iControl
3179 Topics

CPU data, control and analytics plane utilization
Hi everyone, Wondering if there is any "quick" way of extracting the CPU statistics for Data, Control and Analytics plane utilization via iControl? As far as I read, even-numbered logical cores (hyperthreads) are allocated to TMM, while odd-numbered cores are available for other processes, while the last core is used for analytics. Do I need to do the math myself?

451 Views, 1 like, 7 Comments

F5 ASM
Hey, I'm trying to get to know the ASM feature in BIG-IP. I want to be able to block requests based on specific IPs or headers (+values) and more. I also want to configure it using an API; I saw there is something called iControl. Are there any docs that contain all the paths in iControl so I could search everything I need? It would also help me get more familiar with the feature.

59 Views, 0 likes, 2 Comments

Upload SSL certificate/key via REST API
Hello All, Looking to see if anyone knows of a method of uploading certs and keys to a BIGIP unit, using a method similar to the following example, but using REST instead of the SOAP API.

Example:

    puts bigip["Management.KeyCertificate"].certificate_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['cert_file']).read ], true)
    puts bigip["Management.KeyCertificate"].key_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['key_file']).read ], true)

Thanks!

2.8K Views, 0 likes, 10 Comments

iControl REST Python Requests module
iControl REST is great and pretty robust given how much we use it, but I come to the forum today to see if anyone has any experience with the Python requests module and the underlying urllib3 module. When I do have problems with iControl, it's often with things like the following.

Here I've increased the timeout to 5.0 seconds but still get read timeouts:

    HTTPSConnectionPool(host='redacted', port=443): Read timed out. (read timeout=5.0)

I also often see this message and, no, I don't have a proxy in front of the F5. However, I know the F5 proxies the REST call:

    (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 503 Service Unavailable',

Thanks!

1.3K Views, 0 likes, 1 Comment

Extract content of Certificate key file with REST or Ansible
Hi Community, I'm working on an automation for renewing Certificates on multiple BIG-IPs using Ansible. As not all available Ansible F5 modules provide what is required, I'm currently using a mix of modules and REST calls (which are called from Ansible). F5 Module Index

What works so far is:

- Create new CSR/Key on BIG-IP
- Get new "CA based" Cert and upload to the BIG-IP
- Upload the same Cert to other BIG-IPs
- Update SSL profiles on multiple BIG-IPs
- and some other tasks, like iRules, etc.

Anyhow, what doesn't work so far is to get the content of the key which was created on the first device together with the CSR. Basically I don't have the key which needs to be uploaded to the other BIG-IPs as well. From the CLI, the following gives me what I need:

    cat /config/filestore/files_d/Common_d/certificate_key_d/*name.key*

The problem with this is, I can't integrate it in Ansible using the "bigip_command – Run TMSH and BASH commands on F5 devices" module. Looks like only tmsh commands are supported even though it states BASH as well. Plus I try to avoid using this module whenever possible in the first place. Through the GUI, simple export and import on another device - done, but obviously not automated. I have tried all possible Ansible modules as well as REST calls, but don't get the content out of the .key file. I thought that this would/should be a simple task. If anyone's done this using any approach please share. I could create a new key and get a cert for each device, but first I'm trying to find out if there's another way.

Thanks in advance, Stefan

2.2K Views, 0 likes, 4 Comments

Partition description misbehaviour API vs GUI
Hello, we noticed strange environment with partition description on v14.1.4. I create partition with command:

    POST https://10.10.10.10/mgmt/tm/auth/partition/
    {"name":"partitiondescr","description":"neco"}

I get expected response:

    {
      "kind":"tm:auth:partition:partitionstate",
      "name":"partitiondescr",
      "fullPath":"partitiondescr",
      "generation":3531,
      "selfLink":"https://localhost/mgmt/tm/auth/partition/partitiondescr?ver=14.1.4",
      "defaultRouteDomain":0,
      "description":"neco"
    }

BUT I cannot see the description in GUI: Seems like Description in GUI is defined somewhere else than "description" in API JSON structure. Any change through API is not visible in GUI and vice versa. Do you know where I could find API key-value pair for partition description?

Thank you, Zdenek

519 Views, 0 likes, 3 Comments

Eventd.xml file changes its enabled value from <enabled>1</enabled> to <enabled>0</enabled>
When there is a change that triggers a notification, the value of enabled changes from 1 to 0. When I edit the enabled value to 1 and restart the eventd daemon, it remains the same. But after triggering a change that will trigger an event, the value immediately changes to 0. Kindly advise.

Note: This setup is used by Appviewx to receive notification events.

Solved

461 Views, 0 likes, 4 Comments

iControl soap
Hi! Trying to import a key/certificate with the iControl SOAP PowerShell snap-in, but I get these errors:

    Exception calling "key_import_from_pem_v2" with "6" argument(s): "Exception caught in Management::urn:iControl:Management/KeyCertificate::key_import_from_pem_v2()
    Exception: Common::OperationFailed
    primary_error_code : -14 (0xFFFFFFF2)
    secondary_error_code : 0
    error_string : Keys do not match"
    At C:\Scripts\LetsencryptQA\letsencrypt1.1.ps1:418 char:90
    + ... rt_from_pem_v2($ManagementModetype, @($KeyName), @($StringPem), $Secu ...
    + ~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SoapHeaderException

And for the certificate:

    Exception calling "certificate_import_from_pem" with "4" argument(s): "Exception caught in Management::urn:iControl:Management/KeyCertificate::certificate_import_from_pem()
    Exception: Common::OperationFailed
    primary_error_code : -14 (0xFFFFFFF2)
    secondary_error_code : 0
    error_string : Keys do not match"
    At C:\Scripts\LetsencryptQA\letsencrypt1.1.ps1:441 char:103
    + ... om_pem($ManagementModetype, @($CertificateName), @($StringPem), $true ...
    + ~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SoapHeaderException

Importing the key with another name works though, which would indicate that the key exists somewhere. However:

    list sys file ssl-key | grep name
    Nothing
    list sys file ssl-cert | grep name
    Nothing
    ls -alR | grep name
    Nothing

And nothing in the GUI certificate list under any partition.

I have also:

- Done a mcpd reload and restarted the device.
- Manually imported the certificate and key in the Web UI (works, but then I can't reproduce the error)

Any clever ideas?

/Patrik

325 Views, 0 likes, 3 Comments

F5 LTM customized Packet cloning
Hello everybody,

I have an application using SMPP. SMPP is a TCP-based protocol and it establishes sessions to send traffic. SMPP has unique command IDs to establish sessions and tear them down; the image below is a simple protocol flow:

In the example below, in packet 8 of the attached tcpdump, you will see under the SMPP (Short Message Peer to Peer) layer a command ID: 0x00000009, which represents the bind command (establish a connection/SMPP session).

What I need is similar to the customized clone pool concept but on pool member level and on a certain condition. I need an iRule or maybe an iCall procedure to check for the SMPP bind command by scanning the packet PDU; a similar example is below:

https://devcentral.f5.com/questions/balancing-smpp-traffic-based-on-recipient-address

    when CLIENT_ACCEPTED {
        set s_seq_idx 1
        set first_bind_resp 1
        set smsc1
        set smsc2
        TCP::collect
    }
    when CLIENT_DATA {
        while { [TCP::payload length] > 16 } {
            binary scan [TCP::payload] IH8IIa* len oper status seq p
            if { [TCP::payload length] < $len &&} // We need here to add check for bind command id as well
            {
                TCP::collect $len
                return
            }

My challenge is to replicate the SMPP bind packet to all available pool members in a certain pool 😃. Once the SMPP bind packet is replicated, as a result we will get established SMPP sessions with all available pool members, and F5 LTM will then be able to load-balance other incoming traffic across all pool members as long as the connection is established. If the concept is OK, the rest is not challenging, as we need to consider other bind command IDs to be replicated (0x00000001, 0x00000002 and 0x00000009), and of course we need to replicate unbind as well (0x00000006) if possible.

Thank you so much in advance.

Sincerely, SAM

575 Views, 0 likes, 6 Comments