iquery
13 Topics

iQuery fails between GTM & LTM
POST EDITED

Hi all,

Last night I attempted to enable iQuery between our GTMs and LTMs, however, it failed. To walk through the steps, here's what I did:

1. Ensured the Self-IPs on the LTMs to which I would be establishing the iQuery were set to Port Lockdown "Allow Default".
2. Tested that iQuery, SSH and HTTPS were not blocked via any firewalls: nc -v -s GTM IP <-> LTM IP 4353/22/443. All returned a success. Great!
3. Attempted to run the bigip_add command from the GTM -> LTMs in DC1 by targeting the LTM Self-IPs: bigip_add
4. Attempted to run the big3d_install command from the GTM -> LTMs in DC2 by targeting the LTM Self-IPs.

From the GTMs to one set of LTMs (in data centre 1) I received the following output:

Retrieving remote and installing local BIG-IP's SSL certs ...
Enter root password for -a if prompted
ssh: mkdir -p /config/big3d; if [ -e /config/httpd/conf/ssl.crt/server.crt ]; then cat /config/httpd/conf: Name or service not known
ERROR: Can't read remote cert via /usr/bin/ssh.
Enter root password for admin@x.x.x.x if prompted
ssh_exchange_identification: Connection closed by remote host
ERROR: Can't read remote cert via /usr/bin/ssh.
==> Done <==

On the other link, that is, the GTMs to the LTMs in data centre 2, I received a different problem:

Unable to retrieve version and platform information via iqsh for x.x.x.x
Attempting via ssh ...
Password: (Entered password 3 times)
Permission denied (publickey,keyboard-interactive,hostbased).
Unable to retrieve tmsh and/or big3d versions from x.x.x.x

Regarding the first issue I found an article that seems to describe our first problem: "SOL13823: The bigip_add script fails to connect to BIG-IP systems running in Appliance mode" http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13823.html However, our LTMs are not in appliance mode, but our GTMs are!? And in addition, we actually already have an iQuery between another pair of LTMs and these very same GTMs.
Regarding the second issue, as per the steps above the big3d versions were different, so I attempted to run the big3d_install command. I'm wondering if the admin user I am putting in doesn't have the correct permissions. Currently the admin user does not have tmsh rights. Could this be the issue?

The versions we're running are: GTMs: 11.2.1, LTM (DC1): 11.4.1, LTM (DC2): 10.1.0

Any advice? Thank you

iQuery / Big-IP DNS server certificate trust problem
Unable to establish iQuery between BIG-IP devices. Connectivity is in place but failing with:

SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I take this to be a certificate chain failure. The device certificates have been added to both DNS > GSLB > Servers > Trusted Server Certificates and System > Cert Mgmt > Device Cert Mgmt > Device Trust Certs. Yet, still no joy; running openssl confirms trust issues. Device certs are issued by a 2 tier PKI (intermediary and root). Big IP is 13 HF 2. Any suggestions? Is it commonplace to be using internal certs here?

choosing self-IPs for iQuery communication
I'm looking for advice on choosing self-IPs for iQuery communication between BIG-IP DNS (GTM) and LTM. We considered using the LTM virtual server self-IPs, but that net is most likely to experience external (DDoS) attacks. We could configure a small network just for iQuery, but that seems like overkill. I'm curious to hear any thoughts/best practices regarding how self-IPs were chosen for bigip_add to exchange iQuery SSL certificates with a remote BIG-IP system and ongoing iQuery communication.

GTM Multiple iQuery Connections to same LTM
Hi, I've noticed that GTMs typically have multiple iQuery connections going to the same LTM. Does this serve some kind of purpose? Are there different status updates from each IP in this case, or would the information just be getting duplicated across each connection? Thanks

iQuery not Returning VIP data from LTM
I have a GTM (12.0.0) and an LTM (12.0.0) set up and have gone through the steps to set up communication between them using bigip_add. When I run an iqdump on the GTM, I see "server" data and "getconfig_element" data being returned but not "vip" data. I run tcpdump on the LTM and I see iQuery communications coming in and going out of the LTM. Based on this, I assume the trust is set up correctly. The LTM has a "Green" status and I can go directly to it and reach my web server. The problem is, the GTM shows the LTM object as "Red" and will not return the IP address. We verified the LTM object defined in the GTM has the correct IP address and port number. Has anyone seen this before? Thanks

GTM issue - GTM on v11.3 and LTMs on v10.2.1 with route domains
Hi all,

We just upgraded our GTMs to v11.3 HF7 from 10.x since we had a requirement to run route domains on the LTMs. I created a new partition with a default route domain on the LTM. I have added the LTM server on the GTM (using Self-IPs from the new route domain network). When I add the Virtual server object under the server in the GTM, it is marking it offline. I see the following log in /var/log/gtm:

Aug 26 10:54:16 esgtmlab4 alert gtmd[8759]: 011ae0f2:1: Monitor instance /Common/bigip 10.151.67.77:443 UNKNOWN_MONITOR_STATE --> DOWN from /Common/ESGTMLAB5 (no reply from big3d: timed out)

Your help is appreciated. Thanks!

f5 enterprise manager fails to connect to LTMs
Hello,

I have a handful of LTMs that can't communicate with EM. About half can talk to the EM and half can't. The LTMs are 11.4.1 and EM is 3.1.0. The EM talks to the LTMs fine, with iQuery communication in the dump logs being OK. On one of the LTMs in question, an engineer who is still working on the case that I have already open found these errors a couple of days ago:

May 21 14:44:18 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id D6E738E8-1974-626A-2E52-EF1569494AD FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress.
May 21 16:31:33 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id 7451CF6C-1974-F300-1696-9E58A25A09A FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress.

Anyone run into this before? Thanks