CPU utilization of F5OS on r2600
We have installed a new r2600 cluster and configured successful SNMP-monitoring. Here I must notice, that the CPU utilization of the F5OS with an average of more than 50% and peaks up to 90% is relatively high. The CPU utilization of the tenant looks fine with an average of around 15%. There is currently no active configuration on it nor any virtual server traffic passing the device. Is this a normal behavior, especially in comparison to the r5600 platform, where the F5OS CPU utilization average is at around 10%? Thank you! Regards, Stefan :)F5OS VLAN naming length restrictions
I must notice, that there seems to be a length restriction when creating VLANs on F5OS. I'm allowed to enter long names on F5OS-level without any warnings or errors, but when assigning them to a tenant, the name within the tenant will be truncated if its longer than 31 characters. It looks like this, means there is a suffix in the format of "-T<VLAN-ID>.0" On F5OS-level it looks like this: Is this a normal behavior? Can or will this be fixed? And are there any other such restrictions for other configuration items? For your reference, we are running F5OS 1.8.3 and BIG-IP 17.5.1.3. Thank you! Regards, Stefan :)SNMP Monitoring/OIDs for rSeries
I'm currently configuring the required OIDs for monitoring our new rSeries, but I'm wondering if the provided MIBs contain all information? I'm searching especially the values from the GUIs dashboard for Memory Utilization and Storage Utilization like in the following screenshot: Also the mentioned "Base OS Version" and "Service Version" details seems to be not part of the MIB. I only found it under the OID .1.3.6.1.2.1.1.1.0 -> SNMPv2-MIB::sysDescr.0 = STRING: F5 rSeries-r5600 : Linux 3.10.0-1160.119.1.f5.1.el7_8.x86_64 : Appliance services version 1.8.3-23453. Where does the GUI render these information from? Is it possible to poll these details via SNMP as well? Any more details would be very helpful! Thank you! Regards, Stefan :)Is there F5 Virtual Wire(vWire) variable support for vCMP or rSeries tenant?
Hey Everyone, Is there F5 Virtual Wire(vWire) variable support for vCMP or rSeries tenant? I am asking this about vCMP iSeries or rSeries 5800 as the vWire is created on the host and allocated to the tenant but for example in Virtual-wire Configuration and Troubleshooting | DevCentral there are system db variables and how are those supported in this case ? Do you configure this from the vCMP quest or Tenant or from the vCMP host or rSeries appliance ?
Credentialed Scanning - F5OS - Rseries
After solving the remote authentication issue previously with F5OS. My next question is related to credentialed scanning on R series appliances running F5OS. The tenable agent logs in via SSH and tries to run commands in the shell to pull system information. This has never been on issues on the iseries appliances and BIG-IP guests as they allow uses directly to the shell upon login. All linux commands run as intended. F5OS is a new beast for me to understand as it dumps you into its own OS. The shell is protected and only root at the local level is allowed access to the linux shell. This is the issue I face with credentialed scanning. Authentication works perfectly fine but the ability to run the proper commands at the appropriate level seems to be locked and it doesn't appear I can grant shell access to remote accounts. Anyone have any experience running authenticated scans on their rseries appliances with f50S?
Issue with 2 parallel F5 clusters
Hello everybody and first of all thank you for taking the time to read my issue! The issue that I have is in regards to a migration We have a productive F5 BigIP cluster (Active/Standby), let's call this "Old F5", which has a lot of Virtual Servers in partitions, with specific pools and monitors for each application/service This device also has 2 Vlans, internal (vlan11) and external (vlan10), and 2 interfaces in an LACP that it's tagged on both Vlans, and it's connected to the same one leg to a Cisco APIC It has 2 Self IP addresses (one for each Vlan): 10.10.10.1-Vlan "external" 10.20.20.1-Vlan "internal" (numbers are just for example) It also has 4 Floating IP address (2 for each Vlan) with 2 traffic groups: 10.10.10.2-Vlan external traffic group 1 10.10.10.3-Vlan external traffic group 2 10.20.20.2-Vlan internal traffic group 1 10.20.20.3-Vlan internal traffic group 2 This device (cluster) has to be replaced by another F5 BigIP cluster (let's call this new F5), this device is an identical copy to the old F5 (the config was took from the old one and imported to the new one), meaning same Vlans, monitors, pools, VServers IP addresses etc At the moment this one has the 2 interfaces disabled and a blackhole default reject route set up in order to not interfere with the old F5 which is the productive one. The ideea is to configure the new F5 device with IP addresses from the same subnet (for example 10.10.10.5), and disable all the Virtual Servers so it doesn't handle traffic (the nodes, monitors, pools stay up on both devices), and have the 2 F5 devices, old and new, running in parallel and then move the Virtual servers one by one by just disabling the VS on the old F5 and enable it on the new F5. At this point we also remove the blackhole route, configure the correct default static route (the same which is on the old F5), and enable the interfaces This sounded and looked good, on the new F5 the nodes, pools are green and the Virtual servers are disabled as expected. On the old productive F5 everything is up and green BUT if I try to reach one of the Virtual servers, either by the Virtual IP address or hostname the attempt just times out without any response (if I try to telnet to the VS on port 443 it connects meaning that the old F5 accepts the traffic) I tried to disable on the new F5 also the nodes but still the same behaviour, the only to get it back to work is to disable the interfaces on the new F5 and add the default reject blackhole route. This is not how I imagined it to work, in my mind I was expecting that the old F5 will work as normal, and the new F5 device will see the nodes and pools up (confirming good communication) but don't handle any traffic regarding the Virtual servers because they are disabled. Does anyone have any idea what is causing this issue, why when both F5 devices are up in parallel, the connection to the Virtual server through the old productive F5 times out while that F5 sees both the pools and Virtual servers as up and running. Thank you in advance!
HA between rSeries tenant and iSeries appliance.
According to F5 documentation, the BIG-IP system supports either homogeneous or heterogeneous hardware platforms within a device group. I want to confirm if anyone has tried to put rSeries tenants and iSeries appliances in the same cluster? Obviously, I understand they will need to be on same version and of course vlans will be same on both. If you have tried this before, what were your challenges and how did you overcome them? I am considering this approach because it makes migration easier and seamless.
r4600 Tenant CPU Assignment
The r4600 has 12 CPUs (by default) available for a max of 2 tenants. My initial thought was to assign 6 CPUs to each but that is not an option. 4, 8, or 12 are the only options. Question: Are these options of 4, 8, or 12 CPUs arbitrary or do they have to do with the Atom chip architecture? It seems like a waste. I can either do 4 CPUs each wasting 4 or do a 4 CPU tenant and an 8 CPU tenant. The only other option would be to purchase the license for the additional 4 CPUs to make each tenant 8 CPU. Regards, MattrSeries Management route
Hi Experts, I have a situation in rSeries where I want to define a management route for a specific IP (outside the OOB network). I'm facing a scenario where this server is outside the OOB network and cannot be reached from rSeries. I can see from the PCAP that rSeries is able to receive the ICMP request, but rSeries is not sending an ICMP reply and only an ARP request, as if it doesn't know how to reach the server IP. The following steps I tried but still fail: Adding the allowed IP address: server network and server IP with all protocols. Adding a route to the Linux kernel. Note that only the IP outside the OOB network is not reachable, and no ACL/FW in between. Thanks.
