERMA8GA1UE
    CxMIU2VydmljZXMxIDAeBgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMScwJQYDVQQDEx5J
    TkcgQ29ycG9yYXRlIEludGVybmFsIENBIC0gRzMwHhcNMjQwNjI0MTQyMzAyWhcNMjUwNzI0MTMw
    ...
    E1Zg8g9QlL+jksX7ew0tIuZPNGPbhPE3StATtD7b4oi1TYjVfIwn79DluSwkIp5hwVDrAcW/B5T6
    zK+sJJlib4ZeCnV19cCkwBnYyRz0p46VrwXw7i3bYeC8Cq4Of++LaYaXDuhOVq/V61phJRoGTlRU
    vOII3wHBmXiXQv7MIScQQbmKaBRC2lxu0gAJV9a8vzpXfN6T+n7PxNBH4AuNdR5KeeG7
    -----END CERTIFICATE-----

Also via the browser the correct certificate is shown. Any suggestions on what the problem could be?

BIG-IP DNS Generic Host
Hello, I need to add some services running on a 'generic host'. The destination host is reachable (ICMP) from the CLI (rd0), but after adding it to the GTM configuration as a 'server' with an 'icmp monitor', it is not coming up (green); the monitor fails with the reason 'no reply from big3d: timed out'.

configuration:

    gtm server /Common/host-dca {
        datacenter /Common/DCA
        devices {
            host-dca {
                addresses {
                    172.25.113.23 { }
                }
            }
        }
        monitor /Common/my_icmp
        product generic-host
        virtual-servers {
            service1 {
                destination 172.25.113.21:0
            }
            service3 {
                destination 172.25.113.23:0
            }
        }
    }
    gtm monitor gateway-icmp /Common/my_icmp {
        defaults-from /Common/gateway_icmp
        interval 5
        probe-attempts 3
        probe-interval 1
        probe-timeout 5
        timeout 15
    }

log:

    # host 172.25.113.21
    alert gtmd[13178]: 011a5004:1: SNMP_TRAP: Server /Common/host-dca (ip=172.25.113.21) state change blue --> red (No enabled VS available)
    alert gtmd[13178]: 011ae0f2:1: Monitor instance /Common/my_icmp 172.25.113.21:0 CHECKING --> DOWN from /Common/dca-dcdns-adc (no reply from big3d: timed out)
    alert gtmd[13178]: 011a6006:1: SNMP_TRAP: VS service1 (ip:port=172.25.113.21:0) (Server /Common/host-dca) state change blue --> red ( Monitor /Common/my_icmp : no reply from big3d: timed out)
    # host 172.25.113.23
    alert gtmd[13178]: 011a5004:1: SNMP_TRAP: Server /Common/host-dca (ip=172.25.113.23) state change blue --> red (No enabled VS available)
    alert gtmd[13178]: 011ae0f2:1: Monitor instance /Common/my_icmp 172.25.113.23:0 CHECKING --> DOWN from /Common/dca-dcdns-adc (no reply from big3d: timed out)
    alert gtmd[13178]: 011a6006:1: SNMP_TRAP: VS service3 (ip:port=172.25.113.23:0) (Server /Common/host-dca) state change blue --> red ( Monitor /Common/my_icmp : no reply from big3d: timed out)

Why is there 'no reply from big3d: timed out'?? The server type is 'generic host' (not 'bigip').

network: GTM is running in HA (there are two GTM devices). Each of them has one self IP and one floating IP address configured. All in routing domain 0 only. Nothing special.
Troubleshooting: host 172.25.113.21 is currently down, host 172.25.113.23 is reachable:

    # ping 172.25.113.21
    PING 172.25.113.21 (172.25.113.21) 56(84) bytes of data.
    ^C
    --- 172.25.113.21 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms
    # ping 172.25.113.23
    PING 172.25.113.23 (172.25.113.23) 56(84) bytes of data.
    64 bytes from 172.25.113.23: icmp_seq=1 ttl=253 time=2.11 ms
    64 bytes from 172.25.113.23: icmp_seq=2 ttl=253 time=1.96 ms
    64 bytes from 172.25.113.23: icmp_seq=3 ttl=253 time=3.68 ms
    ^C
    --- 172.25.113.23 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 1.964/2.586/3.684/0.780 ms

tcpdump from the BIG-IP CLI (rd0) during the above 'ping' tests:

    # tcpdump -i0.0:nn -nnp host 172.25.113.21 or 172.25.113.23
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0:nn, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:28:50.368443 IP 172.18.210.20 > 172.25.113.21: ICMP echo request, id 1286, seq 1, length 64 out slot1/tmm0 lis= port=1/0.16 trunk=.itrunk0 flowtype=130 flowid=4000013D1C00 peerid=4000013D1B00 conflags=20E26 inslot=1 inport=18 haunit=0 priority=0
    11:28:52.816810 IP 172.18.210.20 > 172.25.113.23: ICMP echo request, id 1321, seq 1, length 64 out slot1/tmm0 lis= port=1/0.16 trunk=.itrunk0 flowtype=130 flowid=4000013CD140 peerid=4000013CD040 conflags=20E26 inslot=1 inport=18 haunit=0 priority=0
    11:28:52.818050 IP 172.25.113.23 > 172.18.210.20: ICMP echo reply, id 1321, seq 1, length 64 in slot2/tmm0 lis= port=.itrunk0 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=7 inport=26 haunit=0 priority=3

Question: I think the configuration is correct, but the server (host-dca) and virtual services (service1 and service3) are going down. Why is the reason for the virtual service going down 'no reply from big3d: timed out'? The server type is 'generic host', not 'bigip'. I can't see monitoring (my_icmp monitor) requests in the tcpdump.
Why is this not working? I can see only the ping requests from the CLI, but none from the monitor 'my_icmp'. Thank you for any advice.

GSLB - Monitoring LTM VIP load balancing via iRule
In one of our environments we are configuring a single LTM VIP and load balancing multiple applications via an iRule. We currently have other LTM environments integrated via iQuery with our GTM for GSLB configuration and monitoring. Is there a way to monitor the VIP at the GTM level via iQuery that would give a true back-end pool status? Since, let's say, we are load balancing 100 different applications via a single VIP, if 99 of them went offline, the VIP would still show as ONLINE/GREEN. Or would we even go as far as integrating via iQuery and adding a dependency monitor on the pool itself instead?