vmware
420 Topics

No traffic on network card in virtual Big-IP
Hi,

We have two virtual deployments of F5 version 17.1.2.2 in a VMware environment. Each deployment has 3 network cards:

- MGMT
- external (for VSs)
- internal (for backend pool)

Lately we started to experience a very strange behavior, where randomly, the external NIC stops receiving traffic. To resolve the issue we can restart the Big-IP, or disable/enable the NIC on the VM side.

When taking pcaps on the BIG-IP there's just nothing coming in, this is why the F5 support told us they can't troubleshoot if there's no traffic, and pointed us to VMware support. We took pcaps and logs on the VMware side and it looks like traffic is not passing from the hypervisor to the VM but the support doesn't see any errors.

Because the issue is random we can't simulate it. We tried to correlate the issue with VM migration, or external backups but couldn't pinpoint anything. We have a large virtual environment and this issue only occurs on two F5 machines (out of 400+ other VMs).

I'm not entirely sure, but I think the issue started after upgrading from version 16.1.4.1 to 17.1.2.2.

I was wondering if anyone stumbled upon something similar?

Thanks

128 Views, 0 likes, 4 Comments

Mgmt Interface Shows Up as TMM
So I have an F5-VE I'm working on that the Mgmt doesn't ping or accept SNMP requests. I opened a case with F5 and they say my 1.0 interface and my Mgmt interface have the same MAC.

    tmsh show sys mac-address | grep interface
    00:50:XX:XX:XX:XX net interface 1.2 mac-address
    00:50:XX:XX:XX:XX net interface 1.1 mac-address
    00:50:XX:82:b5:aa net interface mgmt mac-address
    00:50:XX:82:b5:aa net interface 1.0 mac-address
    00:50:XX:XX:XX:XX net interface 1.3 mac-address

I have never seen anything like this. Has anyone ever seen anything like this and what did you do to fix it? My plan is to remove the 1.0 boot and see what happens. Add it back if needed. From all the documents I've looked at, when that interface is created in VMware it should make a TMM interface it should make the Mgmt interface in the VLAN we specify when building it from the OVA.

73 Views, 0 likes, 1 Comment

Will Big-IP ver 17.5.X be supported on VMware ESXi?
I am in the process of deploying new Big-IP LTM VE edition on VMware ESXi platform.

From the F5 BIG-IP Virtual Edition Supported Platforms matrix page https://clouddocs.f5.com/cloud/public/v1/matrix.html, only ver 17.1.X is supported on ESXi version 8.0 U1-U3 and 7.0 U3.

Based on K5903: BIG-IP software support policy https://my.f5.com/manage/s/article/K5903, ver 17.1.X will be end of technical support by 31 March 2027.

The Big-IP ver 17.5.0 had just been released last month (27 Feb 2025), will it be supported on ESXi platform in the next release?

Solved - 224 Views, 0 likes, 1 Comment

APM :: VMware View :: Blast HTML5
I'm trying to get the APM functioning with VMware View Blast client - and I am having quite the time. I have tried the iApp (1.5) but haven't been able to get that to function either. At the moment, I have a manual configuration based off of the deployment guide.

The deployment guide says to create a forwarding virtual server, and the iApp does the same thing. Neither of which seem to be working for me.

So with the forwarding VS above created… I can log in fine, the webtop displays, the RDP link I have works great... the Blast HTML5 link... not so much.

If I click on the VMware View desktop shown above, it brings me to the following:

The error shown above is thrown around a lot by View, so it’s hard to say what the real problem is. I’ve seen that error displayed for straight-up communications issues in the past… which I think this is.

If I do a tcpdump on the BIG-IP, I can see it trying to connect to 8443, but it cannot connect (SYNs… no SYN/ACKs).

    11:27:30.022625 IP x.x.x.10.28862 > x.x.x.252.8443: Flags [S], seq 2246191783, win 4140, options [mss 1380,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/xxxxxxxxxxxxxxxxxxxx-https

Source is the floating IP, destination is the VS. I know 8443 is listening on the VMware View server because I can connect to it locally. And I know the VMware View server knows how to get back to the F5 because it populates the webtop with my available desktop(s) shown above.

I tried converting the forwarding VS to standard, assigned a pool, etc… and it still did the same thing. SYNs… no SYN/ACKs.

What might be telling though is the lis= above. It lists my main virtual server with the APM policy assigned. That makes me think though… Why is it trying to connect to that VS and not the forwarding VS? The forwarding virtual server is a better match, no? In any event, yeah if the virtual server isn’t listening on 8443, of course it won’t reply back (my thought process anyway).
So I figure… welp, why not just try an “any” port VS… yeah not so much.

If I manually remove the :0 and submit, it loads the same error about the certificate. Nothing shows up in tcpdump trying to connect to 8443 either - so, a step back.

If anybody happens to have any ideas for me, I would be really appreciative.

Thanks!

781 Views, 0 likes, 11 Comments

BIG-IP : iRule return statement
From the docs:

Causes immediate exit from the currently executing event in the currently executing iRule. iRule processing is not aborted, and subsequent events will be triggered and evaluated.

Note that return does not:

- cause an exit from the iRule altogether;
- prevent the same event from firing in another iRule; or
- prevent the same event with a higher priority value from firing in the same iRule.

To prevent further processing of an event in the current rule or other rules for the current TCP connection, you can use 'event EVENT_NAME disable'.

Here are my questions:

- How can the same event exist more than once within a single iRule?
- Does 'current TCP connection' refer to a session that is maintained across multiple request-response sequences from a given client-browser? Or does each new request initiate a new TCP connection?

1.4K Views, 0 likes, 1 Comment

irule class match each query param separately
Data Group dg1

    param1=p11&param2=p21 := host1
    param1=p12&param2=p22 := host2

The problem is that some request urls might list their query params in reverse order:

    param2=p21&param1=p11

Therefore I need to match query params individually. So I have two problems to solve:

- extract from [HTTP::query] the param segments for param1 and param2
- determine if both param1_segment and param2_segment are found together in some key in dg1

So something like:

    set param1 "param1"
    set param2 "param2"
    set param1_segment = [[HTTP:query] $param1]
    set param2_segment = [[HTTP:query] $param2]
    if { (class match $param1_segment&$param2_segment equals dg1) or (class match $param2_segment&$param1_segment equals dg1) } {

NOTE: I know the above is wrong in terms of both language elements and syntax. I'm just providing to better describe the problem I need to solve.

Because my use-case might extend to 3 query params (in any order) it might be better to AND together class match for each query param segment.

480 Views, 0 likes, 2 Comments

ADFS 3.0 Monitor not working
Hi All,

I have been tussling with this for a couple of days now. I have used the links http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf and https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni to follow with no success. I have uploaded the script and set the variable but I still get the monitor down. When I browse directly to the server I am able to get to the sign-in page, so I know at least ADFS configuration is correct.

Below is the script I am using:

    #!/bin/sh
    # These arguments supplied automatically for all external monitors:
    # $1 = IP (nnn.nnn.nnn.nnn notation)
    # $2 = port (decimal, host byte order)
    #
    # This script expects the following Name/Value pairs:
    # SNI = the host name of the SNI-enabled site
    # URI = the URI to request
    # RECV = the expected response

    # Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
    NODE=`echo ${1} | sed 's/::ffff://'`
    if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then
        # node is v4
        NODE=${NODE}
    else
        # node is v6
        NODE=[${NODE}]
    fi
    PORT=${2}
    PIDFILE="/var/run/`basename ${0}`.sni_monitor_${SNI}_${PORT}_${NODE}_sni.pid"

    # kill of the last instance of this monitor if hung and log current pid
    if [ -f $PIDFILE ]
    then
        echo "EAV exceeded runtime needed to kill ${SNI}:${PORT}:${NODE}" | logger -p local0.error
        kill -9 `cat $PIDFILE` > /dev/null 2>&1
    fi
    echo "$$" > $PIDFILE

    curl-apd -k -v --resolve $SNI:$PORT:$NODE https://$SNI$URI 2>&1 > /dev/null | grep -i "${RECV}"
    STATUS=$?
    rm -f $PIDFILE
    if [ $STATUS -eq 0 ]
    then
        echo "UP"
    fi
    exit

Variables are:

    SNI= sso.mysite.com
    URI= adfs/ls/idpinitiatedsignon.htm
    RECV= HTTP/1.1 200

Please assist if you can. Thanks!

752 Views, 0 likes, 10 Comments

11.4.0 unable to import 3M-record external data-file
f5 BIG-IP LTM VE v11.4.0
ESXi VM allocated with 200 GB HDD, 16 GB RAM

System > File Management > Data Group File List > Import > point to 3M-record data-file on disk (216 MB)

I receive the error: "File upload failed, please check log file for details"

I review all logs but don't see any entries related to data-file load.

System > File Management > iFile List > Import > point to the same 3M-record file

I receive the same error.

Examining /var/log/ltm I see:

    err diskmonitor: 011d0004: Disk partition _root_ has only 0% free

but the timestamp of this error does not coincide with my attempted file uploads. I assume _root_ refers to the Linux disk partition -- why would I receive an error showing 0% free?

In /var/log I see tmm, tmm1, tmm2, tmm3

716 Views, 0 likes, 29 Comments

bigstart restart now logs not being written
I successfully completed a bigstart restart sequence (logs show everything coming back up as expected). However, now logs that should be written by my irule are not being written.

Also, I've been restarting BIG-IP to force data-group-files to be re-cached, but is there a better way?

259 Views, 0 likes, 2 Comments