Forum Discussion

F5_guy_380365
Jan 02, 2019
Solved

How can one see the relation between a virtual server and a lease pool in the CLI configuration while configuring APM for the SSL VPN?

I am trying to see how I can develop/see a relation between the virtual server and the lease pool in the APM config file while using it for the SSL VPN.

 

Thank you in advance, J

 

  • Hello Sanjay,

    It is generally best to make configuration changes in the GUI instead of the CLI when it comes to APM. In my experience running APM configuration straight from the CLI usually results in one mistake or another, as settings are forgotten or misconfigured.

    That being said, it is pretty simple to view your APM configuration using 'list.' Here are some basic commands to figure out how your leasepools, VPNs, and servers are related, and to prove how they have been configured. Run:

    tmsh list apm resource leasepool
    

    to view information about all your leasepools, and

    tmsh list apm resource network-access
    

    to view configuration information about your VPNs.

    This should give you some very basic information about their configuration, all of which can also be viewed from the GUI. Since leasepools and VPNs are assigned to an Access Policy/Profile, which is then attached to a virtual server, viewing the server and your policy individually would likely be the best way to show a relationship between the two.

    To view information about your virtual server, use

    tmsh list ltm virtual 
    

    In the output for that command, there will be a profiles section. You will see your Access Profile listed there. And to view your specific Access Policy and Access Profile, use:

    tmsh list apm policy access-policy 
    

    and

    tmsh list apm profile access 
    

    With all of these together, you can prove that your VPN and lease pool have been assigned to your Access Profile, and that your Access Profile has been assigned to your virtual server.

    I hope this helps you figure out the relationship between your VPN and your Virtual Server. Feel free to ask if you have any follow-up questions,

    Austin

4 Replies

    • F5_guy_380365

      Austin, thank you for taking the time and replying in such great detail. However, I am still not 100% sure which configuration lines in the output show that the virtual server and lease pool are connected. I am attaching the output for the profile New below and I'd appreciate any input. I can see the resource pool is under the virtual server, but how can I see such a relation between the lease pool and the virtual server?

      Here is the configuration output from the given commands.

      [admin@localhost:Active:Standalone] ~ tmsh list apm profile access New
      apm profile access New {
          accept-languages { en }
          access-policy New
          app-service none
          default-language en
          generation 1
          generation-action noop
          log-settings {
              default-log-setting
          }
          modified-since-last-policy-sync true
          type all
          user-identity-method http
      }
      [admin@localhost:Active:Standalone] ~ tmsh list apm policy access-policy New
      apm policy access-policy New {
          caption general
          default-ending New_end_deny
          items {
              New_act_av_software_check {
                  priority 1
              }
              New_act_logon_page {
                  priority 2
              }
              New_act_radius {
                  priority 3
              }
              New_act_resource_assign {
                  priority 4
              }
              New_end_allow {
                  priority 6
              }
              New_end_deny {
                  priority 5
              }
              New_ent_in { }
          }
          start-item New_ent_in
      }
      [admin@localhost:Active:Standalone] ~ tmsh list ltm virtual New_vs
      ltm virtual New_vs {
          destination 193.193.193.197:https
          fallback-persistence source_addr
          ip-protocol tcp
          mask 255.255.255.255
          persist {
              cookie {
                  default yes
              }
          }
          pool pool1
          profiles {
              New { }
              New_cp {
                  context clientside
              }
              clientssl {
                  context clientside
              }
              http { }
              ppp { }
              rba { }
              tcp { }
              websso { }
          }
          source 0.0.0.0/0
          translate-address enabled
          translate-port enabled
          vs-index 52
      }
      [admin@localhost:Active:Standalone] ~ tmsh list apm resource network-access New_na_res
      apm resource network-access New_na_res {
          customization-group New_na_res_resource_network_access_customization
          dns-primary 10.10.10.1
          dns-suffix localhost
          leasepool-name New_lp
      }
      [admin@localhost:Active:Standalone] ~ tmsh list apm resource leasepool New_lp
      apm resource leasepool New_lp {
          members {
              172.16.1.1-172.16.1.2 { }
          }
      }

       

    • AMiles_377865

      I've been going through tmsh commands, and it looks like you can't see a direct correlation between where the network access resource is assigned to the profile. We can prove that the lease pool is assigned to the network access resource, we can prove that the access policy is assigned to the access profile, and we can prove the access profile is assigned to the virtual server.

      The missing link is proving that the network access resource is assigned to the access policy. It seems the closest we can get from the command line is seeing that the Access Policy is assigning resources; but we can't tell what resources it is assigning.

      New_act_resource_assign {
          priority 4
      }
      
    • F5_guy_380365

      Thank you Austin. I was thinking the same and really appreciate your inputs.
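
The chain discussed in this thread can be checked mechanically when auditing which VPN address pool sits behind which virtual server. The following is an added example, not code from any poster or from F5: it parses brace-delimited `tmsh list` output, reports the links the output proves, and flags access policies whose assigned resources the output does not show. The object and attribute names come from the output posted above; the sample is trimmed from it with shell prompts removed, and matching `resource_assign` in an item name is a heuristic assumption based on that output.

```python
import re
# Constructed input: the thread's tmsh output, trimmed, shell prompts removed.
SAMPLE = """
ltm virtual New_vs { pool pool1 profiles { New { } clientssl { context clientside } http { } } }
apm profile access New { access-policy New type all }
apm policy access-policy New { items { New_act_resource_assign { priority 4 } New_ent_in { } } }
apm resource network-access New_na_res { dns-primary 10.10.10.1 leasepool-name New_lp }
apm resource leasepool New_lp { members { 172.16.1.1-172.16.1.2 { } } }
"""

def parse(tok, i=0, top=True):
    """Parse tmsh tokens into nested dicts; top-level keys are 'type ... name'."""
    node, key = {}, []
    while i < len(tok):
        t, i = tok[i], i + 1
        if t == "{":
            node[" ".join(key)], i = parse(tok, i, False)
            key = []
        elif t == "}":
            break
        elif top:
            key.append(t)               # header words, e.g. "ltm virtual New_vs"
        elif key:
            node[key.pop()] = t         # "key value" pair
        else:
            key.append(t)               # bare key until a value or block follows
            node[t] = None
    return node, i

def trace(text):
    """Return (links the output proves, policies whose assigned resources it hides)."""
    objs = parse(re.findall(r"[{}]|[^\s{}]+", text))[0]
    links, gaps = [], []
    for head, body in objs.items():
        kind, _, name = head.rpartition(" ")
        if kind == "ltm virtual":
            for prof in body.get("profiles") or {}:
                access = objs.get("apm profile access " + prof)
                if access:              # skips clientssl, http, ...
                    pol = access.get("access-policy") or "none"
                    links += [("virtual " + name, "profile " + prof),
                              ("profile " + prof, "policy " + pol)]
                    items = objs.get("apm policy access-policy " + pol, {}).get("items") or {}
                    # Heuristic (assumption): item name as it appears in the thread's policy.
                    gaps += [pol for it in items if "resource_assign" in it]
        elif kind == "apm resource network-access" and body.get("leasepool-name"):
            links.append(("network-access " + name, "leasepool " + body["leasepool-name"]))
    return links, gaps
```

On the sample, `trace(SAMPLE)` proves virtual server to profile, profile to policy, and network-access to lease pool, and lists policy `New` as the place where the assignment to a network access resource is not visible in these five outputs.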