F5 Blog

30 entries, 3 comments, 315 views

What SNAT address assigned to traffic?

It's quite difficult to troubleshoot traffic issues when a SNAT is assigned from a pool since it's random and changes every time a new connection is established. Below are some hints on how to IDENTIFY what SNAT is assigned to the traffic using tmsh show sys connection. SNAT stands for Source Network Address Translation. IDENTIFY what SNAT is assigned to the traffic from user source IP 74.32.5.21 (typically you don't want to specify the source port since it's randomly generated) tmsh sh

rev.dennis
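
As an added example (not from the post above), a small shell/awk helper that pulls the SNAT address out of tmsh show sys connection output for one client IP. It assumes the record layout is clientside client, clientside server, serverside client, serverside server, protocol, idle time, tmm; the serverside client column is the address the BIG-IP presented to the pool member, i.e. the SNAT. The sample output is constructed and IPv4 only:

```shell
#!/bin/sh
# Added example, not the blog post's own code.
# Parses the output of:  tmsh show sys connection cs-client-addr <client-ip>
# Assumed column layout (IPv4): clientside client, clientside server,
# serverside client (= SNAT address), serverside server (= pool member), ...

# Constructed sample; on a BIG-IP this comes from tmsh.
SAMPLE_CONNS='Sys::Connections
74.32.5.21:51234  10.10.1.100:443  10.20.0.11:41002  10.20.0.50:8443  tcp  12  (tmm: 0)  none
74.32.5.21:51240  10.10.1.100:443  10.20.0.12:41110  10.20.0.51:8443  tcp  3  (tmm: 1)  none
74.32.5.21:51301  10.10.1.101:80   10.20.0.11:41390  10.20.0.52:8080  tcp  45  (tmm: 0)  none
Total records returned: 3'

# snat_for_client CLIENT_IP < tmsh-output
# Prints "client:port -> snat:port -> member:port" for each record whose
# clientside client address matches CLIENT_IP (any source port).
snat_for_client() {
    awk -v client="$1" '
        # only real records start with an IPv4 address:port; skips header/footer
        $1 ~ /^[0-9.]+:[0-9]+$/ {
            split($1, c, ":")
            if (c[1] == client) {
                printf "%s -> %s -> %s\n", $1, $3, $4
            }
        }'
}

# snat_addresses_for_client CLIENT_IP < tmsh-output
# Distinct SNAT addresses (no port) seen for that client; with a SNAT pool
# this is the list you need when asking the backend team what to look for.
snat_addresses_for_client() {
    snat_for_client "$1" | awk '{ split($3, s, ":"); print s[1] }' | sort -u
}

# Live use on the BIG-IP would be:
#   tmsh show sys connection cs-client-addr 74.32.5.21 | snat_for_client 74.32.5.21
printf '%s\n' "$SAMPLE_CONNS" | snat_for_client 74.32.5.21
```

The filter keys on the clientside client address only, so it matches every connection from that user regardless of the random source port, which is the case the post describes.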

Viprion troubleshooting commands

Here are some useful commands I use to troubleshoot the Viprion chassis Check the state of all the vCMP Guests [root@txsat1slbcov02-ch:/S1-green-P::Active:Standalone] config # tmsh show /vcmp health prompt ------------------------------------------------- Vcmp::Guest Prompt Name           Slot ID                     Prompt ------------------------------------------------- txsat1slbco02        1       /S1-green-P::Standby txsat1slbco12        3    /S3-yellow-P::avrd DOWN txsat1slbco14  

rev.dennis

Utilize BIG-IQ to update admin & root passwords on all F5 Devices

With the F5 BIG-IQ tool you can update the admin and root passwords for all the devices you manage, or just a select few, and it's fast and very easy to do. When you manage BIG-IP devices from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time. Note: You can change the passwords for several BIG-IP devices simultaneously only if they have the s

rev.dennis

Using ssldump on F5

You can use the ssldump utility to examine, decrypt, and decode SSL-encrypted packet streams managed by the BIG-IP system. The ssldump utility can act on packet streams real-time as they traverse the system, or on a packet capture file saved in the libpcap format, such as that produced by the tcpdump utility. Although it is possible for the ssldump utility to decode and display live traffic real-time as it traverses the BIG-IP system, it is rarely the most effective method to examine the volumin

Cowboy Denny

Using BIG-IQ to troubleshoot

If you have BIG-IQ in your environment to help manage/monitor your applications then let me help you understand how to use some cool features of BIG-IQ. Many times you have several F5's in your environment and trying to identify which F5 has the application you need to troubleshoot is kind of a pain in the butt unless you have BIG-IQ. The first thing I do, if someone says they have an issue with their application, is ask for the FQDN or the URL that is having issues. The next thing I do is

guru

Unable to remove device due to linked applications

So you are in BIG-IQ and for some reason or another BIG-IQ is asking you to remove the device and add it back in to re-establish trust, but wait.. you can't because Applications are linked to that device. Here are some steps to follow to remove an application. So say you are trying to remove the LTM service from a device and it's saying you can't remove the device because this application is linked to it: t_10.47.32.9_openpagescc-dev.int.thezah.com._app So you need to find the conf

rev.dennis

Unable to Redirect using Policy

Ran into an issue last night where I had to redirect https://example.thezah.com/ to https://example.thezah.com/?idp_id=two Attempted a few different ways of redirecting the URI in the Policy and they all didn't work. Ran into a few issues... When creating the Redirect_URI policy under the do the following: Replace - HTTP URI - path with value /?idp_id=two at request time What would happen is when you enter the value /?idp_id=two and save, F5 would change it to

guru

Troubleshooting proxy and/or 3rd party URLs

This is extremely useful for troubleshooting external URLs going through proxy / eGTMs / iGTMs and all other sorts of combinations. What I really like about it is it really gives good data for different touch points: 1. time_namelookup 2. time_connect 3. time_appconnect 4. time_pretransfer 5. time_redirect 6. time_starttransfer It helped me in handling external 3rd party URLs and their response times, handshake failures.

guru
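
As an added example (not the post's own command), the curl -w variables named above wired into a reusable format string, plus an awk helper that turns curl's cumulative timers into per-phase durations (DNS, TCP connect, TLS handshake, time to first byte, download). The variable names are curl's own; the sample timing line is constructed, and the proxy host in the usage comment is a placeholder:

```shell
#!/bin/sh
# Added example, not the blog post's own code.
# Covers the six touch points the post lists (plus time_total and http_code)
# and converts them into per-phase durations so a slow handshake, a slow
# proxy connect or a slow origin can be told apart at a glance.

CURL_TIMING_FMT='namelookup=%{time_namelookup} connect=%{time_connect} appconnect=%{time_appconnect} pretransfer=%{time_pretransfer} redirect=%{time_redirect} starttransfer=%{time_starttransfer} total=%{time_total} http=%{http_code}\n'

# curl_timing URL [extra curl args...]
# Needs network, so it is not exercised below. Example through a proxy
# (proxy.internal is a placeholder):
#   curl_timing https://example.com/ -x http://proxy.internal:3128
curl_timing() {
    url=$1; shift
    curl -s -o /dev/null -w "$CURL_TIMING_FMT" "$@" "$url"
}

# phase_durations < one line of curl_timing output
# curl's timers are cumulative from the start of the request, so each
# phase is the difference between neighbouring timers:
#   dns      = time_namelookup
#   tcp      = time_connect      - time_namelookup
#   tls      = time_appconnect   - time_connect   (0 for plain HTTP)
#   ttfb     = time_starttransfer - time_pretransfer (server think time)
#   download = time_total        - time_starttransfer
phase_durations() {
    awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); t[kv[1]] = kv[2] }
        tls = (t["appconnect"] + 0 > 0) ? t["appconnect"] - t["connect"] : 0
        printf "dns=%.3f tcp=%.3f tls=%.3f ttfb=%.3f download=%.3f redirect=%.3f http=%s\n",
            t["namelookup"],
            t["connect"] - t["namelookup"],
            tls,
            t["starttransfer"] - t["pretransfer"],
            t["total"] - t["starttransfer"],
            t["redirect"],
            t["http"]
    }'
}

# Constructed sample line in the format curl_timing prints.
SAMPLE_TIMING='namelookup=0.012 connect=0.045 appconnect=0.210 pretransfer=0.211 redirect=0.000 starttransfer=0.980 total=1.100 http=200'
printf '%s\n' "$SAMPLE_TIMING" | phase_durations
```

With a proxy in the path, time_connect is the TCP connect to the proxy, not to the origin, so a large tls value on a proxied HTTPS request usually means the CONNECT tunnel plus the handshake to the origin, while a large ttfb points at the origin or the proxy's own upstream fetch.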

Splunk Request Logging

Assumptions: Log volume will be huge and will only be turned on for critical applications, and only in production. This can be tested in Dev/Pre-prod prior to moving to production but needs to be turned off immediately. This will not cause performance issues because of the High-Speed Logging (HSL) feature. This logging feature can also be turned on for troubleshooting purposes if required. Dependencies: The enterprise Splunk team should provision dedicated storage for the new applications with F

guru

Software Upload Error

Trying to upload a file that got aborted previously, either because of a loss of connection or navigating away from the page while uploading (it happens). So when you try to upload again you get an error message like this. What is the answer? What can you do? Well, just ssh to the BIG-IQ CM device and navigate to /shared/images/tmp. There you will, more than likely, find the partial image that was trying to upload. Just delete it and go back to the GUI and try again. AND

rev.dennis

Show Connections on F5

Here are some commands you can use to troubleshoot connections on your F5. The following command will help you see how many active connections there are to the F5 in total, broken out by client and server. tmsh show sys performance connections Sys::Performance Connections --------------------------------------------------------------------------- Active Connections Current Average Max(since 03/02/14 08:13:41) -------------------------------------------------------------------

rev.dennis

Send BIG-IQ logs to Splunk

Need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5's running AWAF. First, setting up logging was pretty easy to do: System Tab – Audit Log – Syslog Servers. Enter NAME and IP address of syslog servers and TCP 514. NOTE: I tried the newer rfc5424 and got nothing in Splunk so have to leave the old school rfc3164. Next, found some interesting articles https://techdocs.f5.com/kb/en-us

rev.dennis

No Statistics on BIG-IQ from BIG-IPs

After upgrading to 8.0 I am unable to get any stats, which means the Applications tab doesn't work and just kicks out an error, and the same thing for most everything under the Monitoring tab. What did I try? I removed the BIG-IP device and re-added it, with the same results. I removed DCD and re-added it, which took about an hour each because it would hang on ES_ service. What worked? These steps will only affect the configuration between the BIG-IQ and the DCDs, none of the B

rev.dennis

LTM Migration compare OLD to NEW

When migrating you want to make sure you don't miss anything, so here are a few commands that I run to help me make sure what was on the old is on the new. CONFIGURATION PHASE Virtual Servers First objective is to check to make sure all the Virtual Servers are present. If you aren't changing IP addresses then all I grab is the destination field since in many cases the name and/or partition may change. For example we are moving to deploying all our Virtual Servers using JSON forma

guru

iQuery issues troubleshooting

REQUIREMENTS: For the BIG-IP DNS synchronization group members to properly synchronize their configuration settings, verify that the following requirements are in place: BIG-IP DNS synchronization group members must be running the same software version A BIG-IP DNS device should be running the same software version as other members in the synchronization group. BIG-IP DNS devices that are running different software versions will not be able to communicate and properly synchro

guru

Identify SSL Profile with Virtual Server

Sometimes you just need to know what SSL Profile is attached to what Virtual Servers. Here are a couple of cheats I use.. maybe it helps ya, maybe it don't. Simple command to run that looks in every partition: tmsh -q -c 'cd / ; show ltm virtual recursive profiles' | egrep 'Ltm::Virtual Server:| Ltm::ClientSSL Profile:' You can always tack on | grep virtualservername OR To find what virtual servers have a certain ssl profile, you can tack on | grep -B1 sslprofile name

wildweaselmi
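
As an added example (not from the post), the two grep cheats above turned into a small awk parser over the same tmsh output shape, so both lookups (the client SSL profile on a given virtual server, and the virtual servers using a given profile) come from one function, and virtual servers with no client SSL profile are listed too. The sample tmsh output is constructed; the virtual server and profile names in it are placeholders:

```shell
#!/bin/sh
# Added example, not the blog post's own code.
# Parses the output of:
#   tmsh -q -c 'cd / ; show ltm virtual recursive profiles'
# Only the two line types the post greps for matter:
#   Ltm::Virtual Server: <name>          (unindented)
#     Ltm::ClientSSL Profile: <name>     (indented, under its virtual server)

# Constructed sample output with placeholder names.
SAMPLE_PROFILES='Ltm::Virtual Server: /Common/vs_app1_https
-------------------------------------------------
  Ltm::ClientSSL Profile: /Common/app1_clientssl
  -----------------------------------
  Ltm::Http Profile: /Common/http
Ltm::Virtual Server: /Common/vs_app1_http
-------------------------------------------------
  Ltm::Http Profile: /Common/http
Ltm::Virtual Server: /Dev/vs_app2_https
-------------------------------------------------
  Ltm::ClientSSL Profile: /Common/wildcard_clientssl
  Ltm::ServerSSL Profile: /Common/serverssl
Ltm::Virtual Server: /Dev/vs_app3_https
-------------------------------------------------
  Ltm::ClientSSL Profile: /Common/wildcard_clientssl'

# vs_clientssl_map < tmsh-output
# One line per virtual server:  <virtual server>\t<clientssl profile>
# A virtual server without a client SSL profile gets "-" so plaintext
# listeners are visible instead of silently dropped by a grep.
vs_clientssl_map() {
    awk '
        function emit() { if (vs != "") printf "%s\t%s\n", vs, (ssl == "" ? "-" : ssl) }
        /^Ltm::Virtual Server:/ { emit(); vs = $3; ssl = ""; next }
        /^ *Ltm::ClientSSL Profile:/ { ssl = $3 }
        END { emit() }'
}

# profile_for_vs VS < tmsh-output      -> the clientssl profile, or "-"
profile_for_vs() {
    vs_clientssl_map | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# vs_for_profile PROFILE < tmsh-output -> every virtual server using it
vs_for_profile() {
    vs_clientssl_map | awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# Live use on the BIG-IP would be:
#   tmsh -q -c 'cd / ; show ltm virtual recursive profiles' | vs_for_profile /Common/wildcard_clientssl
printf '%s\n' "$SAMPLE_PROFILES" | vs_clientssl_map
```

Keying on the unindented Ltm::Virtual Server: line and the indented profile line avoids the grep -B1 trap where a virtual server carries other profiles between its name and its client SSL profile.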

How to Decrypt SSL Traffic on LTM

For this to work you need to decrypt the traffic as it comes in. It's too late if you did a capture and all the traffic is encrypted. So this entry is for those of you that would like to do some work ahead of time on the F5 and then have the user do some application testing while you are running a tcpdump. In many cases for me, I have only needed to do this on our DMZ LTM, which is where our F5 works as an SSL Bridge. SETUP Put the source IPs in a txt file. I'm calling mine /var/t

Cowboy Denny

Health Monitors

So Health Monitors are a big deal to ensure your pool members are up and working. Obviously a health monitor tells whether a pool member is up or down, and when it's down the pool won't send any traffic to that pool member. Now you can assign health monitors two different ways. The right way and the wrong way, but sometimes the wrong way is the right way, but not the majority of the time… it's more of a custom thing. Let me explain further. Example of a pool health monitor ltm pool /I

rev.dennis

F5 LTM and tcp timeouts

I got this request that stated Increase the tcp timeout client  to 7 mins. This is out of the norm for requests so I figured I would share my findings in the event anyone else might run into this same thing. So if you don't do anything and just apply the standard tcp protocol profile the timeout is 5 minutes.  Do I trust that the user knows that they need exactly 7 minutes for a timeout?  No so I utilize an existing tcp protocol profile called tcp.15.minutes which just increases t

rev.dennis

F5 Identify what Changes are Pending

So when a change is done on an F5 that is part of a device group (making it HA), the box will display Changes Pending until synced. You can use tmsh to show the most recent changes to a device group by running the following command. You can identify the device-group by simply typing tmsh show /cm sync-status tmsh show cm device-group <device_group> These are the two entries to pay attention to: CID Time (UTC) 2019-Mar-27 10:07:21 LSS Time (UTC)

rev.dennis

F5 GTM/DNS Load Balancing Modes

This will be the description of the different modes. Topology Load Balancing Mode: Topology is a proximity-based load balancing mode that allows you to direct traffic by defining topology records and selecting the Topology load-balancing mode for the wide IP or pool. The Topology mode bases the distribution of requests on the topology records and the weighted scores configured for each record. The topology records direct DNS queries to the closest virtual server, based on g

rev.dennis

F5 GTM-DNS Sync Group

This is to help better explain the purpose of a sync group on the F5 GTMs, otherwise known as BIG-IP DNS. The following figure shows that, after a configuration change is made on the Los Angeles BIG-IP DNS system, the local big3d process initiates an iQuery connection to BIG-IP DNS sync group members in New York and Europe and advertises the updated configuration to the remote gtmd processes. Synchronization details When you configure BIG-IP DNS synchronization, the sync

guru

Deploy unavailable Virtual Server via AS3 JSON

I am migrating from End Of Life hardware to a new vCMP Guest and with the migration I am deploying all the applications using JSON and AS3 (through BIGiQ). So we would like all the applications to be staged on the F5 in a disabled state and, as we migrate each application with the team on the phone for verification, I just want to make the change in JSON and push to the F5 and disable the Virtual Server on the legacy EoL box and BOOM, live traffic on the new box. Why disabled state? I d

rev.dennis
