Snapshot capability of VE Guests on VCMP
Hi all, I wish to investigate the backup/restore capacity beyond UCS backup. With VEs running on VMWare we can take advantage of VMWare's snapshot capability to have images of the VE before we operate on it. Are there similar capabilities available on my 5250V/VCMP? Cheers, Gabe

451 Views, 0 likes, 3 Comments

URL rewrite through iRule
Hi Guys, I have one "Performance (HTTP)" virtual server on an F5-1600 series, and I want to change the URL "http://www.abc.com" to "http://partner.abc.com/xyz". I have tried all of the scripts below:

1-
    when HTTP_REQUEST {
        if {([string tolower [HTTP::host]] equals "http://www.abc.com")}{
            HTTP::header replace Host "http://partner.abc.com/xyz"
        }
    }

2-
    when HTTP_REQUEST {
        if { not ([HTTP::uri] starts_with "/xyz") } {
            HTTP::uri /xyz[HTTP::uri]
        }
    }

3-
    when HTTP_REQUEST {
        if {[HTTP::uri] equals {http://www.abc.com}} {HTTP::uri {http://partner.abc.com/xyz} }
    }

but I wasn't successful! Can anyone help me with how I can do this through an iRule?

Solved. 8.3K Views, 0 likes, 27 Comments

LDAPS Monitor with Certificate Expiration
Hi Team, I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate and it expires, and AD LDAPS queries fail since they don't bind to expired certificates. They have asked whether we can drop a member out of the pool if the certificate is expired (i.e., not a valid SSL cert). I have been messing with the LDAP health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool. Any ideas?

640 Views, 0 likes, 4 Comments

Sharepoint 2010 Health Monitor
I have an HTTP GET health monitor set up for our Sharepoint 2010 servers. The health monitor seems to work, as I am seeing 200s come back from the server after authentication. However, what I'm also seeing is the health monitor sending along several GETs without the NTLM credentials, and those come back with 401 authentication errors.

Logs from the Sharepoint server. The top two are not successful, as the LTM did not send along the credentials of PPL\spsearchqa. The bottom two are successful with the creds:

    2015-04-24 13:48:04 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 401 2 5 5
    2015-04-24 13:48:04 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 401 1 2148074254 5
    2015-04-24 13:48:08 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 PPL\spsearchqa xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 200 0 64 12045
    2015-04-24 13:48:14 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 PPL\spsearchqa xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 200 0 64 10075

Here is how my health monitor is set up:

Any help would be very much appreciated. Thank you!

248 Views, 0 likes, 3 Comments

GTM Internal and External View configuration
Hi Team, One of our customer's requirements is to configure GTM as the DNS server for both external users and internal users. A few of the records are common to both internal and external users, but the IP addresses are different, e.g. for the FQDN abc.test2.com, 1.1.1.1 is the IP address for external users and 2.2.2.2 is the IP address for internal users.

This is the first time we are doing such an internal and external view configuration on GTM, so we tested this first in a lab environment. On our lab setup we created an external view for test2.com with 172.16.1.1 as SOA and a resource record for abc.test2.com (1.1.1.1), and created an internal view for test2.com with 192.192.1.1 as SOA and a resource record for abc.test2.com (2.2.2.2). We were able to create the internal and external zones and resource records. But both views have both the abc.test2.com (1.1.1.1) and abc.test2.com (2.2.2.2) records, and the internal view SOA is overwritten with 172.16.1.1 (the external view IP).

Please help me configure the internal and external views. Below are screenshots taken from the view and zone.

External view Internal view View list Zone list

Thanks, Sachin

655 Views, 0 likes, 6 Comments

Maxed out CPU utilization - cbrd process
As I wait for a response from F5 support, thought I'd ask the question here. We just noticed that our BIG-IP (VE) is running at max CPU with the cbrd process taking up 160% of the CPU (tmm takes up almost all the rest, and the total being 200% due to the 2 cores, from what I gather). I know the cbrd process is a core process, and according to SOL8035 it's for XML content based routing. However, we don't have anything set up to use XML content based routing, so I'm not sure why the process would be using so much CPU.

So my question is twofold:

- Is it safe to restart the cbrd process on a production box (i.e. will it cause any negative impact on existing connections) if we're not using XML content based routing?
- Has anyone seen something like this before, or know why it might be happening (or how to troubleshoot why it's happening)?

Thanks! -Michael

164 Views, 0 likes, 0 Comments

Help with configuring F5 load-balancing in between two ASA pairs (full routing)
Hello, I'm fairly new to F5s, and from what I've been seeing in my searches it appears as though I've really dived into the deep end for complex F5 setups. I've been spending time researching my issues but so far haven't been able to find the specific answers I need.

Topology Details:

Route Path: Internet <--> External ASA <--> F5 <--> Nexus 5k <--> Internal ASA <--> Server DMZs

External ASA:
- inside IP is 172.16.0.1/24
- Performs Static NAT from public IPs to VS IPs

F5:
- external VLAN (172.16.0.0/24) attached to external LACP trunk, tagged
- internal VLAN (10.99.0.0/24) attached to internal LACP trunk, tagged
- default gateway points to 172.16.0.1/24
- internal gateway (10.0.0.0/8) points to 10.99.0.10/24
- self-ip (float) 10.99.0.1/24
- All VS on 172.16.0.0/24
- nodes on multiple 10.x.x.x/24 subnets

Nexus5k:
- 'outside' IP is 10.99.0.10/24
- default gateway points to 10.99.0.1/24

Internal ASA:
- default gateway points to Nexus5k
- All load-balanced servers behind ASA on different security zones/interfaces
- No NAT

Notes:
- Active/Standby HA using an HA VLAN on Internal trunk.
- The gateway of the servers must be the internal ASA.
- The topology cannot be changed.

Questions:
- Will I need any SNATs in this setup? The routing should technically take care of everything so I'm not seeing much purpose in SNATs based on my understanding of how it works.
- I already set up an IP forwarding server (source/destination of 0.0.0.0/0) to allow OUTBOUND (server initiated) routing to pass through the F5; I have enabled loose initiation/close and disabled 'reset on timeout' using an attached custom FastL4 profile. Will I need any special forwarding servers or other virtual servers outside of Standard to make this work for INBOUND connections?
- Are there any other details I need to consider that I haven't mentioned here?

394 Views, 0 likes, 5 Comments

Sync problem with Sync-Failover ConfigSync
Hello, I'm running two BigIp LTM (version 11.3 HF3) with Sync-Failover ConfigSync. I'm experiencing issues with the synchronisation on both devices. All the configuration is well replicated except for the Virtual Server List in a particular Partition. On the other partition, the configuration is synchronised.

After digging on F5 support and devcentral, I've tried many workarounds:

- Reboot both nodes
- Create "dummy" elements to force the configuration to be considered as "new"
- http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html
- http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13887.html

None of them worked; the devices always consider themselves as "In Sync", but they still keep a different configuration on their side even when forcing the sync-leader. This only happens with the Virtual Server configuration on this particular partition. The configuration is well synced on the other partitions.

If anyone could have a clue or a way to debug this problem, that would be greatly appreciated 🙂 Thanks in advance.

221 Views, 0 likes, 2 Comments

"bad IP address format" errors when using geolocation iRule
Hey guys, I am currently working on an iRule that shall append a URL parameter called "isCountryEMD=yes" whenever US or CA users try to access my website. I am using multiple domains, where some of them are using a CDN and some of them don't. To cover both scenarios I am checking the geolocation with either IP::client_addr or the HTTP header "True-Client-IP", which is being set by my CDN and contains the origin IP address of my visitors:

    when HTTP_REQUEST {
        set True_Client_IP "[HTTP::header "True-Client-IP"]%1"
        if { (([whereis [IP::client_addr] country] equals "US") or ([whereis [IP::client_addr] country] equals "CA") or ([whereis $True_Client_IP country] equals "US") or ([whereis $True_Client_IP country] equals "CA")) } {
            if { [HTTP::uri] contains "?"}{
                HTTP::uri "[HTTP::uri]&isCountryEMD=yes"
                log local0. "GEOREDIRECT - URL: [HTTP::host][HTTP::uri] - IP Remote: [IP::client_addr] - True-IP: $True_Client_IP"
                pool pool_ebiz_prod_80
            } else {
                HTTP::uri "[HTTP::uri]?isCountryEMD=yes"
                pool pool_ebiz_prod_80
            }
        }
    }

I am using set to append a %1 to the True-Client-IP variable due to route-domain requirements.

The iRule seems to work fine, but I can see a lot of error messages in /var/log/ltm:

    May 26 17:58:26 err tmm2[10930]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:28 err tmm3[10930]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:32 err tmm1[10929]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:43 err tmm3[10930]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:46 err tmm[10929]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:48 err tmm1[10929]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"
    May 26 17:58:52 err tmm3[10930]: 01220001:3: TCL error: /DMZ_700/irule_-prod-80-EMD - bad IP address format (line 3) invoked from within "whereis $True_Client_IP country"

372 Views, 0 likes, 3 Comments