201 TMOS ADMINISTRATION Packet-based vs. Proxy-based F5 initially took the packet-based path, but simultaneously started addressing the root problem—making an intelligent solution that also delivers high performance. The result is the F5 TMOS architecture, a collection of real-time features and functions, purpose-built and designed as a full-proxy solution with the power and performance required in today’s network infrastructure. What is a packet-based design? A network device with a packet-based (or packet-by-packet) design is located in the middle of a stream of communications, but is not an endpoint for those communications; it just passes the packets through. Often a device that operates on a packet-by-packet basis does have some knowledge of the protocols flowing through it, but is far from being a real protocol endpoint. The speed of these devices is primarily based on not having to understand the entire protocol stack, short-cutting the amount of work needed to handle traffic. For example, with TCP/IP, this type of device might only understand the protocols well enough to rewrite the IP addresses and TCP ports; only about half of the entire stack. What is a proxy-based design (full proxy)? A full-proxy design is the opposite of a packet-by-packet design. Instead of having a minimal understanding of the communications streaming through the device, a full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. The connection between a client and the full proxy is fully independent of the connection between the full proxy and the server; whereas in a packet-by-packet design, there is essentially a direct communication channel between the client and the server (although the device in the middle may manipulate the packets going back and forth). This also means the full proxy can have its own TCP connection behavior, such as buffering, retransmits, and TCP options. With a full proxy, each connection is unique; each can have its own TCP connection behavior. This means that a client connecting to the full-proxy device would likely have different connection behavior than the full proxy might use for communicating with the backend servers. The real solution is to build a proxy-based solution with the performance of the packet-based solution. TMOS is a collective term used to describe the completely purpose-built, custom architecture which F5 spent years and significant investment developing as the foundation for F5 products going forward. From a high-level, TMOS is: A Collection of Modules, Each module performs a particular function. Every component of the system is selfcontained, which helps reduce the complexity of the system and eases future development. Adding support for new protocols is simply a matter of adding a new module. Self-Contained and Autonomous, Many people have observed that a TMOS-based device has a form of Linux running on it, which can be seen when administering the device using the command line. TMOS has its own dedicated CPU, memory, and system bus for access to peripheral devices. The Linux system is used for management tasks, such as the command line or the web GUI only. The reason for this is simple: an operating system which is ideal for high speed traffic management operations is not ideal as a general purpose operating system. A Real-Time Operating System, A real-time operating system means TMOS does not have a preemptive CPU scheduler. This significantly reduces the overhead of CPU scheduling by eliminating interrupts, context switches, and most of the work a scheduler would typically do. This also allows full control over when, and in what order, processing occurs. Both Hardware and Software, Because TMOS is inherently modular in design, it doesn’t matter whether individual functions are handled by software or by hardware. Stateful inspection, The core architecture of TMOS is based on a high speed full proxy which performs stateful inspection to traffic flows as does a stateful firewall. While connection traffic is proxied through TMOS, the F5 iRules engine has full access (layer 2-7) to that traffic and can set various rules (based on traffic characteristics, ACLs, or business logic). As an example, rule actions can be Drop, Block, Redirect, Log, or Transform. Page 1 of 91 Dynamic Packet Filtering, By default, just like a firewall, TMOS has a “deny all” policy. Traffic flow can also be filtered, redirected, or blocked dynamically at the same application layer such as HTTP, or packet by packet, such as via UDP, SCP, or TCP. First, there is the FastL4 stack; a limited-state TCP/UDP or traditional packet-by-packet design to handle any high-connection rate, but limited functionality (layer 4 and below) requirements. Then, there is the FastHTTP stack; a limited-state TCP/HTTP stack representing an extremely advanced packet-by-packet design to handle high-connection rates with increased HTTP (layer 7) intelligence requirements. Finally, there is the Fast Application Proxy; the default full-proxy based stack representing the pinnacle of proxy-based design. TCP Express is a collection of TCP efficiency improvements, in the form of internet standards (RFCs), and hundreds of custom F5 features and tuning based on our extensive real-world experience. TMOS supports every modern TCP efficiency improvement, including: delayed and Selective Acknowledgements, Explicit Congestion Notification (ECN), limited and Fast Retransmits, Slow Start with Congestion Avoidance, Adaptative Initial Congestion Windows, TimeStamps and Windows Scaling, TCP Slow Start, Bandwidth Delay Control, etc. The Fast Application Proxy component of TMOS, the full-proxy stack, is another key differentiator. The Fast Application Proxy provides for the application fluency necessary to implement a host of other TMOS modules, including: HTTP Compression, Multi-Store Caching, SSL Acceleration, Fast Cache, Content Spooling, Intelligent Compression, QoS/ToS, and L7 Rate Shaping. iRules are one of the most unique capabilities of TMOS. iRules are scripts created using the standard Tool Command Language (TCL) with custom F5 extensions that enable users to create unique functions triggered from TMOS events. Since the initial launch of TMOS, F5 customers have found hundreds of ways of taking advantage of the power of the iRules engine in TMOS. For example: • DNS rate limiting. • Implementing an SMTP proxy to inspect and direct individual messages. • Re-ordering HTTP cookies for easier parsing on the back-end systems. • Authenticating user connections with a back-end RADIUS server using credentials stored in a HTTP cookie. • Implementing a simple LDAP parser to inspect parameters of LDAP bind() requests. • Selectively using SSL re-encryption to the back-end servers only for certain HTTP URLs. And selectively requiring SSL client certificates based on HTTP URLs. • Creating and inserting a custom session ID value into an HTTP request, which the server will echo back in the response, then inspect the response and verify it matches the request. If not, logging the full session information, and the last 100 requests. • CORBA/IIOP request multiplexing. There is no other device in the world that can implement this type of highly sophisticated logic via their inspection feature-set. TMOS is the first, completely purpose-built, modular, self-contained, real-time, event-driven proxy architecture with the ability to transparently utilize hardware and software unilaterally to achieve the best performance and intelligence. Page 2 of 91 1.1 Connectivity, packet, and virtual server processing orders SOL6459: Order of precedence for virtual server matching (9.x - 11.2.1) When determining the order of precedence applied to new inbound connections, the BIG-IP system uses an algorithm that places a higher precedence on the address netmask and a lesser emphasis on the port. BIG-IP LTM sets virtual server precedence according to the following criteria: The first precedent of the algorithm chooses the virtual server that has the longest subnet match for the incoming connection. If the number of bits in the subnet mask match, the algorithm chooses the virtual server that has a port match. If no port match is found, the algorithm uses the wildcard server (if a wildcard virtual server is defined). A wildcard address has a netmask length of zero; thus, it has a lower precedence than any matching virtual server with a defined address. This algorithm results in the following order of precedence: <address>:<port> <address>:* <network>:<port> <network>:* *:<port> *:* For example, for a BIG-IP system with the following VIPs configured on the inbound VLAN: 10.0.0.0/8:80 10.10.0.0/16:80 10.10.10.10/32:80 20.0.0.0/8:* 20.0.0.0/8:80 *:80 (alternatively noted as 0.0.0.0/0:80) *:* (alternatively noted as any:any, 0.0.0.0/0:any) The following table illustrates how inbound destination addresses map to the configured VIPs: Inbound destination address VIP 10.10.10.10:80 10.10.10.10/32:80 - address match and port match 10.10.10.11:80 10.10.0.0/16:80 - most specific address match and port match 10.1.10.10:80 10.0.0.0/8:80 - most specific address match and port match 20.0.0.0:80 20.0.0.0/8:80 - most specific address match and port match 20.0.0.0:443 20.0.0.0/8:* - most specific address match with wildcard port 1.1.1.1:443 *:* - wildcard address and wildcard port Beginning with BIG-IP LTM 9.4.0, the bigpipe db TM.ContinueMatching variable is set to false, which negates the precedence order and causes BIG-IP LTM to reject the packet if the requested virtual server is unavailable. When the TM.ContinueMatching db variable is set to true, the BIG-IP system checks if another virtual server is available to handle a request if the higher precedence virtual server is disabled. In the following example, the port-specific virtual server is disabled, which allows the system to use the wildcard virtual server 10.10.1.10:* to handle a client request to 10.10.1.10:80: TM.ContinueMatching = true Virtual Server: 10.10.1.10:80 Status: Disabled Virtual Server: 10.10.1.10:* Status: Up and Available Page 3 of 91 When the TM.ContinueMatching db variable is set to false, the BIG-IP system does not allow a lower precedence virtual server to handle a request when a higher precedence virtual server is disabled. SOL411: Overview of packet tracing with the tcpdump utility The tcpdump utility is able to sniff for packets on only one interface or VLAN. By default, it selects the lowest numbered interface. Selecting an Interface or VLAN #tcpdump -i 1.10 #tcpdump -i internal #tcpdump -i eth0 #tcpdump -i eth0:mgmt Disabling name resolution By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output. The BIG-IP system must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing. # tcpdump -ni internal Saving tcpdump output to a file You can save the tcpdump data to one of the following file formats: A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump utility as well as many other traffic analysis packages. A text file that contains a subset of the full tcpdump data, but is readable only as plain text. When working with F5 Technical Support, you must provide the tcpdump output in the binary file format. Binary file Text file # tcpdump -w dump1.bin # tcpdump > dump1.txt Reading tcpdump binary file output # tcpdump -r dump1.bin Filters Filtering on a host address # tcpdump host 10.90.100.1 # tcpdump src host 10.90.100.1 # tcpdump dst host 10.90.100.1 To view all packets that are traveling to or from a specific IP address To view all packets that are traveling from a specific IP address To view all packets that are traveling to a particular IP address Filtering on a port # tcpdump port 80 destined to # tcpdump src port 80 # tcpdump dst port 80 To view all packets that are traveling through the BIG-IP, sourced from or To view all packets that are traveling through the BIG-IP and sourced from a specific port To view all packets that are traveling through the BIG-IP and destined to a specific port Filtering on a tcp flag # tcpdump 'tcp[tcpflags] & (tcp-syn) != 0' To view all packets that are traveling through the BIG-IP system that contain the SYN flag. # tcpdump 'tcp[tcpflags] & (tcp-rst) != 0' To view all packets that are traveling through the BIG-IP system that contain the RST flag. Combining filters with the 'and' operator # tcpdump host 10.90.100.1 and port 80 # tcpdump src host 172.16.101.20 and dst port 80 # tcpdump src host 172.16.101.20 and dst host 10.90.100.1 Page 4 of 91 Capturing packet data You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero). # tcpdump -s0 src host 172.16.101.20 and dst port 80 Alternatively, you can specify a length large enough to capture the packet data you need to examine. # tcpdump -s200 src host 172.16.101.20 and dst port 80 You can also use the -X flag to display ASCII encoded output along with the default HEX encoded output. # tcpdump -r dump1.bin -X -s200 src host 172.16.101.20 and dst port 80 Suppressing hostname and port resolution The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names. Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while performing a capture. You can disable both name and service port resolution while performing a capture, by using the -nn option. # tcpdump -nn src host 172.16.101.20 and dst port 80 Combining tcpdump options Following are examples of how to combine the tcpdump options to provide the most meaningful output: #tcpdump #tcpdump #tcpdump #tcpdump #tcpdump -ni internal -w dump1.bin -ni internal -r dump1.bin host 10.90.100.1 -ni 2.1 host 10.90.100.1 and port 80 -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162 Using tcpdump to view traffic on a tagged VLAN To view VLAN tagged traffic on the BIG-IP system, you can specify the interface number. When you specify the interface number in the tcpdump syntax, the VLAN header is present because tcpdump reads the packet when it is copied on switch ingress from the switch fabric to the Host. The following syntax displays all traffic for the interface, including the VLAN tag ID: # tcpdump -ni 1.1 To filter the traffic for a specific VLAN tag ID, use the following syntax: # tcpdump -ni 1.1 vlan 2907 # tcpdump -ni 1.1 vlan 2907 tcpdump: listening on 1.1 09:39:11.800739 802.1Q vlan#2907 P0 10.24.2.254 > 10.24.2.34: icmp: echo request 09:39:11.800739 802.1Q vlan#2907 P0 10.24.2.34 > 10.24.2.254: icmp: echo reply (DF) When you specify the VLAN name in the tcpdump syntax, the VLAN header is not present because tcpdump reads the packet after it is copied on switch ingress. #tcpdump -ni internal o o o o o If you run tcpdump on a heavily loaded BIG-IP system, the packet capture process may not capture all matching traffic, and the statistical values reported by tcpdump may be inaccurate. For systems containing a PVA ASIC, the tcpdump utility does not capture virtual server traffic that is fully accelerated by the PVA chip. Running tcpdump on a switch interface is rate-limited to 200 packets per second. If the specified interface is a member of a trunk, tcpdump captures all traffic flowing through the trunk, not just the traffic traversing the specified interface. When using tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the tcpdump command from the default route domain (route domain 0), and specify interface 0.0. For example, the following command captures traffic from all VLANs in all route domains when invoked from the default route domain: # tcpdump -ni 0.0 Page 5 of 91 SOL8082: Overview of TCP connection setup for BIG-IP LTM virtual server types The BIG-IP virtual server type specifies the attributes for a virtual server. Standard virtual server In a full proxy architecture, the BIG-IP LTM system appears as a TCP peer to both the client and the server by associating two independent TCP connections with the end-to-end session. Although certain client information, such as the source IP address or source TCP port, may be re-used on the server side of the connection, the BIG-IP LTM system manages the two sessions independently, making itself transparent to the client and server. The Standard virtual server requires a TCP or UDP profile, and may optionally be configured with HTTP, FTP, or SSL profiles if Layer 7 or SSL processing is required. Standard virtual server with a TCP profile A Standard virtual server processes connections using the full proxy architecture. The following TCP flow diagram illustrates the TCP handshake for a Standard virtual server with a TCP profile: Page 6 of 91 Standard virtual server with Layer 7 functionality If a Standard virtual server is configured with Layer 7 functionality, such as an HTTP profile, the client must send at least one data packet before the server-side connection can be initiated by the BIG-IP LTM system. A Standard virtual server with Layer 7 functionality processes connections using the full proxy architecture. The following TCP flow diagram illustrates the TCP handshake for a Standard virtual server with Layer 7 functionality: Performance Layer4 virtual server The Performance Layer4 virtual server type uses the Fast L4 profile. Depending on the configuration, the virtual server uses the PVA ASIC chip with the PVA Acceleration mode defined as one of the following: full, assisted, or none. The Performance Layer4 virtual server packet-by-packet TCP behavior operates as follows: The initial SYN request is sent from the client to the BIG-IP LTM virtual server. The BIG-IP LTM system makes the load balancing decision and passes the SYN request to the pool member. Page 7 of 91 Performance HTTP virtual server The Performance HTTP virtual server type uses the Fast HTTP profile. The Performance HTTP virtual server with the Fast HTTP profile is designed to speed up certain types of HTTP connections and reduce the number of connections opened to the back-end HTTP servers. This is accomplished by combining features from the TCP, HTTP, and OneConnect profiles into a single profile that is optimized for network performance. The Performance HTTP virtual server processes connections on a packet-by-packet basis and buffers only enough data to parse packet headers. The Performance HTTP virtual server TCP behavior operates as follows: The BIG-IP system establishes server-side flows by opening TCP connections to the pool members. When a client makes a connection to the Performance HTTP virtual server, if an existing server-side flow to the pool member is idle, the BIG-IP LTM system marks the connection as non-idle and sends a client request over the connection. Performance HTTP virtual server with idle server-side flow Performance HTTP virtual server with no idle server-side flow Page 8 of 91 Forwarding Layer 2 virtual server The Forwarding Layer 2 virtual server type uses the Fast L4 profile. The Forwarding Layer 2 virtual server forwards packets based on the destination Layer 2 Media Access Control (MAC) address, and therefore does not have pool members to load balance. The virtual server shares the same IP address as a node in an associated VLAN. Before creating a Forwarding Layer 2 virtual server, you must define a VLAN group that includes the VLAN in which the node resides. The Forwarding Layer 2 virtual server processes connections on a packet-by-packet basis. The Forwarding Layer 2 virtual server operates on a packet-by-packet basis with the following TCP behavior: the initial SYN request is sent from the client to the BIG-IP LTM virtual server. The BIG-IP LTM passes the SYN request to the node in the associated VLAN based on the destination MAC address. Forwarding IP virtual server The Forwarding IP virtual server type uses the Fast L4 profile. An IP forwarding virtual server forwards the packet directly to the next hop IP address specified in the client request. Therefore, when the BIG-IP LTM system evaluates the packet for processing, the system looks only at the destination IP address. The Forwarding IP virtual server processes connections on a packet-by-packet basis. The Forwarding IP virtual server operates on a packet-by-packet basis with the following TCP behavior: the initial SYN request is sent from the client to the BIG-IP LTM virtual server. The BIG-IP LTM virtual server passes the SYN request to the next IP address in the associated VLAN, based on the destination IP address. The following TCP flow diagram illustrates the TCP handshake for a Forwarding IP virtual server: Page 9 of 91 Reject virtual server The Reject virtual server type causes the BIG-IP system to immediately reject any traffic destined for the virtual server IP address. The Reject virtual server operates using the following TCP behavior: the initial SYN request is sent from the client to the BIG-IP LTM virtual server. The BIG-IP LTM virtual server immediately closes the connection by sending a TCP reset to the client. The following TCP flow diagram illustrates the TCP behavior for a Reject virtual server: Manual Chapter: Introducing BIG-IP Local Traffic Manager The three most basic objects in Local Traffic Manager that you must configure for local traffic management are: a) Virtual Servers b) Load balancing Pools c) Profiles Timeout settings for connections and sessions Local Traffic Manager has a number of time-outs that can be set to promote active connection management. The system manages each load-balanced connection explicitly by keeping track of the connection in the connection table while the connection is still active. Connection reaping Connections that close or reset in a normal way are retired from the connection table automatically. A significant number of connections, however, often remain idle without closing normally, for any number of reasons. Consequently, Local Traffic Manager must reap these connections once they have been determined to be inactive. Reaping is the process of retiring or recycling connections that would otherwise remain idle. Page 10 of 91 Idle timeout Table, Idle timeout settings that affect connection reaping Default in Seconds Userconfigured? Fast L4, Fast HTTP, TCP, and SCTP profiles 300 Yes UDP profiles 60 Yes SNAT automap 300 No VLAN group 300 No Configuration Object Type Table, Idle timeout settings that do not affect connection reaping Configuration Object Type Default in Seconds Userconfigured? OneConnect profiles Disabled Yes Cookie Hash, Destination Address Affinity, Hash, SIP, Source Address Affinity, and Universal persistence profiles 180 Yes MSRDP and SSL persistence profiles 300 Yes The network map Object summary When you first open the Network Map screen, the screen displays a summary of local traffic objects. This summary includes the type of objects specified with the search mechanism, the number of each type of object, and, for each object type, the number of objects with a given status. The summary displays data for these object types: Virtual Servers Pools Pool Members Nodes iRules Note: A local traffic summary includes only those objects that are referenced by a virtual server. For example, if you have configured a pool on the system but there is no virtual server that references that pool, the local traffic summary does not include that pool, its members, or the associated nodes in the summary. 1.2 Troubleshooting virtual servers DevCentral: Pool Member won’t work through BIG-IP LTM tcpdump -ni 0.0 -s0 host 1.1.1.1 or host 2.2.2.2 (where 1.1.1.1 and 2.2.2.2 are the client and server addresses) Page 11 of 91 You can use curl to generate a valid HTTP request from the LTM command line. You can test direct to the pool members as well as to the virtual server. # curl -v 'http://1.1.1.1/path/to/file.ext?param1=value1' If you want to make a request for the root object on the web app, you can just use: # curl -v 'http://1.1.1.1/' It would be simpler to troubleshoot if you create a test virtual server and then tcpdump on the client and server IPs. You can create a test pool as well and only enable one server at a time to help isolate the issue. DevCentral: Troubleshooting LTM Monitors a) Enabling / Disabling debug on the monitoring daemon, bigd tmsh: modify sys db bigd.debug value [enable | disable] bigpipe: db bigd.debug [enable | disable] Enables or disables debug on bigd. Output is written to /var/log/bigdlog Note: The logging is very verbose and increases resource usage. So debug should be enabled sparingly and disabled when troubleshooting is complete. b) Command line tools i. tcpdump ii. netcat (nc) iii. curl [curl is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). The command is designed to work without user interaction] Example troubleshooting steps for a pool member unexpectedly being marked down by a monitor Check the ltm log file for monitor log event # tail -f /var/log/ltm Enable debug on the monitoring daemon, bigd Use tcpdump to check the communication to/from the pool member # tcpdump -nni 0.0 -X -s0 host 10.41.0.21 and port 80 and host 10.41.1.3 (-X - print hex and ascii output) Use curl, netcat or another tool #curl -v http://10.41.0.21:80/monitor_page.html Using netcat (nc) and echo to send a request # echo -ne "GET /monitor_page.html HTTP/1.1\r\nConnection: Close\r\nHost: \r\n\r\n" | nc 10.41.0.21 80 Flags: -n - do not output the trailing newline -e - enable interpretation of backslash-escaped characters (specifically the \r - carriage return and \n - new line characters) My Example: Monitor HTTP 1.1 GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: Close\r\n\r\n [root@asm:Active:Standalone] config # curl -v 'http://208.85.209.20/' * About to connect() to 208.85.209.20 port 80 (#0) * Trying 208.85.209.20... connected * Connected to 208.85.209.20 (208.85.209.20) port 80 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 > Host: 208.85.209.20 > Accept: */* > * HTTP 1.0, assume close after body < HTTP/1.0 302 Found < Location: https://www.f5.com Page 12 of 91 * HTTP/1.0 connection set to keep alive! < Connection: Keep-Alive < Content-Length: 0 < Server: F5 < * Connection #0 to host 208.85.209.20 left intact * Closing connection #0 [root@asm:Active:Standalone] config # echo -ne "GET / HTTP/1.1\r\nConnection: Close\r\nHost: 208.85.209.20\r\n\r\n" | nc 208.85.209.20 80 HTTP/1.0 302 Found Location: https://www.f5.com Connection: close Content-Length: 0 Server: F5 [root@asm:Active:Standalone] config # 1.3 Troubleshooting pool members SOL12531: Troubleshooting health monitors When experiencing health monitor issues, you can use the following troubleshooting steps: Identifying a failing health monitor Verifying monitor settings Troubleshooting monitor types Troubleshooting daemons related to health monitoring Related solutions Identifying a failing health monitor The BIG-IP system logs messages related to the health monitor to the /var/log/ltm file. SNMP When the BIG-IP system is configured to send SNMP traps and a health monitor marks a pool member or node down or up, the system sends the following traps: Pool members alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10" } alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11" } Nodes alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12" } alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13" } Verifying monitor settings It is important to verify that monitor settings are properly defined for your environment. For example, F5 recommends that you configure most monitors with a timeout value of three times the interval value, plus one. This is to prevent the monitor from marking the node down before the last check is sent. A simple monitor is used to verify the status of the destination node: gateway_icmp, icmp, tcp_echo, tcp_half_open ECV monitors use Send and Receive string settings to retrieve content from pool members or nodes: tcp, http, https, and https_443. Troubleshooting monitor types 1. Determine the IP address of the nodes being marked down. Page 13 of 91 a. # cat /var/log/ltm |grep 'Node' |grep 'status' 2. Check connectivity to the node. (ping, or traceroute (10.x, 11.x) or tracepath (9.x)) a. # ping -c 4 10.10.65.1 3. Check the monitor settings. a. # tmsh list /ltm monitor mi_monitor 4. Create a custom monitor (if needed). 5. Test the response from the application. [root@asm:Active:Standalone] config # time curl -v 'http://208.85.209.20/' * Closing connection #0 real 0m0.186s user 0m0.004s sys 0m0.001s [root@asm:Active:Standalone] config # 6. Use the tcpdump command to capture monitor traffic. Note: If you want to test a specific HTTP request, including HTTP headers, you can use the telnet command to connect to the pool member. For example: telnet <serverIP> <serverPort> Next, at the prompt, enter an appropriate HTTP request line and HTTP headers, pressing Enter once after each line. For example: GET / HTTP/1.1 <enter> Host: www.yoursite.com <enter> Connection: close <enter> <enter> An HTTP health monitor reads up to 5,120 bytes into HTTP data. If the monitor cannot find a match to the configured search string within the first 5,120 bytes, the BIG-IP LTM system marks the node as down. Troubleshooting daemons related to health monitoring The bigd process manages health checking for pool members, nodes, and services on the BIG-IP LTM system. The bigd process collects health checking status and communicates the status information to the mcpd process, which stores the data in shared memory so that the TMM can read it. If you are having monitoring issues, you can check the memory utilization of the bigd process. If the %MEM is unusually high, or continually increases, the process may be leaking memory. [root@asm:Active:Standalone] config # ps aux | grep bigd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 5438 0.0 0.4 44808 17320 ? S 11:08 0:00 /usr/bin/bigd SOL10516: Overview of BIG-IP pool status The BIG-IP system determines the status of a pool based on the availability of the members of that pool. The availability of a pool member is determined by its health check results, and by the state to which the pool member is set. A BIG-IP Administrator can assign a pool member one of the following states: Enabled The pool member is eligible to receive all traffic. Disabled The pool member accepts new connections with a persistence record (for example, a new connection arriving to the BIG-IP system that presents a persistence cookie pointing to that pool member), and continues to serve existing connections (for example, an established TCP connection). New connections without a persistence record are not load balanced to this pool member. Forced offline The pool member continues to serve only existing connections. No new connections are allowed. Page 14 of 91 The BIG-IP system marks a pool down only when all of its members are either down, forced offline, or a combination of these two statuses; only then does the Configuration utility use the red diamond icon to represent the pool. PM Disabled PM Forced Offline PM Offline (Down) SOL13898: Determining which monitor triggered a change in the availability of a node or pool member (11.x) When a health monitor is in use, the mcpd process logs a message when a pool, pool member, or node changes state, although the mcpd process does not identify which health monitor caused a change in the availability of an object. Page 15 of 91 You may be able to determine which health monitor has caused a change in the availability of an object by enabling the bigd.lognodestatuschange db key, which triggers the bigd process to log which particular health monitor has caused a change in the availability of an object. To enable the key and review the /var/log/ltm file, perform the following procedure: 1. Log in to the Traffic Management Shell (tmsh). 2. Verify the status of the bigd.lognodestatuschange db key by entering the following command: # list /sys db bigd.lognodestatuschange 3. If the status is disabled, enable the bigd.lognodestatuschange db key by entering the following command: # modify /sys db bigd.lognodestatuschange value enable In the following example, the pool member 10.1.2.9:80 is marked down because it fails to pass the http monitor test. The pool member then passes the http monitor test and is subsequently marked up. In the first example there is no indication of which monitor marks the node down or up. However, after enabling the bigd.lognodestatuschange db key, the bigdprocess logs which monitor marks the node down and subsequently back up again. Example output taken before enabling the db key: local/bigip-1 notice mcpd[3741]: 01070638:5: Pool member 10.1.2.9:80 monitor status down. local/bigip-1 notice mcpd[3741]: 01070727:5: Pool member 10.1.2.9:80 monitor status up. Example output taken after enabling the key: local/bigip-1 notice bigd[3747]: 01060001:5: Service detected DOWN for ::ffff:10.1.2.9:80 monitor http. local/bigip-1 notice mcpd[3741]: 01070638:5: Pool member 10.1.2.9:80 monitor status down. local/bigip-1 notice bigd[3747]: 01060001:5: Service detected UP for ::ffff:10.1.2.9:80 monitor http. local/bigip-1 notice mcpd[3741]: 01070727:5: Pool member 10.1.2.9:80 monitor status up. F5 Product Development tracked RFE ID 227271, for an enhancement to allow the BIG-IP system to log which particular health monitor caused a change in the availability of an object. This functionality has been added in BIG-IP 11.4.0. SOL10966: Determining which monitor triggered a change in the availability of a node or pool member (9.x, 10.x) The mcpd process handles the operation of health monitors; however, the bigd process performs the actual health checks. The mcpd process periodically requests the bigd process to spawn a monitor instance to verify the availability of each object. Depending on the number of health monitors you applied to an object, a monitor instance may carry out multiple health checks. Regardless of the number of health checks required, the bigd process returns only the final result (the availability of the object) to the mcpd process. You may be able to determine which health monitor has caused a change in the availability of an object by executing the bigpipe monitor all instance command from the command line. Enabling the bigd.lognodestatuschange db key enables monitor-status logging globally. # bigpipe db bigd.lognodestatuschange If the status is Disabled, # bigpipe db bigd.lognodestatuschange enable 1.4 Persistence DevCentral: Persistent and Persistence, What's the Difference? Persistent Persistent connections are connections that are kept open and reused. The most commonly implemented form of persistent connections are HTTP, with database connections a close second HTTP 1.1 and the KeepAlive header in HTTP 1.0 were aimed at improving the performance of HTTP by reusing TCP connections to retrieve objects. They made the connections persistent such that they could be reused to send multiple HTTP requests using the same TCP connection. Page 16 of 91 Persistence Persistence, on the other hand, is related to the ability of a load-balancer or other traffic management solution to maintain a virtual connection between a client and a specific server. Persistence is often referred to in the application delivery networking world as "stickiness" while in the web and application server demesne it is called "server affinity". Persistence ensures that once a client has made a connection to a specific server that subsequent requests are sent to the same server. This is very important to maintain state and session-specific information in some application architectures and for handling of SSLenabled applications. So persistent connections are connections that are kept open so they can be reused to send multiple requests, while persistence is the process of ensuring that connections and subsequent requests are sent to the same server through a load-balancer or other proxy device. DevCentral: Single Node Persistence Requirement: Direct traffic to only a single node in a pool at a time. Initially, traffic should always go to node A. If Node A fails, then traffic will go to Node B. When Node A comes back online, traffic should continue to go to Node B. When Node B fails, then the traffic should go to Node A. To send traffic to only 1 pool member at a time, you can use an iRule and Universal Persistence to set a single persistence record that applies to all connections. 1. Create a virtual server. 2. Create a pool with the real servers in it. 3. Create an iRule like this: rule PriorityFailover { when CLIENT_ACCEPTED { persist uie 1 } } 4. Create a Persistence profile of type Universal which uses the iRule you just created. Set the timeout high enough so it will never expire under typical traffic conditions. 5. In the virtual server definition, apply pool as the default pool, and the new persistence profile as the default persistence profile (both on the virtual server "resources" screen). The first connection will create a single universal persistence record with a key of "1". All subsequent connections will look up persistence using "1" as the key, resulting in truly universal persistence for all connections. Page 17 of 91 DevCentral: Sessions and Cookies and Persistence Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session. Even though users could be persisted based on their IP address, this is rarely done due to the sharing of IP addresses. Persistence is most often implemented using a cookie containing the server session id because it is the most accurate method of determining where a user's session is currently stored. If you're a web developer or administrator, you might think "that sounds a lot like server affinity". You'd be right, of course, server affinity and persistence are two different terms that mean the same thing. Sessions are stored on the server, and are not reliant on cookies being enable in the client's browser. Sessions are where web developers store bits of application relevant data that they may wish to use across requests. Shopping carts are the most ubiquitous example of session data, but there are other uses for it, especially in complex web applications like CRM (customer relationship management) or SFA (sales force automation) applications. Cookies store bits of data on the client (the browser) and are passed to the server via the HTTP header Cookie. Persisting Connections The most common data used to persist connections is SSL session id. The second most common data used to persist connections is application or server session id, like JSESSIONID or PHPSESSIONID. These IDs are automatically generated by applications and web servers, and are generally passed to the client as a cookie on the first response, and then used by the load balancer to determine to which server it should direct subsequent requests. An example of HTTP headers storing a JSESSIONID in a cookie: Cookie: JSESSIONID=9597856473431 Cache-Control: no-cache Host: 127.0.0.2:8080 Connection: Keep-Alive DevCentral: Session Management (Wikipedia) A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. An established session is the basic requirement to perform a connection-oriented communication. 2.1 End User Diagnostics and Output Supplemental Document: EUD 11.4.0 Field Testing BIG-IP Hardware The end-user diagnostics (EUD) is a compilation of tests for checking the integrity of F5 Networks hardware. This technical note describes how to use the end-user diagnostics (EUD) to identify possible hardware problems. Warning: Before you run these tests, you should disconnect all network cables from the system. Any cables connected to the system during the tests might cause false positive results. Downloading the EUD from F5 Networks The different downloads are provided for the following uses: a) EUD CDROM ISO image, On supported systems, you can run the EUD from a USB CDROM drive. This method is useful if you cannot access the host. This method requires that you have physical access to the system so you can plug in the USB CDROM drive and reboot the system. Note that you must use a USB CDROM with an external power source. b) IM installation package. On supported systems, you can copy the IM package to the system and update the EUD. Page 18 of 91 Installing the EUD from an IM installation package # im EUD_B-11.4.0.4.0.im Loading the EUD onto a USB Mass storage device You can load a USB mass storage device from a BIG-IP system by mounting the IM file. This section describes how to create a USB mass storage device on a BIG-IP system for booting up the EUD. 1. Download the IM file to the /var directory 2. Loopback mount the IM file using the following command: # mkdir /tmp/eud; mount -o ro,loop /var/EUD_B-11.4.0.4.0.im /tmp/eud 3. Insert a USB mass storage device into the platform on which you mounted the IM file. 4. Use the following command to run the mkdisk utility: # cd /tmp/eud; ./mkdisk Running the EUD You can run the EUD only from a console connected to the BIG-IP system. You can start the EUD using the following methods: Attach a USB CDROM drive containing the bootable system CD. As the system boots up, the EUD starts. Attach a USB mass storage device drive with the EUD boot image loaded. As the system boots up, the EUD starts. While the system is booting, select the End User Diagnostics option from the boot menu. Using the EUD for most F5 Networks systems To use the EUD for the BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 3410 (C100), BIG-IP 4100 (D46), BIGIP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (D84), BIG-IP 8800 (D88), Enterprise Manager 500, and Secure Access Manager 4300, you should understand the EUD menu options. The EUD menu options for most F5 Networks systems When you start the EUD, the following menu displays: 1 2 3 4 5 6 7 8 9 10 11 12 System Report Sensor Report SFP/XFP Report LED Test SCCP I2C Test PCI Test Quick System RAM test System RAM Test LCD Test Internal Packet Path Test Internal Loopback Test PVA Memory Test Page 19 of 91 13 SSL Test 14 FIPS Test 15 Compression Test 13 SMART Test 17 File System Check 18 Run all Tests (Non User Intervention, Uses Normal Ram Test) 19 * Run all Tests (User Intervention Required, Uses Quick Ram Test) 20 * Display Test Report Log 21 * Quit EUD and Reboot the System Select a Menu item # - Detalle 1 System Report 2 Sensor Report motherboard. 3 SFP/XFP Report 4 LED Test 5 SCCP I2C Test 6 PCI Test This option provides a comprehensive test of all system hardware components This test checks the switchboard CMOS Programmable Logic Device (CPLD) on the This test checks the SFPs and XFPs installed on the system. This test sets each of the possible status LED colors one at a time (Interactive) This option verifies any Inter Chip Communication Bus (I2C) devices in the system. This option runs a test that reports on and verifies the PCI devices on the PCI bus. (Peripheral Component Interconnect) 7 Quick System RAM test Use this option to verify the system RAM. The system RAM test performs an SDRAM data bus and address bus test. 8 System RAM Test Use this option to verify the system RAM. The system RAM test performs an SDRAM data bus and address bus test. 9 LCD Test Use this option to test the functionality of the LCD panel. (Interactive) 10 Internal Packet Path Test This option tests the internal packet path. 11 Internal Loopback Test This test sets the front ports into PHY or MAC loopback mode and runs packets through the path from the switch chips. 12 PVA Memory Test Use this test to display the version of the PVA installed in the system. 13 SSL Test Use this option to test the SSL hardware installed in the system. 14 FIPS Test This test runs only if the system has a FIPS module installed. 15 Compression Test This test runs only if the system has additional hardware compression installed. 13 SMART Test The self-monitoring, analysis, and reporting technology test (S.M.A.R.T.) is for testing hard disks. 17 File System Check Use this option to run fsck, the file system consistency check on all drive partitions. 18 Run all Tests (Non User Intervention, Uses Normal Ram Test) 19 * Run all Tests (User Intervention Required, Uses Quick Ram Test) 20 * Display Test Report Log 21 * Quit EUD and Reboot the System A report log is stored as the text file /shared/log/eud.log in the host file system. Determining the EUD version installed on the system [root@asm:Active] config # eud_info 12.10.0.3.0 [root@asm:Active] config # [root@asm:Active] tmp # im EUD_M-12.12.0.4.0.im Logical volume disk management detected. final update info: media has tm_install version 2.8.1, release 39.0 info: system has tm_install version 2.7.4, release 42.0 ............................................................................. 7309 blocks /var/tmp /tmp/rpmdisk.V10810 /var/tmp info: Looking for system diagnostics package. info: Testing integrity of EUD package. info: OK info: Updating system diagnostics. info: Best available EUD release is 12.12.0.4.0 info: System current EUD release is 12.10.0.3.0 Page 20 of 91 info: EUD update is necessary. info: Searching for existing EUD on hda.dat.boot info: Installing EUD release 12.12.0.4.0 info: OK ************************************************************** Update complete. For more information on this version of the EUD, please refer to the release notes available on the support web site (http://tech.f5.com). ************************************************************** [root@asm:Active] tmp # My Example: ================================================== Product: F5 Networks End User Diagnostics Build: EUD_M build 12.12.0.4.0 Platform: BIG-IP 3600 Serial Number: f5-dwwy-hchg ================================================== System Tests: 1 System Report 2 Sensor Report 3 SFP/SFP+ Report 4 I2C Test 5 PCI Test 6 ECC Status Test 7 Internal Packet Path Test 8 Internal Loopback Test 9 SSL Test 10 SMART Test 11 Power System Test 18 System RAM Test Interactive Tests: Requires access to system front panel 20 LED Test 21 LCD Test EUD Commands A Run all System Tests I Run all Interactive Tests D Display Test Report Log S Display Test Summary Q Quit EUD and Reboot the System Select a Menu Item: 2.2 LCD Warning Messages Manual Chapter: Operating the LCD Panel The liquid crystal display, or LCD panel, provides the ability to control the unit without attaching a serial or network cable. The following menus are available on the LCD panel. Information Menu, How to use the LCD, Front Panel LEDs, Port Indicators, Console and Failover serial port info System Menu, Reboot, Halt, Netboot, IP address, Netmask, Default route, Commit, Serial port Screens Menu VersionScreen, InfoScreen, DateScreen, MACscreen, SysinfoScreen, TMMCPUScreen, TMMMemoryScreen, TMMAuthScreen, TMMStatScreen Options Menu (LCD Config Menu) Heartbeat, Contrast, On Brightness, Off Brightness Pausing on a Screen - Push the Check button to toggle the LCD between Hold and Rotate modes. Powering down the unit - Hold the X button for 4 seconds to power down the unit. Rebooting the unit - Hold the Check button for 4 seconds to reboot the unit. Clearing alerts - Press the Check button to clear any alerts on the LCD screen. Page 21 of 91 SOL4263: New front panel LED indicator behavior in BIG-IP version 9.x LED indicators (V9 Platforms: 1500, 3400, 4100, 6400, 6800, 8400, and 8800) There are 4 LED indicators: Power (ON green, OFF none, POWER FAILURE red) Status (ACTIVE green, STANDBY yellow) Activity (Activity on the switch to CPU Ethernet interface – Intermittent yellow) Alarm (0 WARNING yellow, 1 ERROR blink yellow, 2 ALERT red, 3 CRITICAL red, 4 EMERGENCY blink red) LED indicators (M Platforms: 1600, 3600, 3900, 6900, and 8900) There are 4 LED indicators: Status (ACTIVE green, STANDBY yellow, POWER OFF off) Alarm (No ALARM/POWEROFF off, ERROR yellow, EMERGENCY/POWER STANDBY red) Power 1 (PRESENT/NORMAL green, PRESENT/FAILURE yellow, NOT PRESENT off) Power 2 (PRESENT/NORMAL green, PRESENT/FAILURE yellow, NOT PRESENT off) SOL10161: The Activity LED operation on 8400 platforms The Activity LED on 8400 platforms does not illuminate during normal operations. The LED illuminates while the system is power cycling, and turns off after the boot process has completed. This is expected behavior. If the Activity LED light on an 8400 platform is solid green during normal operations, the LED is not operating as expected, and may be considered defective. When this erroneous condition is present, the operation of the unit is not affected, and there is no need to remove any units that are already installed in your network. 2.3 Troubleshooting Hardware with log files Writing to and rotating custom log files Writing to … Sometimes I need to log information from iRules to debug something. So I add a simple log statement, like this: when HTTP_REQUEST { if { [HTTP::uri] equals "/secure" } { log local0. "[IP::remote_addr] attempted to access /secure" } } This is fine, but it clutters up the /var/log/ltm log file. Ideally I want to log this information into a separate log file. To accomplish this, I first change the log statement to incorporate a custom string - I chose the string "##": when HTTP_REQUEST { if { [HTTP::uri] equals "/secure" } { log local0. "##[IP::remote_addr] attempted to access /secure" } } Now I have to customize syslog to catch this string, and send it somewhere other than /var/log/ltm. I do this by customizing syslog with an include statement: tmsh modify sys syslog include '" filter f_local0 { facility(local0) and not match(\": ##\"); }; filter f_local0_customlog { facility(local0) and match(\": ##\"); }; destination d_customlog { file(\"/var/log/customlog\" create_dirs(yes)); }; log { Page 22 of 91 source(local); filter(f_local0_customlog); destination(d_customlog); }; "' save the configuration change: tmsh save / sys config and restarting the syslog-ng service: tmsh restart sys service syslog-ng The included "f_local0" filter overrides the built-in "f_local0" syslog-ng filter, since the include statement will be the last one to load. The "not match" statement is regex which will prevent any statement containing a “##” string from being written to the /var/log/ltm log. The next filter, "f_local0_customlog", catches the "##" log statement and the remaining include statements handle the job of sending them to a new destination which is a file I chose to name "/var/log/customlog". You may be asking yourself why I chose to match the string ": ##" instead of just "##". It turns out that specifying just "##" also catches AUDIT log entries which (in my configuration) are written every time an iRule with the string "##" is modified. But only the log statement from the actual iRule itself will contain the ": ##" string. This slight tweak keeps those two entries separated from each other. Rotating … So now I have a way to force my iRule logging statements to a custom log file. This is great, but how do I incorporate this custom log file into the log rotation scheme like most other log files? The answer is with a logrotate include statement: tmsh modify sys log-rotate syslog-include '" /var/log/customlog { Compress ….missingok Notifempty }"' and save the configuration change: tmsh save / sys config Logrotate is kicked off by cron, and the change should get picked up the next time it is scheduled to run. SOL13367: Managing log files on the BIG-IP system (11.x) Procedures a) Change the log rotation frequency Move the logrotate script to the appropriate crontab directory (default daily) # mv /etc/cron.daily/logrotate /etc/cron.[weekly,monthly,daily]/ The BIG-IP system will use the new setting the next time the crontab utility runs the logrotate script. b) Change the age at which log files become eligible for removal The logrotate script deletes log files older than the number of days specified by the Logrotate.LogAge database variable. By default, the variable is set to 8. # tmsh modify /sys db logrotate.logage value [0-100] # tmsh save /sys config # bigpipe db Logrotate.LogAge [0-100] (10.x) c) Change the number of archive copies that the system retains By default, the BIG-IP system is configured to retain up to a maximum of 24 archive copies of each log file. # tmsh modify /sys log-rotate common-backlogs [0-100] # tmsh save /sys config # bigpipe logrotate common backlogs [1-100] (10.x) d) Add custom options to the log rotation process For example, you can configure a certain log file to rotate only when it reaches a certain size. # tmsh # edit /sys log-rotate all-properties Replace common-include none --> common-include "/var/log/ltm { compress missingok size 1M notifempty }" :wq! Save changes? (y/n/e)y # save /sys config Page 23 of 91 2.4 Failover scenarios SOL11736: Defining network resources for BIG-IP high availability features (9.x - 10.x) BIG-IP high availability features, such as network mirroring, configuration synchronization, and network failover, allow core system services to be available on one of two BIG-IP high availability systems in the event that the peer system becomes unavailable. SOL14135: Defining network resources for BIG-IP high-availability features (11.x) BIG-IP high availability (HA) features, such as connection mirroring, configuration synchronization, and network failover, allow core system services to be available for a BIG-IP device group in the event that a particular device group member becomes unavailable. In addition, certain high availability features allow you to configure the management IP address to process the high availability traffic, while other features prohibit the use of the management IP address in certain versions. Mirroring The connection and persistence mirroring features duplicate the connection and persistence information from the active to the peer unit. In the event of a failover, the peer system can begin processing connections immediately without interruption. BIG-IP 10.x By default, network mirroring addresses are used for ConfigSync. In BIG-IP version 10.x, the network failover feature requires separate addresses. Note: F5 does not recommend configuring the management IP address as the mirroring address. You should configure a self IP address as the mirroring address. (9.x – 10.2.1) Mirroring recommendations: Configure network mirroring addresses for all high availability pairs even if mirroring is not configured on the system. Configure a dedicated VLAN and dedicated interfaces to process mirroring traffic. Directly cable network mirroring interfaces. Do not use a VLAN group for network mirroring traffic. Configure both primary and alternate mirroring addresses. ConfigSync ConfigSync is a high availability process that collects the configuration files and directories from one unit of a redundant pair into an archive file, and then transmits and installs the shared configuration data on the peer. Starting in BIG-IP 11.x, the ConfigSync feature works in combination with the device service clustering (DSC) architecture. When the device clustering components (including the ConfigSync IP address) are properly defined, the device group members establish a communication channel (CMI channel) to accommodate device group communication and synchronization. ConfigSync recommendation: Define explicit ConfigSync peer addresses for the high availability pair. If your BIG-IP system is configured to mirror a considerable amount of traffic, consider defining an explicit ConfigSync peer address for each system and move the ConfigSync traffic to a separate VLAN. (10.x) Avoid using the mgmt interface for ConfigSync/device service traffic.(11.x) Use an internal or dedicated HA VLAN (11.x) Network Failover When BIG-IP redundant systems are configured to use network failover, the systems communicate over the configured failover addresses. In BIG-IP 10.x, configuring the Peer Management Address setting is required for network failover. In BIG-IP 11.x, Configure failover unicast and multicast addresses for each device group member, and Use an internal or dedicated HA VLAN in addition to the management (MGMT) interface. Page 24 of 91 SOL13478: Overview of connection and persistence mirroring (11.x) The connection and persistence mirroring feature allows you to configure a BIG-IP system to duplicate connection and persistence information to the standby unit of a redundant pair. This setting provides higher reliability, but might affect system performance. System redundancy includes the ability to mirror connection and persistence information to a peer device to prevent interruption in service during failover. Traffic Management Microkernel (TMM) manages the state mirroring mechanism, and connection and persistence data is synchronized to the standby unit over TCP port 1028 with every packet or flow state update. The standby unit decapsulates the packets and adds them to the connection table. You can use the Configuration utility or Traffic Management Shell (tmsh) utility to configure mirroring addresses, configure connection mirroring for virtual servers and SNATs, and configure persistence mirroring. You can also view mirroring data on the active and standby BIG-IP system using the tmsh utility. To do so, refer to the following procedures: a) Choosing a VLAN for mirroring traffic If the BIG-IP system is required to mirror a high volume of connection and persistence information, F5 recommends using a dedicated VLAN and using dedicated interfaces to process mirroring traffic. b) Configuring mirroring IP addresses Mirroring addresses are the IP addresses that you want the BIG-IP system to use for connection and persistence mirroring. # tmsh modify /sys state-mirroring [secondary-]addr <prim|sec_mirror_addr> c) Configuring connection mirroring for a virtual server The BIG-IP system can mirror TCP or UDP connections for a virtual server. (Config Utility) Local Traffic -> Virtual Servers -> Connection Mirroring check box or (CLI) # tmsh modify /ltm virtual <virtual_server> mirror enabled # tmsh save /sys config d) Configuring connection mirroring for a SNAT The BIG-IP LTM system can mirror TCP or UDP connections for a SNAT. (Config Utility) Local Traffic -> SNATs -> Stateful Failover Mirror check box or (CLI) # tmsh modify /ltm snat <snat> mirror enabled # tmsh save /sys config e) Configuring mirroring for a persistence profile The BIG-IP system can mirror persistence information between peers for the following persistence profiles: Destination address affinity, Hash, Microsoft Remote Desktop, SIP, Source address affinity, SSL, Universal (Config Utility) Local Traffic -> Profiles -> Mirror Persistence check box or (CLI) # tmsh modify /ltm persistence <profile_name> mirror enabled # tmsh save /sys config f) Viewing mirrored connection data from either the active or standby unit (CLI) # tmsh show /sys connection all-properties (CLI 10.x) # bigpipe conn mirror show all g) Viewing mirrored persistence data from either the active or standby unit (CLI) # tmsh show /ltm persistence persist-records (CLI 10.x) # bigpipe persist show Recommendation Note: Only FastL4 and SNAT connections are re-mirrored after failback. Enable connection and persistence mirroring when a BIG-IP failover would cause the user's session to be lost or significantly disrupted. For example, where long-term connections, such as FTP and Telnet, are good candidates for mirroring, mirroring short-term connections, such as HTTP and UDP, is not recommended as this will cause a decrease in system performance. Configure a dedicated VLAN and dedicated interfaces to process mirroring Traffic, Directly cable network mirroring interfaces 3.1 Perform a packet capture within the context of a performance issue SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system If you run tcpdump on a heavily loaded BIG-IP system, the packet capture process may not capture all matching traffic, and the statistical values reported by tcpdump may be inaccurate. For example, the packets received by filter statistic may not provide an accurate reporting of all matching packets in the network. And Page 25 of 91 the packets dropped by kernel statistic may not provide an accurate reporting of the real number of matching packets that have been dropped. If you run tcpdump on a heavily loaded system, F5 recommends using tcpdump filter expressions to mitigate the potential for missed packets. Running tcpdump on a VLAN When the VLAN is specified in the tcpdump syntax, tcpdump can read packets processed by TMM. # tcpdump -ni /<partition_name>/<vlan_name> (On 11.x) For systems containing a PVA ASIC, the tcpdump utility does not capture virtual server traffic that is fully accelerated by the PVA chip. You can work around this limitation by temporarily disabling PVA acceleration for the FastL4 profile. Running tcpdump on an interface When tcpdump is run on an interface, the packet is copied on a switch ingress to the SCCP or AOM, which then sends the packet to the host to be captured by tcpdump. Running tcpdump in a route domain The tcpdump utility does not capture traffic when run from a non-default route domain. For example, if you use the rdsh utility to change the shell to a non-default route domain and run the tcpdump command, no traffic will be captured. To capture traffic, use the following command to change back to the default route domain: # rdsh 0 You can then run the #tcpdump -ni 0.0 command to capture all route domain traffic. SOL9704: Capturing and viewing packets (Firepass) The capture and view packets utility allows the FirePass administrator to troubleshoot networking issues by capturing the network packets coming to and from the FirePass controller. 1. Log in to the FirePass Administrative Console. 2. Navigate to the Device Management: Maintenance: Troubleshooting tools: Network packet dump section. 3.2 Use BIG-IP tools in order to identify potential performance issues Manual: BIG-IP iHealth User Guide BIG-IP iHealth enables you to verify the proper operation of your BIG-IP and Enterprise Manager systems and ensures your hardware and software function at peak efficiency. The results provide tailored feedback about configuration issues or code defects, and provide a description of the issue, recommendations for resolution, and a link to further information in the AskF5 Knowledge Base. BIG-IP iHealth was integrated with the Enterprise Manager system starting with version 3.0.0. You can configure the Enterprise Manager system to automatically create and upload qkview files (from BIG-IP and Enterprise Manager devices) to BIG-IP iHealth. F5 recommends uploading a qkview file to the BIG-IP iHealth system at least once a month, since F5 updates the BIG-IP iHealth known issues and best practices database on a weekly basis. The default name for a qkview file is as follows: Page 26 of 91 case_number_____support_file.tar.gz Manual Chapter: Health and Performance Monitoring BIG-IP Local Traffic Manager can monitor the health or performance of either pool members or nodes. Local Traffic Manager supports these methods of monitoring: Simple monitoring, Active monitoring, Passive monitoring. Simple monitoring merely determines whether the status of a node is up or down. The system contains two types of simple monitors, ICMP and TCP_ECHO. Active monitoring checks the status of a pool member or node on an ongoing basis, at a set interval. If a pool member or node being checked does not respond within a specified timeout period, or the status of a node indicates that performance is degraded. Each type of active monitor checks the status of a particular protocol, service, or application. For example, one type of monitor is HTTP. Active monitors fall into two categories: Extended Content Verification (ECV) monitors and Extended Application Verification (EAV) monitors. Passive monitoring occurs as part of a client request. There is only one type of passive monitor, called an Inband monitor. A pre-configured monitor is an existing monitor that Local Traffic Manager provides for you, with its settings already configured. A custom monitor is a monitor that you create based on one of the allowed monitor types. Transparent and Reverse modes The Manual Resume feature The resource subsequently becomes unavailable, the resource remains offline until you manually re-enable it. The Time Until Up feature provides a way to adjust the default behavior. This feature allows the system to delay the marking of a pool member or node as up for some number of seconds after receipt of the first correct response. You can configure Dynamic Ratio load balancing for pools that consist of RealNetworks RealServer servers, Microsoft Windows servers equipped with Windows Management Instrumentation (WMI), or any server equipped with an SNMP agent such as the UC Davis SNMP agent or Windows 2000 Server SNMP agent. You must install the monitor plug-in on each server to be monitored, and you must create a performance monitor that resides on the BIG-IP system. Once you have created a monitor, the monitor communicates directly with the server plug-in. For each server type, Table 14.3 shows the required monitor plug-in and the corresponding performance monitor types. Page 27 of 91 Server Type Monitor plug-in Monitor Type RealServer Windowsserver RealServer UNIX server F5RealMon.dll Real Server Real Server Windows server with WMI f5isapi.dll or F5Isapi64.dll or F5.IsHandler.dll WMI Windows 2000 Server server SNMP agent SNMP DCA and SNMP DCA Base UNIX server UC Davis SNMP agent SNMP DCA and SNMP DCA Base f5realmon.so 4.1 Verify remote connectivity to the box in order to determine the cause of a management connectivity issue. Manual Chapter: Configuring Network Access Resources (APM 11.2.x) Creating a network access resource You configure a network access resource to allow users access to your local network through a secure VPN tunnel. 1. On the Main tab, click Access Policy > Network Access . The Network Access List screen opens. 2. Click the Create button. The New Resource screen opens. 3. In the Name field, type a name for the resource. 4. Type an optional description for the network access resource. 5. Click Finished to save the network access resource. The General Properties screen for the network access resource opens. You can configure the properties for the network access resource using the menu bar at the top of the screen. Later, you assign the network access resource to an access policy using one of the resource assign actions. Configuring properties for a network access resource Configuring network settings for a network access resource o Proxy ARP considerations. Proxy ARP is not compatible with SNAT pools. Configuring DNS and hosts for a network access resource Mapping drives for a network access resource Launching applications on a network access connection Manual Chapter: Diagnosing Network Connection Issues (GTM 11.2.x) To help you diagnose network connection issues, you can view the status of and statistics about the iQuery connections between BIG-IP Global Traffic Manager (GTM) and other BIG-IP systems on your network. iQuery connection information displays for IP addresses that are configured on BIG-IP server objects. When you want to estimate iQuery traffic throughput, following these statistics: o iQuery Reconnects o Bytes Out o Bytes Dropped o Bytes In o Backlogs Manual Chapter: Defining Connectivity Options (APM 11.2.x) About connectivity profiles In the BIG-IP Access Policy Manager, a connectivity profile is the profile that you select in a virtual server definition to define connectivity and client settings for a network access session. The connectivity profile contains: Network access connection compression settings Client settings for virtual servers and location awareness Client update settings Password caching settings Citrix client settings Mobile client settings Creating a connectivity profile Page 28 of 91 You create a connectivity profile to configure client connections for a network access tunnel and clients. o On the Main tab, click Access Policy > Secure Connectivity > Connectivity Profiles . To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server. Manual Chapter: About Network Access (APM 11.2.x) What is network access? The BIG-IP Access Policy Manager network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location. The network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also more robust than IPsec VPN against router and firewall incompatibilities. Network access features Full access from any client.- Provides Windows, Macintosh, Linux, and Windows Mobile users with access Split tunneling of Traffic.- Provides control over exactly what traffic is sent over the network access connection to the internal network, and what is not. Client checking.- Detects operating system and browser versions, and processes, and checks files during the login process to insure that the client configuration meets the organization's security policy for remote access. Compression of transferred data.- Compresses traffic with GZIP before it is encrypted, reducing the number of bytes transferred. Routing table monitoring.- Monitors changes made in the client's IP routing table during a network access connection. Session inactivity detection.- Closes network access connections after a period below an inactivity threshold. Automatic application start.- Starts a client application automatically after establishing the network access connection. Automatic drive mapping.- Connects the user to a specific drive on the intranet. This feature simplifies user access to files. Connection-based ACLs.- Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on specific criteria. Dynamic IP address assignment.- Assigns client endpoint IP addresses dynamically from a configured pool of addresses. Traffic classification, prioritization, and marking.Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics. Page 29 of 91 Network access configuration elements A network access configuration requires: A network access resource An access profile, with an access policy that assigns: o A network access resource o A network access or full webtop A lease pool that provides internal network addresses for tunnel clients A connectivity profile A virtual server that assigns the access profile 4.2 Check and interpret port lockdown settings in order to determine the cause of a management connectivity issue SOL13250: Overview of port lockdown behavior (10.x - 11.x) Port lockdown is a BIG-IP security feature that allows you to specify particular protocols and services from which the self IP address defined on the BIG-IP system can accept traffic. The port lockdown feature allows you to secure the BIG-IP system from unwanted connection attempts by controlling the level of access to each self IP address defined on the system. Port lockdown Exceptions TCP port 1028: In a redundant pair configuration, the system allows tcp:1028 for connection and persistence mirroring, regardless of the port lockdown settings. TCP port 4353: When BIG-IP 11.0.0 and later devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353, regardless of the port lockdown settings. ICMP: ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases. Page 30 of 91 Port lockdown setting definitions: Allow Default Allowed protocol Service Service definition OSPF N/A N/A TCP 4353 iQuery UDP 4353 iQuery TCP 443 HTTPS TCP 161 SNMP UDP 161 SNMP TCP 22 SSH TCP 53 DNS UDP 53 DNS UDP 520 RIP UDP 1026 network failover [root@asm] config # tmsh list net selfallow net self-allow { defaults { ospf:any tcp:domain tcp:f5-iquery tcp:https tcp:snmp tcp:ssh udp:520 udp:cap udp:domain udp:f5-iquery udp:snmp } } Allow All This option specifies that all connections to the self IP address are allowed Allow None This option specifies that no connections are allowed on the self IP address. However, ICMP traffic is always allowed. Allow Custom This option allows you to specify the protocols and services for which connections are allowed on the self IP address. However, ICMP traffic is always allowed. When creating a self IP address, the default port lockdown setting in BIG-IP 10.x is Allow Default. In BIG-IP 11.x, the default port lockdown setting is None. # tmsh modify /net self self_VLAN_Pruebas allow-service default config # tmsh save /sys SOL3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address To enhance system security, a BIG-IP self IP address will not respond to an ICMP request arriving on a VLAN which the self IP is not configured. However, the BIG-IP self IP will respond to the ICMP request if any of the following conditions is met: The request arrived on the VLAN which the self IP address is configured The request arrives on the VLAN which a virtual server is configured to use the self IP address as its destination IP address Note: By default, all VLANs are enabled when a virtual server is created. For example, assume you have configured the following self IP addresses and a virtual server, enabled on the external VLAN: self 10.10.65.65 { netmask 255.255.255.0 vlan internal } self 172.16.66.66 { netmask 255.255.255.0 vlan external } virtual http_vip { pool http_pool destination 10.10.65.65:http ip protocol tcp vlans internal enable Page 31 of 91 } virtual http_vip { pool http_pool destination 172.16.66.100:http ip protocol tcp vlans external enable } The following table represents the results you can expect from the above configuration when sending ICMP requests to the self IP addresses from various network locations relative to the BIG-IP system: Origin Destination Result Comentarios 10.10.65.x (or forwarded by router on internal VLAN) 172.16.66.66 BIG-IP ignores request O i -> D e S 10.10.65.x (or forwarded by router on internal VLAN) 10.10.65.65 BIG-IP responds O i -> D i S=VS 172.16.66.x (or forwarded by router on external VLAN) 172.16.66.66 BIG-IP responds O e -> D e S 172.16.66.x (or forwarded by router on external VLAN) 10.10.65.65 BIG-IP responds O e -> D i S=VS 10.10.65.x (or forwarded by router on internal VLAN) 172.16.66.100 BIG-IP ignores request O i -> D e VS≠S 4.3 Check and interpret packet filters in order to determine the cause of a management connectivity issue. Manual Chapter: Packet Filters (11.2.x) Introduction to packet filtering Packet filters enhance network security by specifying whether a BIG-IP system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are: a) The source IP address of a packet b) The destination IP address of a packet c) The destination port of a packet You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility. BIG-IP Configuration utility, and on the Main tab, expand Network, and click Packet Filters Global settings Properties Packet filter enabling. The default setting for packet filtering is Disabled. Control of unhandled packets. Specifies the action that the BIG-IP system should take when the packet does not match packet filter rule criteria. Possible values for this setting are Accept (def), Discard, and Reject. Other options: a) Filter established connections, b) Send ICMP error on packet reject Global exemptions There are a number of exemptions you can set for packet filtering. When filtering packets, the BIG-IP system always applies these exemptions, effectively overriding certain criteria you might have previously set within an individual packet filter rule. Protocols: Always accept ARP Always accept important ICMP MAC addresses: Always Accept, None IP addresses: Always Accept, None Page 32 of 91 VLANs: Always Accept, None Packet filter rules Packet filter rules are criteria statements that the BIG-IP system uses for filtering packets. The BIG-IP system attempts to match packet filter rules with an incoming packet, and if a match exists, determines whether or not to accept or reject the packet. When you create a packet filter rule, you configure several settings, and then you define the criteria that you want the BIG-IP system to use to filter the traffic. Configuring settings for packet filter rules a) Name b) Order of packet filter rules: First, Last, After c) Action: Accept, Discard, Reject, Continue d) Rate class assignment: None e) VLAN/Tunnel: * ALL f) Logging: Enabled, Disabled g) Creating a filter expression: To match incoming packets, the BIG-IP system must use a filter expression. A filter expression specifies the criteria that you want the BIG-IP system to use when filtering packets. My Example: [root@asm:Active:Standalone] config # tmsh list net packet-filter-trusted net packet-filter-trusted { ip-addresses { 10.2.0.13 } } [root@asm:Active:Standalone] config # tmsh list net packet-filter net packet-filter reglapf1_https_configutil_accept { action accept logging enabled order 5 rule "( src host 10.2.0.13 )" } net packet-filter reglapf2_https_configutil_discard { action discard logging enabled order 10 rule "( dst host 10.3.1.153 or dst host 10.3.2.216 ) and ( dst port 443 )" } [root@asm:Active:Standalone] config # Page 33 of 91 Manual Chapter: Configuring Packet Filters (v9.x) Lo mismo que el anterior en versión 9.x Manual Chapter: Setting Up Packet Filtering (v10.x) By setting up some basic IP routing and configuring packet filtering, specific hosts on the internal VLAN can connect to the internal VLANs self IP address. These hosts can also use common Internet services such as HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts in the internal VLAN is rejected. To configure this implementation, you must: Create a SNAT [automap , Vlan Enabled on=Internal & External] Create a pool of routers (also known as a gateway pool). Create a forwarding virtual server. [Type=Network, Address=0.0.0.0, Mask=0.0.0.0, Service Port= * All Ports, Vlan Enabled on=Internal, Default Pool= Gateway Pool] Create a packet filter rule.[Action=Reject, Vlan=Internal, Enter Expression Test] not dst port 80 and not dst port 443 and not dst port 53 and no dst port 22 and not dst port 20 and not dst port 21 and not dst host <internal self IP address> Note: The BIG-IP system contains an implementation of IP filters. The syntax for a filter expression is based on libpcap and is synonymous with the tcpdump utility syntax. The system applies packet filters to self IP addresses and virtual servers, but does not apply them to the management interface. The system stores packet filters in the bigip.conf file, and shares them with any existing failover peer in a redundant system configuration. Page 34 of 91 4.4 Given the use of a remote authentication server, verify proper DNS settings in order to diagnose a connectivity issue. Manual Chapter: Remote Server Authentication (LTM 11.2.0) A significant feature of BIG-IP Local Traffic Manager is its ability to support Pluggable Authentication Module (PAM) technology. PAM technology allows you to choose from a number of different authentication and authorization schemes to use to authenticate or authorize network traffic. The goal of PAM technology is to separate an application, such as the BIG-IP system, from its underlying authentication technology. This means that you can dictate the particular authentication/authorization technology that you want the BIG-IP system to use to authenticate application traffic coming into the BIG-IP system. To this end, Local Traffic Manager offers several authentication schemes, known as authentication modules. These authentication modules allow you to use a remote system to authenticate or authorize application requests that pass through the BIG-IP system. Note: The BIG-IP system normally routes remote authentication traffic through a Traffic Management Microkernel (TMM) switch interface (that is, an interface associated with a VLAN and a self IP address), rather than through the management interface. Therefore, if the TMM service has been stopped for any reason, remote authentication is not available until the service is running again. BIG-IP system authentication modules Local Traffic Manager authentication modules that you can implement for remote authentication are: Lightweight Directory Access Protocol (LDAP) Remote Authentication Dial-In User Service (RADIUS) TACACS+ SSL client certificate LDAP Online Certificate Status Protocol (OCSP) Certificate Revocation List Distribution Point (CRLDP) Kerberos Delegation The LDAP authentication module An LDAP authentication module is a mechanism for authenticating or authorizing client connections passing through a BIG-IP system. This module is useful when your authentication or authorization data is stored on a remote LDAP server or a Microsoft Windows Active Directory server, and you want the client credentials to be based on basic HTTP authentication (that is, user name and password). Additionally, the system can take some action based on certain information that the server returns in the LDAP query response. For example, LDAP response information can indicate the users group membership, or it can indicate that the users password has expired. To configure Local Traffic Manager to return specific data in an LDAP response, you can write an iRule, using the commands AUTH::subscribe, AUTH::unsubscribe, and AUTH::response_data. LDAP configuration object settings Remote LDAP Tree Specifies the search base distinguished name. Hosts Lists the addresses of the LDAP servers that the BIG-IP system uses to obtain authentication data. Service Port Specifies the port number for the LDAP service. 389 (non-SSL), 636 (SSL-enabled) LDAP Version Specifies the version number of the LDAP application. 3 Bind DN Specifies the distinguished name of an account to which to bind, in order to perform searches. The admin account can be used as the search account. SSL Allowed values are: Enabled, Disabled, and Start TLS. Note that when enabled, the BIG-IP system changes the service port number from 389 to 636. (def. Disabled) LDAP profile configuration settings Mode [Enabled, Auto, Disabled] Configuration Specifies an existing LDAP configuration object. This setting is required. Rule _sys_auth_ldap Idle Timeout [Specify… 300 seconds | Indefinite] Page 35 of 91 My Example: [root@asm:Active:Standalone] config # tmsh list /ltm auth ltm auth ldap Mi_LDAPconfig { search-base-dn "CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM" servers { 10.1.1.243 } } ltm auth profile Mi_LDAPprofile { app-service none configuration Mi_LDAPconfig credential-source http-basic-auth defaults-from ldap type ldap } The RADIUS authentication module A RADIUS authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You use this module when your authentication data is stored on a remote RADIUS server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password). RADIUS server object configuration settings Host Specifies a host name or IP address for the RADIUS server. This setting is required. Service Port Specifies the port for RADIUS authentication traffic. 1812 Secret Sets the secret key used to encrypt and decrypt packets sent or received from the server. Timeout Specifies a timeout value. 3 RADIUS configuration object settings RADIUS Servers authentication data. Client ID Lists the IP addresses of the RADUIS servers that the BIG-IP system will use to obtain Sends a NAS-Identifier RADIUS attribute with string bar. If you do not specify a value for the Client ID setting, the PAM service type is used instead. Specifies the number of authentication retries that the BIG-IP system allows before authentication fails. 3RADIUS profile configuration settings Mode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing RADIUS configuration object. Rule _sys_auth_radius Idle Timeout [Specify… 300 seconds | Indefinite] My Example: [root@asm:Active:Standalone] config # tmsh list /ltm auth The TACACS+ authentication moduleA TACACS+ authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You use this module when your authentication data is stored on a remote TACACS+ server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password).TACACS+ configuration object settingsServers Specifies a host name or IP address for the TACACS++ server. Secret Sets the secret key used to encrypt and decrypt packets sent or received from the server. Encryption Enables or disables encryption of TACACS+ packets. (def. Enabled) Service Name Specifies the name of the service that the user is requesting to be authorized to use. You can use following values: slip, ppp, arap, shell, tty-daemon, connection, system, and firewall. Protocol Name Specifies the protocol associated with the value specified in the Service Name setting. Authentication Possible values are: Authenticate to first server or Authenticate to each server until successAccounting Information Possible values are Send to first available server or Send to all servers.TACACS+ profile configuration settings Mode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing TACACS+ configuration object. Rule _sys_auth_tacacs Idle Timeout [Specify… 300 seconds | Indefinite] [root@asm:Active:Standalone] config # tmsh list /ltm auth The SSL client certificate LDAP authentication module Page 36 of 91 An SSL client certificate LDAP authentication module is a mechanism for authorizing client connections passing through a BIG-IP system. With the SSL client certificate LDAP authentication module, you can use a remote LDAP server to impose access control on application traffic. The module bases this access control on SSL certificates, as well as user groups and roles that you specify. SSL client certificate authorization Before you can implement an SSL client certificate LDAP module, you must understand the two different types of credentials that the BIG-IP system uses to authorize application traffic using data on a remote LDAP server. These two types of credentials are: SSL certificates Groups and roles With SSL client certificate LDAP authorization, Local Traffic Manager can authorize clients based on signed client certificates issued by trusted CAs. Then, to further enhance the ability of the system to authorize client requests, you can also specify groups and roles. Basing authorization on certificates as well as groups and roles provides the flexibility you need to control client access to system resources. SSL certificates for LDAP authorization During the process of authorizing a client, Local Traffic Manager must search the LDAP database. When using certificate-based authorization, the system can search the LDAP database in three ways: User. If certificates are not stored in the LDAP database, you can configure the system to extract a user name from the certificate presented as part of the incoming client request. The system then checks to see if an entry for the user exists in the LDAP database. This scenario is a good choice for a company that acts as its own Certificate Authority, where the company is assured that if the certificate is verified, then the user is authorized. Certificate Map. If you create an object and class that map certificates to users in the LDAP database, you can then configure the system to search for a certificate in the map, and retrieve a user from that map. The system then checks to ensure that the user in the LDAP database is a valid user. Certificate. Many LDAP server environments already incorporate certificates into the user information stored in the LDAP database. One way of configuring authorization in LDAP server environments is to configure the system to compare an incoming certificate to the certificate stored in the LDAP database for the user associated with the client request. If the certificate is found in the users LDAP profile, access is granted to the user, and the request is granted.Groups and roles for LDAP authorizationIn addition to enabling certificate-based authorization, you can also configure authorization based on groups and roles. Groups. Because LDAP servers already have the concept and structure of groups built into them, Local Traffic Manager can include groups in its authorization feature. To enable the use of groups for authorization purposes, you must indicate the base and scope under which the system will search for groups in the LDAP database. Also, you must specify setting values for a group name and a member name. Once you have completed these tasks, the system can search through the list of valid groups until a group is found that has the current user as a member.Unlike a group, a role is a setting directly associated with a user. Any rolebased authorization that Local Traffic Manager performs depends on the LDAP database having the concept of roles built into it. To determine if a user should be granted access to a resource, Local Traffic Manager searches through the roles assigned to the user and attempts to match that role to a valid role defined by the administrator.SSL client certificate LDAP configuration object settingsHosts Lists the IP addresses, including port numbers, of the LDAP servers that the BIG-IP system will use to obtain authorization data. Search Type Specifies the certificate-based authorization method that the system uses when searching the LDAP database (User, Certificate Map, CertificateUser Base DNSpecifies the search base for the subtree used by the User and Certificate search types. A typical search base is:ou=people,dc=company,dc=com. User Key Specifies the name of the attribute in the LDAP database that specifies a user ID. Used by the User and Certificate search type. A typical example of a user key value is uid. SSL client certificate LDAP authorization profile settings Mode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing SSL client certificate LDAP configuration object. Rule _sys_auth_ssl_cc_ldap Idle Timeout [Specify… 300 seconds | Indefinite] Page 37 of 91 My Example: ltm auth profile Mi_SSLclientCertificate_LDAP_profile { app-service none configuration Mi_SSLclientCertificateLDAP_config credential-source http-basic-auth defaults-from ssl_cc_ldap type ssl-cc-ldap } ltm auth ssl-cc-ldap Mi_SSLclientCertificateLDAP_config { servers { 10.3.3.2:389 } user-base ou=people,dc=it-solutions,dc=com user-key uid } The SSL OCSP authentication module An SSL OCSP authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. More specifically, an SSL OCSP authentication module checks the revocation status of an SSL certificate, as part of authenticating that certificate.Online Certificate Status Protocol (OCSP) is a thirdparty software application and industry-standard protocol that offers an alternative to a certificate revocation list (CRL) when using public-key technology. A CRL is a list of revoked client certificates, which a server system can check during the process of verifying a client certificate. You implement an SSL OCSP authentication module when you want to use OCSP instead of a CRL as the mechanism for checking the revocation status of SSL certificates. Local Traffic Manager supports both CRLs and the OCSP protocol. If you want to use CRLs instead of OCSP, you configure an SSL profile. The benefits of OCSP OCSP ensures that Local Traffic Manager always obtains real-time revocation status during the certificate verification process. OCSP is based on a client/server model, where a client system requests revocation status of a certificate, and a server system sends the response. Thus, when you implement the SSL OCSP authentication module, the BIG-IP system acts as the OCSP client, and an external system, known as an OCSP responder, acts as the OCSP server. An OCSP responder is therefore an external server that sends certificate revocation status, upon request, to the BIG-IP system. How does OCSP work? In general, after receiving an SSL certificate from a client application, the BIG-IP system (acting as an OCSP client) requests certificate revocation status from an OCSP responder, and then blocks the connection until it receives status from that responder. If the status from the responder shows that the certificate has been revoked, Local Traffic Manager rejects the certificate and denies the connection. If the status from the responder shows that the certificate is still valid, Local Traffic Manager continues with its normal certificate verification process to authenticate the client application. OCSP responder object configuration settings URL Specifies the URL used to contact the OCSP service on the responder. Certificate Authority File Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response. SSL OCSP configuration object settingsType Specifies the type of authentication module you want to implement. SSL OCSP Responders Specifies the OCSP responders that you want to use for checking that revocation status of SSL certificates.SSL OCSP profile configuration settings Mode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing OCSP configuration object. Rule _sys_auth_ssl_ocsp Idle Timeout [Specify… 300 seconds | Indefinite] The CRLDP authentication moduleA CRLDP authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You implement a CRLDP authentication module when you want the BIG-IP system to use CRL distribution points as the mechanism for checking the revocation status of SSL certificates.This CRLDP authentication feature is based on a technology known as Certificate Revocation List Distribution Points (CRLDP). CRLDP is an industry-standard protocol that offers an alternative method for checking a standard certificate revocation list (CRL) to determine revocation status. CRLDP is also an alternative to using Online Certificate Status Protocol (OCSP).CRLDP configuration object settingsConnection Timeout 15 Page 38 of 91 Update Interval 0 Use Issuer Indicates whether the CRL distribution point should be extracted from the certificate of the client certificate issuer. Disabled CRLDP Servers Lists the IP addresses of the CRLDP servers that the BIG-IP system will use to obtain authentication data. CRLDP profile settingsMode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing CRLDP configuration object. Rule _sys_auth_ssl_crldp Idle Timeout [Specify… 300 seconds | Indefinite] The Kerberos Delegation authentication moduleA Kerberos Delegation authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You can use this module when you are using Microsoft Windows Integrated Authentication to authenticate application traffic. The Kerberos Delegation module obtains delegated Kerberos credentials for the client principal, and then retrieves Kerberos credentials for the server-side principal. The Kerberos Delegation module essentially acts as a proxy for Kerberos credentials. That is, when connecting to a server that is inside its domain, the browser client fetches Kerberos credentials. These credentials, known as delegated credentials, are passed to the BIG-IP system, which in turn retrieves credentials for the real server that is on the back end, and passes those credentials back to the client. Kerberos Delegation configuration object settingsClient Principal Name Specifies the name of the client principal, using the format HTTP/<fqdn>, where fqdn is the fully-qualified domain name of the virtual server you create.Server Principal Name Specifies the name of the principal of the back-end web server, using the format HTTP/<fqdn>, where fqdn is the fully-qualified domain name of the web server in the pool.Kerberos Delegation profile settingsMode Specifies whether the profile is enabled (def) or disabled or auto. Configuration Specifies an existing Kerberos Delegation configuration object. Rule _sys_auth_krbdelegate Idle Timeout [Specify… 300 seconds | Indefinite] Cookie Name Specifies a unique name for the cookie that you want to associate with this profile. Cookie Key Specifies an encryption key, in the form of a strong password, for encrypting cookie data f5auth abc123 Manual Chapter: Configuring Remote User Authentication and Authorization (11.2.0) The BIG-IP system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can: Use a remote server to store BIG-IP system user accounts. The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server (using the server vendor's instructions), you can configure the BIG-IP system to use remote user authentication and authorization (access control) for that server type. Assign group-based access. The BIG-IP system includes an optional feature known as remote role groups. With the remote role groups feature, you can use existing group definitions on the remote server to define the access control properties for users in a group. This feature not only provides more granularity in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges. Propagate a set of authorization data to multiple BIG-IP systems. Page 39 of 91 The BIG-IP system includes a tool for propagating BIG-IP system configuration data to multiple BIGIP devices on the network. This tool is known as the Single Configuration File (SCF) feature. Page 40 of 91 You can configure the BIG-IP system to authorize user accounts that are stored on a remote authentication server. Specifying LDAP or Active Directory server information Before you begin: Verify that the BIG-IP system user accounts have been created on the remote authentication server. Verify that the appropriate user groups, if any, are defined on the remote authentication server. If you want to verify the certificate of the authentication server, import one or more SSL certificates. You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT). Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. On the Main tab, click System > Users. On the menu bar, click Authentication. Click Change. From the User Directory list, select Remote - LDAP or Remote - Active Directory. In the Host field, type the IP address of the remote server. For the Port setting, retain the default port number (389) or type a new port number. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (that is, dc=[value]). For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication. For the Bind setting, specify a user ID login for the remote server: 1. In the DN field, type the distinguished name for the remote user ID. 2. In the Password field, type the password for the remote user ID. 3. In the Confirm field, re-type the password that you typed in the Password field. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings: 1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server. 2. From the SSL Client Key list, select the name of the client SSL key. Use this setting only when the remote server requires that the client present a certificate. 3. From the SSL Client Certificate list, select the name of the client SSL certificate. Use this setting only if the remote server requires that the client present a certificate. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP user accounts authenticated on the remote server: From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP user accounts can access. From the Terminal Access list, select one of the following as the default terminal access for remotelyauthenticated user accounts: Disabled, tmsh, Advanced shell Click Finished. Specifying client certificate LDAP server information Verify that the required user accounts for the BIG-IP system exist on the remote authentication server. For authenticating BIG-IP system user accounts (that is, traffic that passes through the management interface [MGMT]), you can configure the BIG-IP system to authenticate certificates issued by a certificate authority's Online Certificate Status Protocol (OCSP) responder. 1. 2. 3. 4. 5. 6. 7. On the Main tab, click System > File Management > Apache Certificate List > Import, browse for the certificate file to import, type a name, and click Import. The certificate will be added to the Apache Certificate list. On the Main tab, click System > Users. On the menu bar, click Authentication. Click Change. From the User Directory list, select Remote - ClientCert LDAP. In the Host field, type the IP address of the remote server. For the Port setting, retain the default port number (389) or type a new port number. This number represents the port number that the BIG-IP system uses to access the remote server. Page 41 of 91 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the client certificate server. At minimum, you must specify a domain component (that is, dc=[value]). For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication. For the Bind setting, specify a user ID login for the remote server: a. In the DN field, type the distinguished name for the remote user ID. b. In the Password field, type the password for the remote user ID. c. In the Confirm field, re-type the password that you typed in the Password field. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings: a. From the SSL CA Certificate list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server. b. From the SSL Client Key list, select the name of the client SSL key. Use this setting only when the remote server requires that the client present a certificate. c. From the SSL Client Certificate list, select the name of the client SSL certificate. Use this setting only if the remote server requires that the client present a certificate. In the CA Certificate field, type the absolute folder path of apache-ssl-cert fileobject for the CA signing authority. The absolute folder path is /Common/<folder path>/<certificate name>. To determine the absolute folder path of the apache-ssl-cert fileobject, click System > File Management > Apache Certificate List and note the target certificate's partition and path. Important: Apache certificates can only be stored within /Common. /> In the Login Name field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as CN. This specifies the LDAP attribute to be used as a login name. The default is disabled. In the Login LDAP Attribute field, type the account name for the LDAP server. The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directory server, the value must be the account name sAMAccountName (case-sensitive). The default value is none. In the Login Filter field, type the LDAP attribute that contains the short name of the user. This specifies the filter to be applied on the common name (CN) of the client certificate and usually this is the user ID or sAMAccountName. The filter is a regular expression used to extract required information from the CN of the client certificate that is matched against the LDAP search results. The default is disabled. For the Depth setting, retain the default value (10) or type a new value for verification depth. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access. From the Terminal Access list, select either of these as the default terminal access option for remotelyauthenticated user accounts: Disabled, tmsh Click Finished. Specifying RADIUS server information Prerrequisites: Verify that the BIG-IP system user accounts have been created on the remote authentication server. Verify that the appropriate user groups, if any, are defined on the remote authentication server. You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT). 1. 2. 3. 4. 5. 6. 7. 8. On the Main tab, click System > Users. On the menu bar, click Authentication. Click Change. From the User Directory list, select Remote - RADIUS. From the Server Configuration list, select one of the following options: a. Primary Only: Specifies that you are using a single RADIUS server only for user authentication. b. Primary and Secondary: Specifies that you are using a primary RADIUS server plus a secondary RADIUS server, in case the primary server becomes unavailable. For the Primary setting: 1. In the Host field, type the name of the primary RADIUS server. 2. In the Secret field, type the password for access to the primary RADIUS server. 3. In the Confirm field, re-type the RADIUS secret. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting: 1. In the Host field, type the name of the secondary RADIUS server. 2. In the Secret field, type the password for access to the secondary RADIUS server. 3. In the Confirm field, re-type the RADIUS secret. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP user accounts stored on the remote server: Page 42 of 91 9. From the Partition Access list, select the administrative partition that all remotely-authenticated BIG-IP user accounts can access. 10. From the Terminal Access list, select one of the following options as the default terminal access for remotelyauthenticated user accounts: Disabled, tmsh, Advanced Shell. 11. Click Finished. Specifying TACACS+ server information Prerrequisites: Verify that the BIG-IP system user accounts have been created on the remote authentication server. Verify that the appropriate user groups, if any, are defined on the remote authentication server. You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT). 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. On the Main tab, click System > Users. On the menu bar, click Authentication. Click Change. From the User Directory list, select Remote - TACACS+. For the Servers setting, type an IP address for the remote TACACS+ server. The route domain to which this address pertains must be route domain 0. Click Add. The IP address for the remote TACACS+ server appears in the Servers list. In the Secret field, type the password for access to the TACACS+ server. In the Confirm Secret field, re-type the TACACS+ secret. From the Encryption list, select an encryption option: Enabled, or Disabled. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp). Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Namefield. This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP user accounts stored on the remote server: From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP user accounts can access. From the Terminal Access list, select one of the following options as the default terminal access for remotelyauthenticated user accounts: Disabled, tmsh, Advanced shell. Click Finished. Assigning access control properties to user groups On the BIG-IP system, you can configure access control properties (privileges) for existing user groups that are defined on a remote authentication server. For example, if the configuration of a remote LDAP authentication server includes the attribute string memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net, you can assign a specific set of access control properties to all user accounts in the group BigIPOperatorsGroup. 1. 2. 3. 4. On the Main tab, click System > Users. On the menu bar, click Remote Role Groups. Click Create. In the Group Name field, type the group name that is defined on the remote authentication server. An example of a group name is BigIPOperatorsGroup. 5. In the Line Order field, type a number. An example of a line order is 1. 6. In the Attribute String field, type an attribute. An example of an attribute string is member OF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net. The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured). 7. From the Remote Access list, select a value. Enabled, or Disabled. 8. From the Assigned Role list, select a user role for the remote user group. 9. From the Partition Access list, select an administrative partition value. 10. From the Terminal Access list, select the type of command-line access you want to grant users in the group, if any. 11. Click Finished. Page 43 of 91 Saving access control settings to a file You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat, text file with a specified name and the extension .scf. (Single Configuration File) 1. 2. 3. On the BIG-IP system, access a command-line prompt. At the prompt, open the Traffic Management Shell by typing the command tmsh. Type: root@(asm)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config file MiConfig.scf Saving running configuration... /var/local/scf/MiConfig.scf /var/local/scf/MiConfig.scf.tar root@(asm)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config file /config/MiConfig Saving running configuration... /config/MiConfig /config/MiConfig.tar You can now import this file onto other BIG-IP devices on the network. Importing BIG-IP configuration data onto other BIG-IP systems 1. 2. 3. 4. 5. On the BIG-IP system on which you created the SCF, access a command-line prompt. Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure: a. Open the SCF in an editor. b. Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system. c. If necessary, change the passwords for the root and admin accounts. d. Save the edited SCF. On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command tmsh. Type # load sys config myConfiguration053107.scf saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are loading. 5.1 Identify the appropriate supporting components and severity levels for an F5Support ticket. SOL2633: Instructions for submitting a support case to F5 Important: To open a support case with F5 Technical Support, or to register for access to the WebSupport portal, you must have an active support contract, and you must be authorized to open support cases against that contract. Only authorized contacts can open technical support cases with F5 Technical Support. a) Contacting F5 Technical support by telephone a. Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435) b) Contacting F5 Technical support online You can also contact F5 Technical Support online at the WebSupport Portal. To do so, you must first register for access to the WebSupport portal. To register for access to the WebSupport portal, perform the following procedure: a) Log in to https://login.f5.com. b) Under the Other Sites You May Apply For heading, in the WebSupport section, click the <click here> link. c) Complete the registration page. You will be notified by email within 24 hours that your account has been enabled with WebSupport portal access. Product-Specific Information For BIG-IP WebAccelerator Page 44 of 91 Provide an explanation of the BIG-IP WebAccelerator deployment topology (asymmetrical or symmetrical including number of accelerators). A Visio network diagram is preferable. Provide an XML export of any relevant policies. Policies can be exported individually from the Polices page of the Admin Tool Web UI. If the WebAccelerator pvac (v9.x/v10.x) or wamd (v11.x) daemon is experiencing performance issues, provide the result of a continuous top command. Type the following command, and provide the file produced: # top -cbn 10 -d 1 > /var/tmp/top_output.sol6705.txt For BIG-IP APM BIG-IP APM access profiles should also be provided to F5 Technical Support when troubleshooting BIGIP APM issues. Exported access profiles are saved as files with the .conf extension. Client specific information. The remaining items are needed if the issue is specific to a particular client: Operating system, version and patch level, Browser type and version, SSL VPN client log file information For BIG-IP ASM Exported Security Policy. You should export the active security policy so F5 Technical Support can review it. The asm_snapshot file. If the BIG-IP ASM system is running as a standalone system, you can run the asmqkview script to generate an asm_snapshot file. The asm_snapshot file contains the configuration files that F5 Technical Support most frequently needs when troubleshooting a BIG-IP ASM issue. An asm_snapshot file is produced by the asmqkview utility. SOL135: Information required when opening a support case for BIG-IP LTM, AFM, GTM, Link Controller, and PEM F5 Technical Support can help resolve issues more quickly when you provide a full description of the issue and the details of your configuration. To help you gather all the required information, use the following guidelines to prepare for opening a case: General Information Provide the following information when you open a case with F5 Technical Support: A full description of the issue, including the following details: o The symptoms of the issue o The approximate time the issue first occurred o The number of times the issue has recurred o Any error output provided by the system o Steps to reproduce the issue o Any changes you made to the system before the issue first occurred o Any steps you have attempted to resolve the issue A description of the impact the issue is having on your site, using the following definitions: o Site Down All network traffic has ceased, causing a critical impact to your business. o Site at Risk Primary unit has failed resulting in no redundancy. Site is at risk of going down. o Performance Degraded Network traffic is partially functional causing some applications to be unreachable. o General Assistance Questions regarding configurations. Troubleshooting non-critical issue or request for product functionality that is not part of the current product feature set. The hours that you are available to work on the issue and any alternative contacts that can work on the issue if you are not available. Remote access information, if possible. Product specific information Collect the following information from the affected systems and provide the information when you open the case. A tech.out file contains the configuration files that F5 Technical Support most frequently needs when troubleshooting an issue. A tech.out file is produced by the qkview utility and the terms tech.out and qkview may be used interchangeably. The tech.out file contains the log files for the last day. If the issue has existed for more than a day, provide all the log files on the system by performing the following procedure: Page 45 of 91 1. Create a tar archive named logfiles.tar.gz in the /var/tmp directory which contains all the files in the /var/log directory, by typing the following command: # tar -czpf /var/tmp/logfiles.tar.gz /var/log/* Packet traces. If the issue involves the network, perform a packet trace while the issue is occurring and provide the packet trace when you open the case. UCS archive. If you cannot give F5 Technical Support remote access to your system, you must provide a UCS archive of the current configuration. Core files. Core files contain the contents of the system memory at the time a crash occurred. If the system has been configured to save core files, they will be located in /var/core directory (BIG-IP versions 9.3 and later). Provide any existing core files when you open the case. SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x) Purpose You want to verify the proper operation of your BIG-IP system by uploading the qkview diagnostic data to BIG-IP iHealth. You want to provide diagnostic data to F5 Technical Support to aid in troubleshooting an issue with a BIG-IP or Enterprise Manager system. Starting in BIG-IP 10.0.0, the qkview utility is an executable program that generates machine-readable (XML) diagnostic data from the BIG-IP or Enterprise Manager system and combines the data into a single compressed tar file. The diagnostic file can then be uploaded to BIG-IP iHealth, or given to F5 Technical Support to aid in troubleshooting. [root@asm:Active:Standalone] config # qkview Gathering System Diagnostics: Please wait ... Core files found are being included. Diagnostic information has been saved in: /var/tmp/asm.appdeliver.com.tgz Please send this file to F5 support. In BIG-IP 10.1.0 and later, you may also run qkview by using tmsh. [root@asm:Active:Standalone] config # tmsh run /util qkview Gathering System Diagnostics: Please wait ... Core files found are being included. Diagnostic information has been saved in: /var/tmp/asm.appdeliver.com.tgz Please send this file to F5 support. SOL13066: Information required when opening a support case for BIG-IP Analytics La misma informacion general y de Producto Específico que en SOL135. Severity Levels and Response Times listed in the WBT F5 Networks Technical Support Overview F5’s technical support centers are strategically located in Seattle and Spokane, Washington; Lowell, Massachussetts; London; Singapore; Tokyo and Beijing. Page 46 of 91 Severity Definitions When a case is opened, you, set the severity level for the issue. Site Down (Sev 1) denotes that hardware or software conditions on your F5 device are preventing the execution of critical business activities. The device will not power up or is not passing traffic. Site at Risk (Sev 2) cases denote that software or hardware conditions on your F5 device are preventing or significantly impairing high-level commerce or business activities. The device is in a degraded state that places your network or commerce at risk. A severity of performance degraded (Sev 3) denotes a degraded service or functionality for normal business or commerce activities. Network traffic through the device is causing some applications to be unreachable, or operate in a diminished capacity. Finally, General Assistance (Sev 4) issues pertain to questions regarding configuration “how-to’s,” troubleshooting non-critical issues, or a request for product functionality that is not part of the current product feature set. F5 Online Resources Ask F5 http://www.askf5.com Houses product manuals, release notes, how-to advice, known-issue resolutions, general solutions, policy documents, hot fix info, security advisories, firmware info, etc. F5 University http://university.f5.com Dev CentralIs a global user community that helps you get the most from F5 technologies; in addition, allows you to access blogs and forums on various F5 topics, receive TechTips and view podcasts. iHealth https://ihealth.f5.com 5.2 Assessing issue severity SUPPORT IT Your experience with F5 is just beginning when you purchase a product. F5’s support, training, certification, and consulting services are there to ensure you get the greatest value possible from your investment, immediately and long-term. Free self-service tools give you 24x7 access to a wealth of knowledge and technical support is on hand to help you fix issues fast. Whether it’s providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure you get the most from your F5 technology Guidelines and Policies Scope of Support Maintenance agreements: All F5 products come with a one-year manufacturer’s hardware warranty and a 90day software media warranty. Technical support is limited to F5 products with active support contracts. Contract support levels: Annual support agreements are available for Standard hours, which includes 5 x 10 Page 47 of 91 support, or Premium hours, which includes 7 x 24 support. Expedited RMA Services and Maintenance AddOn Packages are also available. iRules and iApps support: Standard and Premium support include iRules scripting language and F5 iApps template assistance. Standard iRules and iApps support provides basic troubleshooting help for customers with active Standard support maintenance contracts. In addition to Standard iRules and iApps support, Premium support includes validation, troubleshooting, and functional analysis of scripted iRules and iApps Templates. Installation: For comprehensive installation assistance, you can purchase on-site installation services through F5 Professional Services or your local authorized F5 reseller. F5 Technical Support does not provide remote installation services. Professional Services offerings: For assistance with planning, design, deployments, upgrades, migrations, optimization, and application verification, contact F5 Professional Services. A consultant will provide a SOW iRules OnDemand and Consulting OnDemand are available in North America only. 5.3 Assembling accurate problem description SOL2633: Instructions for submitting a support case to F5 (tema ya revisado) 5.4 F5 escalation method Working with F5 Support F5 Technical Support Remote technical support is available for all F5 customers with eligible support contracts. Annual support services can be purchased from your F5 authorized reseller. iRules Support iRules are officially supported by F5 through F5 Support Services only F5 will provide basic support for existing iRules o Check iRule syntax o Assist in troubleshooting iRules o Validate iRule logic against functional requirements to F5’s reasonable effort RAPID-RMA 4-Hour Onsite F5 customers can upgrade the RMA service levels on their existing Standard, Premium, or Premium Plus maintenance contract to 4-Hour onsite service for business-critical hardware. This option is only available to customers whose F5 products are deployed within the 4-Hour RMA availability area (i.e., no more than 50 miles from an F5 authorized RMA Depot). Customers outside of the 4-Hour RMA availability area have alternative options. 6.1 Network Map WBT Course LTM Essentials Module 2. Processing Traffic BIG-IP is a default deny device. Therefore, it is important to realize that without configuring a listener, such as a Virtual Server, BIG-IP processes NO client traffic. 6.2 Dashboard (v10.1) BIG-IP Dashboard: Cpu, Memory, Connections (Open, New, SSL, Combined View), Throughput (Throughput, Compression, Combined View) Monitoring the BIG-IP System Introducing the dashboard The BIG-IP system provides a dashboard that you can use to monitor overall system performance and performance of specific modules. The dashboard displays system statistics graphically, showing gauges and graphs, and you can view the same statistics in a table view. Information is updated every three seconds. Viewing BIG-IP system information Page 48 of 91 You can view CPU usage, memory usage, connection types, and throughput statistics for the BIG-IP system on the dashboard. (on V10.x) Overview -> Performance -> Dashboard (on V11.x) Statistics -> Dashboard Viewing statistics for other modules If you have licensed and provisioned other modules on the BIG-IP system that support the dashboard, you can view statistics specific to the module (for example, the WAN Optimization Module). 6.3 Review log files SOL13317: Configuring the level of information that syslog-ng sends to log files (11.x) You should consider using this procedure to change the level of information that the syslog-ng utility delivers to the BIG-IP log files. Page 49 of 91 The BIG-IP system uses the standard UNIX logging utility, syslog-ng, to deliver system messages to log files. You can configure the level of information that syslog-ng delivers to log files. Note: Log messages for events related to Traffic Management Microkernel (TMM) are controlled by the alertd process. Syslog-ng uses facilities and levels to describe system messages. Facilities describe the specific element of the system generating the message. Levels describe the severity of the message. Facilities The following facilities are available on the BIG-IP system. Each facility handles messages for specific elements of the system, as described in the following table: Facility Description Default log file local0 BIG-IP specific messages /var/log/ltm local1 EM specific messages APM specific messages /var/log/em /var/log/apm local2 GTM and Link Controller specific messages /var/log/gtm local3 ASM specific messages /var/log/asm local4 ITCM portal and server (iControl) specific messages /var/log/ltm local5 Packet Filtering specific messages /var/log/pktfilter local6 HTTPD specific messages /var/log/httpd/httpd_errors local7 Linux specific boot messages /var/log/boot.log cron Messages related to the cron daemon /var/log/cron daemon Messages related to system daemons (including named and ntpd) /var/log/daemon.log kern Kernel messages /var/log/kern.log mail Mail system messages /var/log/maillog auth User authentication messages that do not contain sensitive information /var/log/secure authpriv User authentication messages that contain sensitive information /var/log/secure ftp Unused, messages for FTP are reported under daemon N/A lpr Unused, printing support is not provided N/A mark A facility that produces time-stamps at regular intervals N/A news Unused, news server support is not provided N/A ntp Unused, messages for ntpd are reported under daemon N/A user Messages related to user processes /var/log/user.log uucp Unused None Levels The following levels are available for each facility, as described in the following table. The facilities are listed in order of the severity of the messages they handle. Generally, higher levels contain all the messages for lower levels. For example, the alert level will generally also report all messages from the emerg level; and the debug level will generally also report all messages for all levels. Level Description Verbosity emerg Emergency system panic messages Minimum alert Serious errors that require administrator intervention Low crit Critical errors, including hardware and filesystem failures Low err Non-critical, but possibly very important, error messages Low warning Warning messages that should at least be logged for review Medium notice Messages that contain useful information, but may be ignored Medium info Messages that contain useful information, but may be ignored High debug Messages that are only necessary for troubleshooting Maximum Page 50 of 91 Displaying the level of information that syslog-ng sends to log files [root@training:Active:Standalone] config # tmsh list /sys syslog all-properties sys syslog { auth-priv-from notice auth-priv-to emerg console-log enabled cron-from warning cron-to emerg daemon-from notice daemon-to emerg description none include none iso-date disabled kern-from notice kern-to emerg local6-from notice local6-to emerg mail-from notice mail-to emerg messages-from notice messages-to warning remote-servers none user-log-from notice user-log-to emerg } Configuring the level of information that syslog-ng sends to log file [root@training:Active:Standalone] config # tmsh modify /sys syslog auth-priv-from warning [root@training:Active:Standalone] config # tmsh save /sys config /var/run/config/syslog-ng.conf 6.4 iApps Analytics Setting Up Application Statistics Collection What is Analytics? Analytics (also called Application Visibility and Reporting) is a module on the BIG-IP system that lets you analyze performance of web applications. It provides detailed metrics such as transactions per second, server and client latency, request and response throughput, and sessions. You can view metrics for applications, virtual servers, pool members, URLs, specific countries, and additional detailed statistics about application traffic running through the BIG-IP system. The Analytics module also provides remote logging capabilities so that your company can consolidate statistics gathered from multiple BIG-IP appliances onto syslog servers or SIEM devices, such as Splunk. About Analytics profiles An Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application. The BIG-IP system includes a default Analytics profile called analytics. It is a minimal profile that internally logs application statistics for server latency, throughput, response codes, and methods. You can create custom Analytics profiles for each application if you want to track different data for each one. Overview: Setting up application statistics collection You can collect application statistics for one or more virtual servers or for an iApps application service. If virtual servers are already configured, you can specify them when setting up statistics collection. If you want to collect statistics for an iApps application service, you should first set up statistics collection, creating an Analytics profile, and then create the application service. Page 51 of 91 The system can send alerts regarding the statistics when thresholds are exceeded, and when they cross back into the normal range. You can customize the threshold values for transactions per second, latency, page load time, and throughput. Setting up local application statistics collection You need to provision the Application Visibility and Reporting (AVR) module: System > Resource Provisioning; before you can set up local application statistics collection. You must have Adobe Flash Player installed on the computer where you plan to view Analytics statistics. You can configure the BIG-IP system to collect specific application statistics locally. 1. On the Main tab, click Local Traffic > Profiles > Analytics. The Analytics screen opens and lists all Analytics profiles that are on the system, including a default profile called analytics. 2. Click Create. For the Statistics Logging Type setting, verify that Internal is selected. Selecting Internal causes the system to store statistics locally, and you can view the charts on the system by clicking Overview > Statistics > Analytics. 3. Review the Transaction Sampling Ratio value and consider it if suits the networking environment, a higher sampling rate (such as 1 of every 99) is less precise but requires fewer resources. If you need to change the value, you can do it later by editing the default analytics profile. 4. In the Included Objects area, specify the virtual servers for which to capture performance statistics. Note: You need to have previously configured the virtual servers (with an HTTP profile) for them to appear in the list. 5. In the Statistics Gathering Configuration, for Collected Metrics, select the statistics you want the system to collect: Server Latency, Page Load Time, Throughput, User Sessions. 6. For Collected Entities, select the entities for which you want the system to collect statistics: URLs, Countries, Client IP Addresses, Response Codes, User Agents, Methods. 7. In the Capture Filter area, adjust the settings to specify criteria to determine what application traffic to capture. If you want to monitor statistics for an iApps application, create the iApps application service, enable Analytics on the template, and specify the Analytics profile you just created. The BIG-IP system then collects statistics for the application service, and the application name appears in the Analytics charts. Setting up remote application statistics collection You need to provision the Application Visibility and Reporting (AVR) module: System > Resource Provisioning before you can set up remote application statistics collection. You also need the IP address and port number for the remote logging server. 1. On the Main tab, click Local Traffic > Profiles > Analytics. The Analytics screen opens and lists all Analytics profiles that are on the system, including a default profile called analytics. 2. Click Create. 3. To the right of the General Configuration area, click the Custom check box. The settings in the area become available for modification. 4. For the Statistics Logging Type setting, click External. 5. For the Remote Server IP Address field, type the IP address of the external logging server. 6. For the Remote Server Port field, type the port used for the external logging server. 7. From the Remote Server Facility list, select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7. 8. In the Included Objects area, specify the virtual servers for which to capture performance statistics. 9. In the Statistics Gathering Configuration, for Collected Metrics, select the statistics you want the system to collect: Server Latency, Page Load Time, Throughput, User Sessions. 10. For Collected Entities, select the entities for which you want the system to collect statistics: URLs, Countries, Client IP Addresses, Response Codes, User Agents, Methods. 11. In the Capture Filter area, adjust the settings to specify criteria to determine what application traffic to capture. Page 52 of 91 Page 53 of 91 Configuring application performance alerts Before you can configure the system to send alerts concerning statistics, you need to have created an Analytics profile to collect application statistics locally. You can configure the BIG-IP system to send alerts concerning local application statistics based on threshold values that you set. The system sends notifications when threshold values are breached, and when they return to normal. Therefore, it is a good idea to get familiar with the typical statistics for the web application before attempting to set up alerts and notifications. When you understand the typical values, you can configure the system to alert you of limiting system situations, such as system overload. 1. On the Main tab, click Local Traffic > Profiles > Analytics. 2. Click the name of a previously created Analytics profile, or create a new one. 3. For the Statistics Logging Type, ensure that the Internal check box is selected. 4. For the Notification Type setting, select the appropriate check boxes to determine the type of notification and where you want to receive it To Send Alerts Like This Local BIG-IP syslog (System > file. Logs > Local Traffic) Remote syslog server server on SNMP traps sent to an external after you SNMP receiver Do This Select Syslog. The alerts are logged in the /var/log/ltm Select Syslog. You must configure the remote syslog the BIG-IP system. Select SNMP. If you need to configure SNMP, wait until finish creating alerts. The system selects both Syslog and SNMP. E-mail Select E-mail. The system selects Syslog, SNMP, and E-mail. To send email alerts, you need to configure the BIG-IP system to communicate with a mail exchange server. 5. In the Alerts and Notifications Configuration area, for the Add New Rule setting, define the rules that determine when the system sends alerts. Note that you cannot add overlapping rules, for example, two rules that request an alert when average TPS is above 100 and 50 for 200 seconds. a) For Alert when, select the condition under which you want to send an alert. b) Select below or above, type an integer that represents the threshold value, and type the number of seconds (an integer) that the rule has to apply. c) Select the granularity level to which the threshold applies: traffic sent to an Application, a Virtual Server, or a Pool Member. d) Click Add. The rule is added to the list of Active Rules. Continue to add as many rules as you want to specify conditions under which you want to be alerted. 6. Click Update. 7. If SNMP is not configured on the BIG-IP system and you want to send SNMP traps or e-mail notifications, configure it now: a) In the General Configuration area, for the Notification Type setting, next to SNMP, click the link. The SNMP Traps Destination screen opens. b) Click Create. c) Configure the version, community name, destination IP address, and port. d) Click Finished. Based on the rules you configured and the notification type, the system sends an alert when thresholds are breached and when they cross back from the threshold. Examining Application Statistics Before you can look at the application statistics, you need to have created an Analytics profile so that the system is capturing the application statistics internally on the BIG-IP system. You must associate the Analytics profile with one or more virtual servers (in the Analytics profile or in the virtual server). If you created an iApp application service, the template provided allows you to associate the virtual server. To view Page 54 of 91 Analytics statistics properly, Adobe Flash Player must be installed on the computer where you plan to view them. The system recalculates the Analytics statistics and updates the data every five minutes. Continue to review the collected metrics on the system viewing transactions, latency, throughput, and sessions. As a result, you will get more familiar with the system, applications, resource utilization, and more, and you can view the statistics in clear graphical charts, and troubleshoot the system as needed. Investigating Server Latency Issues Before you can investigate server latency, you need to have created an Analytics profile that is logging statistics internally on the BIG-IP system. In the profile, the statistics gathering configuration must have Server Latency selected as one of the collected metrics. The Analytics profile must be associated with one or more virtual servers, or an iApps application service. To view Analytics statistics properly, Adobe Flash Player must be installed on the computer where you plan to view them. You can review statistics concerning server latency on the Analytics charts. Server latency is how long it takes (in milliseconds ) from the time a request reaches the BIG-IP system, for it to proceed to the web application server, and return a response to the BIG-IP system. 1. On the Main tab, click Statistics > Analytics. The Analytics Overview screen opens and shows a summary of the most active application traffic, such as the top URLs, top virtual servers, top pool members, top response codes, and top countries in recent times. Settings in the associated Analytics profile govern what you see on this screen. 2. From the Latency menu, click Server Latency. A chart shows the server latency for all applications and virtual servers associated with all Analytics profiles. 3. If further investigation is needed, in the View By setting, select other entities to view charts that show latency for other collected entities included in the Analytics profile, for example, specific pool members, URLs, countries, or client IP addresses. Viewing Application Page Load Times Note: The system can collect page load times only for clients using browsers that meet the following requirements: • Supports Navigation Timing by W3C • Accepts cookies from visited application sites • Enables JavaScript for the visited application sites Before you can view application page load times, you need to have created an Analytics profile that is logging statistics internally on the BIG-IP system. In the profile, the statistics-gathering configuration must have Page Load Time selected as one of the collected metrics. The Analytics profile also needs to be associated with one or more virtual servers, or an iApps application service. You can view page load times on the Analytics charts. Page load time is how long (in milliseconds) it takes from the time an end user makes a request, until the web page response from the application server finishes loading on the end user's system. 1. On the Main tab, click Statistics > Analytics. 2. From the Latency menu, choose Page Load Time. Charts show the average page load times in milliseconds for all applications and virtual servers associated with all Analytics profiles. 3. To view page load time for a specific virtual server: a) Click Expand Advanced Filters. b) For Virtual Servers choose Custom. c) Click Add and select the virtual server whose page load times you want to view. The charts show page load times for the selected virtual server. Troubleshooting Applications by Capturing Traffic Capturing traffic for troubleshooting You can configure the BIG-IP system to capture application traffic locally or remotely (on syslog servers or SIEM devices, such as Splunk). To do this, you create an Analytics profile designed for capturing traffic. The profile instructs the BIG-IP system to collect a portion of application traffic using the Application Visibility and Reporting module. Page 55 of 91 1. On the Main tab, click Local Traffic > Profiles > Analytics. 2. Click Create. 3. In the Capture Filter area, from the Capture Requests and Capture Responses lists, select the options that indicate the part of the traffic to capture. Option Description None Specifies that the system does not capture request (or response) data. Headers Specifies that the system captures request (or response) header data only. Body Specifies that the system captures the body of requests (or responses) only. All Specifies that the system captures all request (or response) data. 4. Depending on the application, customize the remaining filter settings to capture the portion of traffic to use for troubleshooting. The BIG-IP system captures the application traffic described by the Analytics profile for 1000 transactions (or until system limits are reached). Note: System performance is affected when traffic is being captured. Page 56 of 91 7.1 Create and restore a UCS archive under the appropriate circumstances Manual Chapter: Creating and Managing Archives (10.x) What is an archive? Before you replace a version of the BIG-IP system with a newer version, you should always create an archive, which is a backup copy of the configuration data. This archive is in the form of a user configuration set, or UCS. Then, if you need to recover that data later, you can restore the data from the archive that you created. A UCS contains the following types of BIG-IP system configuration data: System-specific configuration files Product licenses User accounts and password information Domain Name Service (DNS) zone files Installed SSL keys and certificates Important: To create, delete, upload, or download an archive, you must have either the Administrator or Resource Administrator role assigned to your user account. By default, the system stores all archives in the directory /var/local/ucs. You can specify a different location, but in this case, the Configuration utility does not display the UCS files when you view the list of archives Important: Any UCS file that you create includes the host name of the BIG-IP system as part of the data stored in that file. When you later specify this UCS file during the process of restoring configuration data to a BIG-IP system, the host name stored in this UCS file must match the host name of the system to which you are restoring the configuration data. Otherwise, the system does not fully restore the data. Important: If your configuration data includes SSL keys and certificates, be sure to store the archive file in a secure environment. Note, too, that when you synchronize configuration data for a redundant system, the BIG-IP system automatically creates a backup archive, named cs_backup.ucs, immediately prior to performing the synchronization. This ensures that you always have a copy of the most recent configuration data in the event that a system event occurs during the synchronization process. Managing archives You can create, store, and access archives, on both the BIG-IP system and a remote system. You can also view any existing archive files and their properties, as well as delete archives that you no longer need. Specifically, you can use the Configuration utility to: View a list of existing archives Create a new archive and save it on the BIG-IP system View the properties of an existing archive Restore data from a BIG-IP system archive Download a copy of an archive to another system Upload a copy of an archive that you previously saved to another system Delete an existing archive from the BIG-IP system Viewing archive properties Using the Configuration utility, you can view the properties of an archive that you previously created. Note that you cannot modify the properties of an archive. If you want to modify an archive, you must delete the archive you want to change and then create a new one. The properties of an archive that you can view are: The name of the archive, The version of the BIG-IP system on which the archive was created, The encryption state of the archive, The date that the archive was created, The size of the archive, in kilobytes. Restoring data from a BIG-IP system archive In the unlikely event that the BIG-IP system configuration data becomes corrupted, you can restore the data from the archive that is currently stored in the directory /var/local/ucs. If no archive exists in that directory, then you cannot restore configuration data. Page 57 of 91 Manual Chapter: Archives (11.2.x) On any BIG-IP system, you have a set of data that you created when you initially configured the system, using the Setup utility and the Configuration utility or tmsh. This data consists of traffic management elements such as virtual servers, pools, and profiles. Configuration data also consists of system and network definitions such as interface properties, self IP addresses, VLANs, and more. Once you have created the configuration data for the BIG-IP system, you can replicate all of this set of data in a separate file. You can then use this replicated data later, for these reasons: As an archive for disaster recovery Using the Archives feature, you can back up the current configuration data, and if necessary, restore the data at a later time. We highly recommend that you use this feature to mitigate the potential loss of BIG-IP system configuration data. To create an archive, you can use the Configuration utility, which stores the configuration data in a special file known as a user configuration set, or UCS file. You can then use the UCS file to recover from any loss of data, in the unlikely event that you need to do so. For more information about creating and managing archives, see the remainder of this chapter. As a way to propagate data to other systems Using the single configuration file feature, you can easily and quickly propagate the exact configuration of the BIG-IP system to other BIG-IP systems. To create a single configuration file, you export the configuration data to a special file known as an .scf file. You can then use the .scf file to configure another system in one simple operation. To configure and manage archives, log in to the BIG-IP Configuration utility, and on the Main tab, expand System, and click Archives. SOL4423: Overview of UCS archives Exceptions to UCS archive file on VIPRION systems The BIG-IP VIPRION system is unique among BIG-IP hardware because it allows you to combine all blades within the chassis to increase processing ability. This functionality, referred to as clustering, is unique and is written to a special file in the /shared/db directory called cluster.conf. Additionally, the system saves a copy as cluster.conf.<chassis SN>, where <chassis SN> is the unique serial number of the chassis. The blade maintains the *.<chassis SN> files and copies them to cluster.conf when the blade starts in a chassis that it has encountered before. The cluster.conf file consists of each blade's copy of the cluster configuration. The file contains the management addresses for the cluster and for each blade within the cluster, as well as other cluster-specific information. Since this information is specific and unique to the chassis, the information is not included within a UCS archive. If you load a UCS archive, the archive does not overwrite the current cluster.conf file and does not restore a previous cluster configuration. If you reconfigure the cluster, you must manually rebuild the cluster.conf file in the following circumstances: A blade starts as the primary blade in the chassis, and the cluster.conf file does not contain the serial number of the chassis. You have replaced the chassis. (The chassis serial number must match the chassis serial number in the cluster.conf file.) Viewing the list of files saved within a UCS archive To view the files that have been saved in a UCS archive, use the following command syntax: # tar -ztf backup_file_bigip1.ucs Viewing the contents of a file saved within a UCS archive To view a single file from a UCS archive on a terminal screen (standard output) # tar –zxOf myconfig.ucs config/bigip.conf Extracting files from the UCS archive # tar -zxf myconfig.ucs config/bigip.conf This command extracts the files and puts them in the current directory. It creates a subdirectory to match the directory in which the configuration file is normally stored. For example, if you extract config/bigip.conf, a config directory is created. # tar -zxf myconfig.ucs Page 58 of 91 This command extracts the files and puts them in the current directory. It creates subdirectories to match the directories in which the configuration files are normally stored. For example, a config directory is created and contains all the files that are normally contained in the /config directory. SOL13132: Backing up and restoring BIG-IP configuration files (11.x) Licensing The BIG-IP license is associated with a specific hardware serial number. The UCS archive contains the license of the file from which the configuration was saved. To successfully install a UCS archive file on a BIGIP system, you must perform one of the following actions: Restore the UCS archive to the same system from which it was saved. Have the license associated with the serial number of a new system. To do so, contact F5 Technical Support. Note: F5 Technical Support will associate a license file with a new serial number only on an asneeded basis, in the event of a Return Materials Authorization (RMA). Relicense the BIG-IP system after restoring the UCS archive. Save the license file prior to restoring the configuration from another system, and then copy the license file back. Install the UCS archive by using the tmsh no-license option. SSL private keys with passphrases If you are restoring on a new system, a UCS archive that includes SSL private keys with encrypted passphrases cannot be decrypted by the new system. This format is an intentional security measure. If you are restoring a backup that contains SSL private key passphrases after reinstalling the operating system, replacing a failed system with a new system, or otherwise moving an existing configuration to a new system, the encrypted passphrases for SSL private keys used in the configuration cannot be decrypted. An error message similar to the following example appears: BIGpipe client SSL profile creation error: 01070937:3: Master Key decrypt failure - decrypt failure If you receive this error message when installing the UCS archive, refer to SOL9420: Installing a UCS file containing an encrypted passphrase before proceeding. vCMP considerations For a Virtual Clustered Multiprocessing (vCMP) host, the UCS configuration archive contains only the necessary files that are required to restore the vCMP host configuration, but does not include the vCMP guest virtual disk. For a vCMP guest, the UCS configuration archive contains all of the files that are specific to the vCMP guest, including the configuration files, local user accounts, and SSL certificate and key pairs. Backing up your BIG-IP system configuration (XUI) Optional: If you want to encrypt the UCS archive file, from the Encryption menu, select Enabled and enter a passphrase. You must supply the passphrase to restore the encrypted UCS archive file. Optional: If you want to exclude SSL private keys from the UCS archive, from the Private Keys menu, select Exclude. (CLI) [root@training:Active] config # tmsh save /sys ucs /var/tmp/MiRespaldo.ucs Saving active configuration... /var/tmp/MiRespaldo.ucs is saved. [root@training:Active] config # tmsh save /sys ucs /var/tmp/MiRespaldoSeguro.ucs passphrase 123456 Saving active configuration... /var/tmp/MiRespaldoSeguro.ucs is saved. [root@training:Active] config # tmsh save /sys ucs /var/tmp/MiRespaldoSinSSLkeys.ucs noprivate-key Saving active configuration... /var/tmp/MiRespaldoSinSSLkeys.ucs is saved. Please note that UCS files saved with the no-private-key option may load with validation errors. [root@training:Active] config # ls -l /var/tmp/MiR* -rw-r--r-- 1 root root 4187980 Sep 9 11:46 /var/tmp/MiRespaldoSeguro.ucs Page 59 of 91 -rw-r--r-- 1 root root 3089464 Sep -rw-r--r-- 1 root root 3092349 Sep 9 11:47 /var/tmp/MiRespaldoSinSSLkeys.ucs 9 11:45 /var/tmp/MiRespaldo.ucs Restoring your BIG-IP system configuration (XUI) Click System. -> Archives. Click the name of the UCS archive you want to restore. If the UCS archive is encrypted, type the passphrase for the encrypted UCS archive file in the Restore Passphrase field. If the UCS archive is not encrypted, you can skip this step. To initiate the UCS archive restore process, click Restore. After relicensing the system, restart the system to ensure that the configuration is fully loaded. To restart the system, navigate to System > Configuration, and then click Reboot. (CLI) [root@training:Active] config # tmsh load /sys ucs /var/tmp/MiRespaldoSeguro.ucs Saving active configuration... Current configuration backed up to /var/local/ucs/cs_backup.ucs. Product : BIG-IP Platform: Mercury Version : 11.2.0 Hostname: training.appdelivery.com Installing --full-- configuration on host training.appdelivery.com Installing configuration... Installing the license file... Post-processing... Reloading License and configuration - this may take a few minutes... Full configuration has been loaded successfully. /var/tmp/MiRespaldoSeguro.ucs is loaded. If you are running BIG-IP on a 6400, 6800, 8400, or 8800 hardware platform, type the following command to switch to the bash shell: (tmsh) # run /util bash Type the following command to verify that the new or replaced secure shell (SSH) keys from the UCS file are synchronized between the BIG-IP system and the Switch Card Control Processor (SCCP): (tmsh) # keyswap.sh sccp Type the following command to switch back to tmsh: (tmsh) # exit [root@training:Active:Standalone] config # reboot Restoring configuration data on a replacement RMA unit F5 recommends that you use the following procedure when you restore the archive on a different device than the system on which the backup was created, such as an RMA system. If you do not use this procedure when restoring the archive on a different device, the configuration load may fail and the mcpd process generates an error message that appears similar to the following example to both stdout and the /var/log/ltm file: mcpd[2395]: 01070608:0: License is not operational(expired or digital signature does not match contents) [root@training:Active] license config # tmsh load /sys ucs /var/tmp/MiRespaldoSeguro.ucs no- Restoring UCS archives on BIG-IP systems running later software versions F5 recommends that the BIG-IP system run the same version of the BIG-IP software from which it was backed up. However, in some cases, it is possible to restore a UCS archive that was obtained from an earlier software version on a target BIG-IP system running a later software version. For example, if you saved a UCS archive on a system running BIG-IP 10.2.3, it is possible to restore the version BIG-IP 10.2.3 archive file on a BIG-IP system running 11.x. To restore a UCS archive on a BIG-IP system running a later software version, perform the following procedure: 1. Verify that a supported upgrade path exists between the software version from which the UCS archive was obtained and the software version running on the target system. For example, there is a supported upgrade path between BIG-IP 10.x and BIG-IP 11.x. As a result, you can successfully restore a BIG-IP 10.x UCS archive file on a BIG-IP system running 11.x. Page 60 of 91 However, there is no supported upgrade path between BIG-IP 9.x and BIG-IP 11.x. As a result, you cannot restore a BIG-IP 9.x UCS archive file on a BIG-IP system running 11.x. 2. Manually copy the UCS archive file to the /var/local/ucs/ directory on the target system. 3. Restore the UCS archive on the BIG-IP system: o If you are restoring the archive on a different device than the system on which the backup was created, follow the Restoring configuration data on a replacement RMA unit procedure. o If you are restoring the archive on a different device than the system on which the backup was created, follow the Restoring configuration data from the command line by using the tmsh utility procedure. SOL11318: Backing up and restoring BIG-IP configuration files (10.x) Backing up configuration data from the command line using the bigpipe utility # bigpipe config save respaldo1.ucs [passphrase 123456] Important: If a file by the same name already exists, the system overwrites the existing file without warning. Note: F5 recommends that you include the BIG-IP hostname and current timestamp as part of the filename for ease of identification. Restoring configuration data from the command line using the bigpipe utility # # # # cp /config/bigip.license /var/tmp bigpipe config install respaldo1.ucs keyswap.sh sccp {If you are running BIG-IP on a 1500, 3400, 4100, 6400, 6800, or 8400 hardware Platform} reboot Important: If you are restoring the backup on a different device from the system where the backup was created, such as an RMA system, the configuration load may fail with a license error. As a result, a BigDB.dat load error message that appears similar to the following example displays: mcpd[2395]: 01070608:0: License is not operational(expired or digital signature does not match contents). Loading the new /config/BigDB.dat failed. 01080023:3: Error return while getting reply from mcpd: 0x1070370, 01070370:3: Failover (redundant mode) is not licensed. After updating your local /config/BigDB.dat.cs license, run loaddb - The previous error message is expected, and is corrected by re-licensing the system later in the procedure. Restoring configuration data on a replacement RMA unit (BIG-IP 10.1.0 or later) # tmsh (TMSH) # load /sys ucs /var/tmp/MiRespaldo.ucs rma (TMSH) # run /util bash {If you are running BIG-IP on a 6400, 6800, 8400, or 8800 hardware platform} # keyswap.sh sccp # exit # reboot Restoring UCS archives obtained from an earlier software version onto BIG-IP systems running later software versions F5 recommends that the BIG-IP system runs the same version of the BIG-IP software from which it was backed up. However, in some cases it is possible to restore a UCS archive that was obtained from an earlier software version on a target BIG-IP system that is running a later software version. For example, if you saved a UCS archive on a system running BIG-IP 9.4.8, it is possible to restore the archive file on a BIG-IP system running version 10.x. To restore a UCS archive on a BIG-IP system running a later software version, perform the following procedure: 1. Verify that a supported upgrade path exists between the software version from which the UCS archive was obtained and the software version running on the target system. For example, there is a supported upgrade path between BIG-IP 9.4.x and 10.x. As a result, you can successfully restore a BIG-IP 9.4.x UCS archive file on a BIG-IP system running version 10.x. However, there is no supported upgrade path between BIG-IP 9.2.x and 10.x. As a result, you cannot restore a BIG-IP 9.2.x UCS archive file on a BIG-IP system running version 10.x. 2. Manually copy the UCS archive file to the /var/local/ucs/ directory on the target system. 3. Restore the UCS archive file using the bigpipe utility, by typing the following command, replacing <filename> with the name of your UCS archive file: # bigpipe config install all <filename> Page 61 of 91 4. Reboot the system. SOL3499: Backing up and restoring BIG-IP 9.x configuration files Backing up configuration data from the command line # bigpipe config save <filename> # bigpipe config save <filename> passphrase <passphrase> Restoring the configuration data for a system that is currently running system software a. # cp /config/bigip.license /var/tmp b. Copy the UCS archive file you want to restore to the BIG-IP filesystem. c. Set the host name of the system to match the host name of the system where the UCS archive was created, by typing one of the following commands: BIG-IP system 9.4.2 and later: bigpipe system hostname <hostname> BIG-IP system 9.4.1 and earlier: hostname <hostname> d. Restore the configuration from the UCS archive by typing the following command # bigpipe config install <filename> e. If you are running BIG-IP 9.x software on a 1500, 3400, 4100, 6400, 6800, or 8400 hardware platform # keyswap.sh sccp f. # reboot g. Relicense the system. h. Finish loading the BigDB.dat information # loaddb -local /config/BigDB.dat.cs i. Synchronize the BIG-IP system clock with the restored time zone configuration # tw_activate_keys ntp.timezone SOL13136: The UCS configuration archive cannot be restored on a platform other than the one on which the archive was created (v11.0) You cannot restore the UCS configuration archive on a platform other than the one on which you created the archive. This issue occurs when the following condition is met: You attempt to restore a UCS configuration archive on a different BIG-IP platform than the one on which the archive was created. For example, you attempt to restore a UCS archive on a BIG-IP 8900 platform that was created on a BIG-IP 1600 platform. The BIG-IP system reports a message in the status page when you attempt to perform the restoration from the Configuration utility or from the tmsh shell. The message appears similar to the following example: ERROR: The platform on the system is different from the platform in the UCS. Can't install the UCS. Workaround Impact of workaround: None To work around this issue, you can disable the platform check by modifying the UCS installation Perl script. To do so, perform the following procedure: 1. 2. 3. 4. 5. Log in to the command line. Back up a copy of the UCS installation /usr/local/bin/install_ucs.pm Perl script by typing the following command: # cp -p /usr/local/bin/install_ucs.pm /var/tmp/install_ucs.pm.sol13136 Remount the /usr filesystem in read-write mode by typing the following command: # mount -o remount,rw /usr Edit the /usr/local/bin/install_ucs.pm file using a text editor of your choice. Locate the following line: &Exit(1, "ERROR: The platform on the system is different from the platform in the UCS. Can't install the UCS.\n"); 6. Comment out the line by inserting a # in front of the line, as shown in the following example: #&Exit(1, "ERROR: The platform on the system is different from the platform in the UCS. Can't install the UCS.\n"); 7. 8. Save the modifications and exit the text editor. Remount the /usr filesystem in read-only mode by typing the following command: # mount -o remount,ro /usr SOL9420: Installing a UCS file containing an encrypted passphrase Page 62 of 91 Beginning in BIG-IP LTM 9.4.5, passphrases for SSL private keys are stored in the configuration file in encrypted form. The BIG-IP system uses a hardware-key encrypted master SSL key to encrypt and decrypt SSL key passphrases in the configuration file. When attempting to install a UCS file containing encrypted SSL passphrases on a system with a different master key, such as restoring the configuration after reinstalling the operating system, replacing a failed system with a new system, or otherwise moving an existing configuration to a new system, the passphrases cannot be decrypted with the new key, and the system generates a message that appears similar to one of the following examples: 0107102b:3: Master Key decrypt failure - decrypt failure - final BIGpipe client SSL profile creation error: 01070937:3: Master Key decrypt failure - decrypt failure Since the original master key used to encrypt the passphrase does not exist on the system, the encrypted passphrase cannot be decrypted. This is an intentional design decision that follows security best practices regarding SSL private key management. When replacing one system of a failover pair, instead of restoring the configuration by installing the UCS archive, F5 recommends that you configure basic networking on the replacement unit and synchronize the configuration from its peer. Since the master key is shared between units of a redundant pair, the configuration synchronization process will synchronize the original master key to the newly-installed device. If you cannot synchronize the original master key to the new system from its peer, but you know the original unencrypted passphrases, you can install the UCS file to restore the configuration, modify the affected SSL profiles to replace the encrypted passphrases with the unencrypted versions, and save the resulting configuration. Note: Saving the configuration automatically re-encrypts any configured passphrases prior to saving them in the configuration file. Recovering a restored UCS archive that contained SSL private key passphrases (If you know the passphrases for your SSL private keys) If you know the passphrases for your SSL private keys, you can recover a restored UCS archive that contained SSL key passphrases. To do so, perform one of the following two procedures: BIG-IP 11.x {10.x} 1. After restoring the UCS file, open the /config/bigip.conf file with a text editor. 2. Edit each SSL profile containing an SSL private key passphrase, replacing each encrypted passphrase with the unencrypted version. 3. To load the new configuration into memory, type the following command: tmsh load /sys config {bigpipe load} 4. To save the running configuration with the encrypted passphrases in the bigip.conf file, type the following command: tmsh save /sys config {bigpipe save} Recovering a restored UCS archive that contained SSL private key passphrases (If you do not know the passphrases for your SSL private keys) BIG-IP 11.x If you do not know the original unencrypted passphrases for your SSL private keys, you can manually copy the master key from the peer system, and then install the UCS file to restore the configuration. To do so, refer to the following procedure: 1. Log in to the peer BIG-IP system command line. 2. From the active peer BIG-IP system, obtain the master key by entering the following command: # f5mku -K The command output appears similar to the following example: oruIVCHfmVBnwGaSR/+MAA== 3. Copy the output. Note: The output is the master key that you will install on the RMA BIG-IP system. 4. Log in to the RMA BIG-IP system command line. 5. Install the master key that you copied in Step 3 to the RMA BIG-IP system by entering the following command: Page 63 of 91 6. 7. 8. 9. # f5mku -r <key_value> For example: # f5mku -r oruIVCHfmVBnwGaSR/+MAA== Restore the UCS file to the RMA BIG-IP system by entering the following command: # tmsh load sys ucs <filename>.ucs Verify that the master key is the same on the active peer BIG-IP system and the RMA BIG-IP system by entering the following command from the command lines of both systems: # f5mku -K To save and load the configuration, and to ensure no errors, enter the following commands from the RMA BIG-IP system command line: tmsh save /sys config tmsh load /sys config Set the active peer BIG-IP system as the sync leader by entering the following command: tmsh modify cm device-group <device_group> devices modify { <Active peer BIG-IP> { set-sync-leader } } In this command, note the following: o <device_group> is the name of the device group for the active peer system and the RMA BIG-IP system o <Active peer BIG-IP> is the hostname of the active peer BIG-IP system 10. To sync the configuration to the RMA BIG-IP system, enter the following command from the active peer BIG-IP system command line: # tmsh run cm config-sync to-group <device_group> Note: This command can take up to a full minute to initialize the new configuration on the RMA device. 11. Verify the sync status by entering the following command: # tmsh show cm sync-status Manual Chapter: Preparing the System for Installation (10.x) Summarizing 10.x installation and upgrade All BIG-IP systems include the local traffic management components. You can also obtain the following optional modules: Global Traffic Manager, Link Controller, Application Security Manager, Protocol Security Module, WebAccelerator system, and WAN Optimization Module. The license you have determines which modules you can use. Warning: If the system you plan to upgrade has WAN Optimization Module, WebAccelerator, or Application Security Manager already provisioned or if you have a number of volumes with software installed, you might experience an upgrade failure due to insufficient space. Before you proceed, set the module provisioning to Minimal, or remove unneeded volumes and reboot the system. After installation is complete, you can set the provisioning back to its original setting. If the alternate network is present on the LAN, 192.168.245.0/24, or if the node address 192.168.1.245 is in use, then the BIG-IP software assigns the alternate IP address 192.168.245.245 to the management interface instead. Activating the software license To install new versions of BIG-IP system software, you must have an active and updated license. An active and updated license contains a valid service check date for the system software release you plan to install and run. During installation and initialization, the system verifies the software release check date in the software against the service check date in the license file on your system. To activate the license for the system, you must have a base registration key. The base registration key is a 27character string that lets the license server know which F5 products you are entitled to license. The base registration key is preinstalled on your system. Performing optional tasks If you have a BIG-IP system that is already configured with elements such as profiles and monitors, self IP addresses, VLANs, and so on, you can preserve that configuration when you install or upgrade. This is called rolling forward a configuration. When you install, the system uses the previously archived user configuration set (UCS) file in the /var/local/ucs directory on the source installation location to update the configuration on the installation destination. Page 64 of 91 Understanding configuration file differences BIG-IP system software has a feature called the single configuration file (SCF). A single configuration file (SCF) is a flat, text file that contains a series of bigpipe commands, and the attributes and values of those commands, that reflect the entire configuration of one BIG-IP system. Specifically, the SCF contains the local traffic management and operating system configuration of the BIG-IP system. An SCF is useful when you want to transfer a configuration from one BIG-IP system to another. Typically, this involves using the bigpipe export command to create an SCF of one systems configuration, and then using the bigpipe import command to install the configuration on another system. In this way, you can propagate the exact configuration of one BIG-IP system to other BIG-IP systems. The SCF file is not the same as the user configuration set (UCS) archive. A UCS archive is a compressed file that contains all the configuration files (*.conf) that make up a single systems configuration. You use the SCF strictly to manually transfer configuration information to new or different BIG-IP hardware. You create a UCS for archival purposes, and to preserve a configuration for software upgrade. Copying the configuration You can use the cpcfg utility to copy the running configuration from one installation location to another. This is a quick way to update an offline location to the latest configuration, and is useful when applying hotfixes, where the configuration and license are not applied to the target. The operation replaces the configuration on the target. The destination for the copy operation must represent an installation location that is not currently active, and that contains a configuration older than the source. To copy the running configuration 1.On the source, log on to the command line using an account with administrative permissions. 2.Type the following command: # cpcfg source=<source> <destination> If you do not specify a source, the operation uses the configuration from the active installation location. For example, to copy the active configuration from HD1.3 to HD1.1, if you are logged on to HD1.3, you run the following command: # cpcfg HD1.1 SOL13294: Installing a UCS configuration archive now restores the full configuration (v11.x) Old Behavior Prior to BIG-IP 11.0.0, the BIG-IP system restored the configuration either in full or only partially, depending on the host name of the unit on which you installed the UCS configuration archive. If the host name of the unit matches the host name stored in the UCS archive, the BIG-IP system restores the full configuration, including self IP addresses and VLANs. If the host name of the unit does not match the host name stored in the UCS archive, the BIG-IP system restores only the shared configuration, such as virtual servers, pools, and profiles. New Behavior Beginning in BIG-IP 11.0.0, when installing a UCS configuration archive, the BIG-IP system restores the full configuration. Due to an architectural change in BIG-IP 11.0.0, the UCS configuration archive is intended for complete configuration backup and restore usage only. Page 65 of 91 7.2 Identify the components and methods associated with automating and scheduling tasks with the Enterprise Manager Enterprise Manager Getting Started Guide Version 2.3 Enterprise Manager is an appliance that helps you streamline the administrative tasks associated with managing multiple network devices. These administrative tasks include: performance monitoring, software installation and upgrades, configuration archival and restoration, certificate monitoring, security policy management, software image storage, and user account management. You can use Enterprise Manager to manage networks with devices running the following software. • BIG-IP system version 9.3 and later • BIG-IP Local Traffic Manager Virtual Edition (VE) version 10.2 and later • BIG-IP Secure Access Manager version 8.0 and later • WANJet version 5.0 and later • Enterprise Manager version 1.0 and later Understanding how to incorporate Enterprise Manager into your network Tiered network, BIG-IP Local Traffic Manager performs address translation Tiered network, a SNAT performs network translation About interfaces used for communication Management (MGMT) interface F5 devices use the management (MGMT) interface port exclusively for administrative traffic and for the Always-On Management (AOM) subsystem and do not forward user application traffic. TMM interfaces For each of the following processes, you must dedicate a TMM interface to perform: Application traffic and load balancing, Communication between Enterprise Manager and managed devices, Communication between systems in a high availability configuration (for both static and floating self IP address support). Ports required for two-way communication 443 4353 3306 Communication between managed devices and the EM system Communication between EM and a managed device's big3d agent Communication between EM and a remote statistics database Device management Collecting statistics Storing and reporting statistics on a remote db About device management through the management (MGMT) interface When you use the management (MGMT) interface for enterprise management communication, you do not have to dedicate a TMM switch interface for device management, and less configuration is required when you add new devices on the same subnet. Using the management interface on Enterprise Manager and managed devices for communication is preferable. Attention: The only exception is for high availability configurations. Peer devices in a high availability configuration must use a floating self IP address to communicate with the active device. If you have a high availability configuration, use the TMM switch port on each device because it can support floating self IP addresses. Overview of initial setup tasks Activating the Enterprise Manager license Specifying initial configuration settings Configuring a basic network Activate, The End User License Agreement (EULA) displays, Accept The purpose of Enterprise Manager's high availability feature is to provide access to a current backup of the active Enterprise Manager system's configuration. Device Discovery and Importation Before you can use Enterprise Manager™ to manage devices in your network, you must add the devices. For BIG-IP devices in your network, you can use the discovery method to search specific IP addresses or IP subnets in your network, and add those devices to Enterprise Manager. Page 66 of 91 1. On the Main tab, click Enterprise Management > Devices. The Device List screen opens. 2. Click the Discover button located on the upper right-side of the screen. The Discover Device(s) screen opens. 3. For the Scan Type setting, select one of the following options: • Address List • Subnet The screen refreshes to display settings specific to the selected option. 4. If you selected the Address List option, perform the following steps: a) In the User Name and Password fields, type a user name and password to use to log on to the discovered device. b) Click Add. 5. If you selected the Subnet, option perform the following steps: a) In the IP Address field, type the device IP address. b) In the Network Mask field, type the netmask that you want Enterprise Manager to use when searching the network. You can search by class B or C network. c) In the User Name and Password fields, type a user name and password to use to log on to each device discovered in the subnet. 6. Click the Discover button. Importing non-BIG-IP devices (v2.3) For non-BIG-IP devices, such as WANJet systems, you must create a comma-separated value (CSV) file on your local system and import the file into the device list. 1. Create a .csv file on your local system that contains each non-BIG-IP device's IP address, user name, and password on a separate line in the following format: <device IP address>, <username>, <password> For example: 10.10.10.1,admin,pass001 10.10.10.2,admin,pass002 10.10.10.3,admin,pass003 2. On the Main tab, click Enterprise Management > Devices. The Device List screen opens. 3. Click the Discover button located on the upper right-side of the screen. The Discover Device(s) screen opens. 4. Click the Import From File button. The Import Address List screen opens. 5. Click Import. The screen refreshes to display the import status. When the importation finishes, the Device Discover screen opens and a list of imported IP addresses and user names appears in the Address List field. 6. Click Start Task to add the devices in the Address List field to the device list. Custom Lists (v3.0) A custom list is a collection of selected network objects that can span multiple devices in your network. Creating custom lists allows you to monitor a group of objects from one screen, without restricting the view to an associated device. There are two types of custom network object lists that you can create: static lists and dynamic lists. A static list is a fixed selection of network objects. A dynamic list is a selection of network objects, which match characteristics that you define in the list's rules. Optional Configuration About UCS archive storage. A benefit of using Enterprise Manager is the ability to store, or archive, the user configuration set (UCS) for each managed device in your network. Creating a rotating UCS archive schedule About the health and performance monitoring database When statistics data collection is enabled, Enterprise Manager stores the following information in its statistics database for each managed device on which the Data Collection Agent is installed: • Specifics about the managed devices, such as host name, IP address, and software version Page 67 of 91 • Details, such as object type and name, about any enabled network objects associated with a managed device • Performance and health data for managed devices and associated network objects. You can use the collected statistics to display standardized reports about the health and performance of managed devices in your network. This helps you identify any systems that are not performing at full capacity and assists you in determining when you should add new devices. Important: Enterprise Manager collects statistics only from devices that have BIG-IP Local Traffic Manager licensed and provisioned. Starting with Enterprise Manager version 2.3, Enterprise Manager can also collect statistics from devices licensed and provisioned for BIG-IP Global Traffic Manager. Installing the Data Collection Agent When data collection is enabled, Enterprise Manager collects health and performance monitoring statistics data for each managed device in your network on which the most current version of the Data Collection Agent is installed. About alert management You can configure Enterprise Manager to manage alerts in these ways: • Send SNMP traps to a remote SNMP server • Send email alerts to a specific recipient Understanding user roles Enterprise Manager classifies the permissions for the user roles as either non-restricted or restricted. These user roles are defined as: Administrator This role (non-restricted) can perform all management functions available to Enterprise Manager, including managing other user accounts and roles. Operator and Application Editor By default, these roles (restricted) perform fewer management tasks than the Administrator. You can customize each role by specifying the tasks that the role is allowed to perform. Manual: Enterprise Manager Administrator Guide 1. Performing basic tasks on managed devices Once you add devices to the Device List screen, you can remotely perform basic management tasks, such as: • Verifying and testing device communication • Rebooting devices (Boot Location) • Specifying device refresh interval (By default, EM collects information once every 60 minutes) • Deleting devices Enterprise Manager provides the following basic management for high availability redundant systems. • Manage a high availability device’s failover state • Synchronize peer configurations Other Tasks: Collecting information for F5 support (and sent it) Maintaining and replacing devices Enabling or disabling maintenance mode for a device. Maintenance mode does not disable communications on the managed device itself. Maintenance mode only disables communication between EM and a managed device. Using the device replacement checklist 2. User Roles and Authentication Adding new users Modifying user authentication source By default, Enterprise Manager uses a local database to authenticate users. Enterprise Manager maintains a local authentication list of users, but you can choose to use a remote LDAP, Active Directory, RADIUS, or TACACS+ authentication source. 3. Managing UCS Archives Enterprise Manager can create and store UCS archives for managed devices on demand, or at regularly scheduled intervals using rotating archives. Rotating archives are UCS archives created at a regular interval according to a schedule that you set in Enterprise Manager. Page 68 of 91 By default, Enterprise Manager stores up to 10 rotating device archives and 10 saved, or pinned, archives per device in its database. Enterprise Manager deletes the oldest archive in the rotating archive list. Conversely, you must manually delete pinned archives. Comparing multiple versions of archives When you manage multiple versions of UCS archives, you may encounter situations where you need to compare the differences between device configuration archives. When you compare archives, Enterprise Manager highlights the differences between two archives so that you can easily identify configuration changes. Examining these changes can help you troubleshoot issues related to restoring archives or upgrading software. Creating configuration archives You have two main options for creating a UCS archive. Basic A basic UCS archive contains configuration data specific to a device. To create a basic UCS archive, you add an Enterprise Manager device to a rotating archive schedule (in the same way that you do for any managed device) and store basic UCS archives on an Enterprise Manager system. Advanced An advanced UCS archive includes the device configuration information as well as all imported data, including UCS information, and managed device UCS archives. To create an advanced UCS Enterprise Manager archive a) At the command line, log in as root. b) At the command prompt, type the following command: # em-backup <archive_name>.ucs The em-backup script begins archiving all configuration and imported data stored on the Enterprise Manager system. c) To restore: # em-restore <archive_name>.ucs The em-restore script begins the process of restoring all configuration and imported data stored on the Enterprise Manager system. 4. Using Templates and Changesets to Manage Device Configurations Enterprise Manager offers two versatile options that you can use to simultaneously manage multiple device configurations: templates and changesets. A template is a tool that you use to create and deploy new configurations based on an existing device configuration. A changeset is a collection of user-defined configuration data that you create and save for any managed device in your network and distribute to other managed devices. Publishing templates When you create a custom template, it is available only for you to deploy and use. To make the template available for others, you must publish it. Importing and exporting templates Templates are a flexible method for changing device configurations. You can share templates among Enterprise Manager devices in your network, or with other users through the F5 developer community DevCentral by importing and exporting them. Page 69 of 91 5. Managing Software Images • Downloading and managing software images To add an image to the software repository On the Main tab, expand Enterprise Management, click Repository, and select one of the following: ASM Attack Signature List, Hotfix Image List, Software Image List. Click on Import. • Copying and installing software to managed devices Software Image Copy and Installation wizard (10.x and EM 2.x) Legacy Software Image Installation wizard (9.x and EM 1.x) • Viewing installation task progress 6. Managing User Account Data • Managing user accounts • Copying user access configuration information • Changing user account passwords 7. Monitoring Object and Device Performance • Collecting performance data and health statistics The Enterprise Manager system uses its Data Collection Agent, big3d, to gather this information. The statistics collection feature is disabled by default. When you enable statistics collection, Enterprise Manager checks each managed device to verify that it has a compatible version of the Data Collection Agent. If a device requires a more recent version, Enterprise Manager marks that device as Impaired on the Device List screen, and displays a message indicating that an upgrade is required. • Using custom statistic profiles Choosing a statistics profile o Standard statistics profiles: The default data collected is: Device Global, Device Chassis, Device CPU, Device Disk Space, Device UDP, Device TCP, Device HTTP, Device Client SSL, LTM Virtual Server, LTM Pool, LTM Pool Member, and LTM Node. o Custom statistics profiles These are profiles that you create and for which you define metrics and optional threshold values. • Viewing device statistics • Managing storage for statistics Enterprise Manager stores statistical data until the system reaches the storage capacity that you define. When that capacity is met, the oldest data in the system is replaced with new data, up to the storage limit you set. The Enterprise Manager system’s default value of 1 GB for statistics data storage is intentionally low, allowing you to establish a reasonable value based on your environment. Enterprise Manager provides information about the amount of space available for the storage of statistics, the amount of space currently in use for statistics data, and the estimated number of days of storage with the current data allocation. To determine the allocation of resources on the drive, as well as estimate the storage capacity, you can recalculate the estimated days of storage without committing the change. When you have determined that you are satisfied with the storage space value, you can opt to save the changes. • Backing up and restoring the statistics database The Enterprise Manager system offers the following options to back up the statistic database. • Backing up and restoring the statistics database from the command line # em-backup-extern <user@host.com>:/<full_file_path_for_backup_file> The default file name is f5em_extern-<date stamp> # em-restore-extern <user@host.com>:/f5em_extern-<date stamp> • Scheduling remote backups of the statistics database You also have the option configure the Enterprise Manager system to allow remote access to the statistics database (MySQL database) from a third-party database browsing or editing tool, and then schedule a regular backup interval. The MySQL database listens on port 3306 of your Enterprise Manager system when data collection is enabled To successfully query the MySQL database, you use the following credentials: • Username: f5em_client • Password: default • Database name: f5em_extern Page 70 of 91 If the Enterprise Manager system is configured as a high availability system, you can back up your system’s monitoring information by regularly running the ConfigSync task. 8. Using Alerts • Overview of alerts Enterprise Manager can take actions on a wide variety of alerts that you can use in managing your F5 Networks devices. The alerts that you can set include: o Statistical data thresholds exceeded. Statistical data threshold alerts are available only for statistics stored locally on the Enterprise Manager system. o Device status change o Certificate expired or near-expiration o Completed software, hotfix, or attack signature image installations o Failed software, hotfix, or attack signature image installations o Clock skew between the Enterprise Manager and managed devices o Failed rotating archive creation • Setting alert default options When you create alerts, you can specify delivery options for that alert. You can also set a certain recipient’s email address, or a remote syslog server, to receive notifications for all alerts by default. Once these are set, Enterprise Manager sends alert notifications to the default email address you specified, or to the remote syslog server, unless the alert is configured to notify another recipient. • Creating alerts for Enterprise Manager To help maintain the health of the Enterprise Manager device, you can create system alerts to notify you when CPU, disk, or memory usage meets or exceeds a particular threshold. • Creating, modifying, and deleting alerts for devices 9. Managing Device Certificates • Monitoring device certificates Certificate monitoring is enabled by default for all managed devices. • Creating a device certificate alert 10. Auditing Enterprise Manager System Events • Reviewing the different event logging options So that you can review valuable information about pertinent events, Enterprise Manager provides access to a comprehensive set of logs. The types of logs you can view are: o System events: System event messages are based on Linux events, and are not specific to the Enterprise Manager system. o Local traffic events: Local-traffic event messages pertain specifically to the local EM system. o Audit events: Audit event messages are logged when changes are made to the Enterprise Manager system configuration. The Enterprise Manager system logs the messages for these events in the file /var/log/em. Logging audit events is optional. Enterprise Manager and BIG-IP systems use the Linux utility, syslog-ng, to log events. • Auditing events for Enterprise Manager The Enterprise Manager system features seven processes that enable the system to manage other F5 Networks devices in the network. The processes are briefly described here: discoveryd, emadmind (ConfigSync), emalertd, emdeviced, emfiled, emreportd, swimd • Searching the audit log 11. Working with Application Security Manager Policies and Attack Signatures • Staging and deploying Application Security Manager Policies Starting with BIG-IP Application Security Manager (ASM) version 10.0.1, Enterprise Manager helps you to easily manage security policies and ASM attack signature files among multiple devices. Staging and deploying security policies to your Application Security Policy devices using the Stage Security Policy Changeset wizard involves three main procedures. • Selecting a security policy to stage and deploy to a device • Selecting a target device on which to install the security policy • Verifying, staging, and deploying the security policy • Managing ASM attack signatures for Application Security Manager Page 71 of 91 Manual: Enterprise Manager: Monitoring Network Health and Activity (v3.0) C1. Using iHealth for configuration collection and diagnostics When you create a task to gather iHealth diagnostics, Enterprise Manager captures a snapshot of the specified device in the form of a qkview file. The iHealth service compares the device's information to an F5 database containing known issues, common configuration errors, and F5 published best practices. Scheduling Enterprise Manager to perform a weekly data collection of iHealth diagnostics data ensures that your managed devices are working at peak efficiency and you are apprised of any upcoming system events. C2. Using Alerts You can configure Enterprise Manager to manage alerts in these ways: • Send SNMP traps to a remote SNMP server • Send email alerts to a specific recipient using SMTP Before configuring SMTP email notification alerts, you must configure DNS resolution and create an SMTP server configuration. SMTP port 25, for SSL encryption, port 465. C3. Managing Traffic and System Certificates The information that displays on the certificate list screen provides a summary of: • Certificate expiration status • Certificate and organization name • Device on which the certificate is configured Certificate expiration status flag definitions Red, This certificate has expired. Yellow, This certificate will expire in 30 days or less. Green, This certificate is valid and will remain valid for 30 days. C4. Logging and Auditing Enterprise Manager creates separate audit and system event logs specific to: • Enterprise Manager activities associated with device management events • System events for Enterprise Manager itself, not related to device management C5. Customizing Views for Network Objects You can view activity in a summary and detailed graph format. This information ensures that your network is performing efficiently and helps you to troubleshoot potential issues. Viewing C6. Collecting Statistics When statistics data collection is enabled, Enterprise Manager stores the following information in its statistics database for each managed device on which the Data Collection Agent is installed: • Specifics about the managed devices, such as host name, IP address, and software version • Details, such as object type and name, about any enabled network objects associated with a managed device • Performance and health data for managed devices and associated network objects Page 72 of 91 Tip: If Enterprise Manager is managing devices that are part of a BIG-IP Global Traffic Manager synchronization group, Enterprise Manager temporarily disrupts communication between GTM and remote BIG-IP objects while it verifies the version of the big3d agent on GTM. To reduce the impact to production traffic relying on the BIG-IP GTM infrastructure, we recommend that you enable statistics data collection during a maintenance window. C7. Using Statistics Profiles Statistics data collected for the standard statistics profiles When statistics collection is enabled, Enterprise Manager collects the following statistics data to create standard reports. Report name Statistics data collected for this report Certificate Inventory None Device Inventory None Capacity Planning • Device CPU - Processor Utilization (%) • Device Global Memory Utilization (%) • Device Global Client: Bits In (/Sec) • Device Global Client: Bits Out (/Sec) Flapping Node None Flapping Pool Member None GTM Object Activity • GTM Virtual Server Bits In (Ave per Sec) • GTM Virtual Server Bits Out (Ave per Sec) • GTM Virtual Server Connections (Ave per Sec) LTM Node Inventory None SSL TPS Usage • Device Client SSL Native Connections (per Sec) • Device Client SSL Compat-mode Connections (per Sec) LTM Object Activity • LTM Node Bits In (per Sec) • LTM Node Bits Out (per Sec) • LTM Pool Member Bits In (per Sec) • LTM Pool Bits In (per Sec) • LTM Pool Bits Out (per Sec) • LTM Virtual Server Bits In (per Sec) • LTM Virtual Server Bits Out (per Sec) LTM Unused Object • LTM Node Bits In (per Sec) • LTM Node Bits Out (per Sec) • LTM Pool Member Bits In (per Sec) • LTM Pool Bits In (per Sec) • LTM Pool Bits Out (per Sec) • LTM Virtual Server Bits In (per Sec) • LTM Virtual Server Bits Out (per Sec) C8. Storing Statistics Enterprise Manager stores statistical data until the system reaches the storage capacity, which is by default, 1 GB stored locally. By default, Enterprise Manager stores health and performance monitoring statistics data in the database located on its hard drive. You have the option of configuring Enterprise Manager to store these statistics on a hard drive that is separate (external) from the Enterprise Manager system. Storing statistics on an external database clears space on Enterprise Manager for more storage of archives, images, configuration files, and so forth. A space dedicated only to health and performance monitoring statistic data can also provide you with more historical data storage. To use an external database for health and performance monitoring statistics storage, you must create the external database and then configure Enterprise Manager to store data on that database. Before configuring Enterprise Manager to store statistics data on an external database, you must create an external database on a system that is running Oracle MySQL version 5.1 with patch 52 or later. C9. Understanding and Using Reports You can use Enterprise Manager reports to retrieve and view information about the devices and BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM) objects in your network. To create a report, you define parameters, the devices from which to collect the data, and the object types you want to include. You can collect data and view the report immediately, or you can schedule the report to run in the future either once, or at regular intervals. Depending on the report type, completed reports are presented in Adobe portable document format (PDF) or comma-separated value (CSV) text, which you can export to a spreadsheet, such as Microsoft Excel. The Capacity Planning report also supports an interactive HTML format. Page 73 of 91 C10. Viewing Application Statistics for Multiple Devices You can use Enterprise Manager to view reports for managed devices that are provisioned to use Analytics, also referred to as Application Visibility and Reporting (AVR). The Enterprise Manager device must have an AVR centralized reporting license. You can display the Analytics reports for a single BIG-IP device or aggregated reports for a group of devices. In this way, Enterprise Manager provides centralized Analytics reporting. C11. Health and Performance Monitoring Database Schema You also have the option use this collected data to create your own queries and customized graphs and reports using the details provided in the following sections in conjunction with any MySQL Connector, 7.4: Manage software images Manual: BIG-IP Redundant Systems Configuration Guide (v11.0) C1. Introducing BIG-IP System Redundancy The Traffic Management Operation System (TMOS) within the BIG-IP system includes an underlying architecture that allows you to create a redundant system configuration, known as device service clustering (DSC), for multiple BIG-IP devices on a network. This redundant system architecture provides both synchronization of BIGIP configuration data and high availability at user-defined levels of granularity. Configuration components Devices. A device is a physical or virtual BIG-IP system, as well as a member of a local trust domain and a device group. Each device member has a set of unique identification properties that the BIG-IP system generates. Device groups. A device group is a collection of BIG-IP devices that trust each other and can synchronize, and sometimes fail over, their BIG-IP configuration data. You can create two types of devices groups: Sync-Failover. A Sync-Failover device group contains devices that synchronize configuration data and support traffic groups for failover purposes when a device becomes unavailable. Devices in a Sync-Failover device group must match with respect to hardware platform, product licensing, and module provisioning. Sync-Only. A Sync-Only device group contains devices that synchronize configuration data, such as policy data, but do not synchronize failover objects. A BIG-IP device can be a member of only one Sync-Failover group. However, a device can be a member of both a Sync-Failover device group and a Sync-Only device group. Traffic groups. A traffic group is a collection of related configuration objects (such as a virtual IP address and a self IP address) that run on a BIG-IP device and process a particular type of application traffic. Device trust and trust domains. Device trust establishes trust relationships between BIG-IP devices on the network, through mutual certificate-based authentication. A trust domain is a collection of BIG-IP devices that trust one another and can therefore synchronize and fail over their BIG-IP configuration data, as well as exchange status and failover messages on a regular basis. A local trust domain is a trust domain that includes the local device, that is, the device you are currently logged in to. Folders and sub folders. Folders and sub-folders are containers for the configuration objects on a BIG-IP device. For every administrative partition on the BIG-IP system, there is a high-level folder. At the highest level of the folder hierarchy is a folder named root. Configuration overview for failover To set up failover, you perform these tasks: • Add the local device as a member of the local trust domain. • Specify on the local device the IP addresses that you want the system to use for configuration synchronization, failover, and mirroring. • Add the local device as a member of a Sync-Failover device group. • If needed, create a custom traffic group. • Assign the relevant traffic group to the folder that you want to fail over (either the root folder or a sub-folder). Serial and network failover Note: You can use serial failover only when the device group contains a maximum of two devices. For a group with more than two devices, network failover is required. Also, if the hardware platform is a VIPRION platform, you must use network failover. Page 74 of 91 C2. Understanding Devices IP addresses for config sync, failover, and mirroring Each trust domain member contains device connectivity information, that is, the IP addresses that you define on a device for configuration synchronization (config sync), failover, and connection mirroring. Config sync IP address This is the IP address that you want the BIG-IP system to use when synchronizing configuration objects to the local device. By default, the system uses the self IP address of VLAN internal. Important: A self IP address is the only type of BIG-IP system address that encrypts the data during synchronization. For this reason, you cannot use a management IP address for config sync. Failover IP addresses These are the IP addresses that you want the BIG-IP system to use when another device in the device group fails over to the local device. You can specify two types of addresses: unicast and multicast. For appliance platforms, specifying two unicast addresses should suffice. For VIPRION platforms, you should also retain the default multicast address that the BIG-IP system provides. The recommended unicast addresses for failover are: • The self IP address that you configured for either VLAN HA or VLAN internal. If you created VLAN HA when you initially ran the Setup utility on the local device, F5 recommends that you use the self IP address for that VLAN. Otherwise, use the self IP address for VLAN internal. • The IP address for the local management port. Mirroring IP addresses These are the IP addresses that you want the BIG-IP system to use for connection mirroring. You specify both a primary addresses, as well as a secondary address for the system to use if the primary address is unavailable. If you configured VLAN HA, the system uses the associated self IP address as the default address for mirroring. If you did not configure VLAN HA, the system uses the self IP address of VLAN internal. About device status Active Forced offline Offline Standby Unknown A minimum of one floating traffic group is currently active on the device. This status applies to Sync-Failover device groups only. An administrator has intentionally made the device unavailable for processing traffic. The device is unavailable for processing traffic. The device is available for processing traffic, but all traffic groups on the device are in a standby state. This status applies to Sync-Failover device groups only. The status of the device is unknown. Page 75 of 91 C3. Understanding Device Trust Before any BIG-IP devices on a local network can synchronize configuration data or fail over to one another, they must establish a trust relationship known as device trust. Device trust between any two BIG-IP devices on the network is based on mutual authentication through the signing and exchange of x509 certificates. Within a local trust domain, in order to establish device trust, you designate each BIG-IP device as either a certificate signing authority or a subordinate non-authority. For each device, you also specify peer authorities. Certificate signing authorities A certificate signing authority can sign x509 certificates for another BIG-IP device that is in the local trust domain. Subordinate non-authorities A subordinate non-authority device is a device for which a certificate signing authority device signs its certificate. Peer authorities A peer authority is another device in the local trust domain that can sign certificates if the certificate signing authority is not available. When a BIG-IP device joins the local trust domain and establishes a trust relationship with peer devices, the device and its peers exchange their device properties and device connectivity information. This exchange of device properties and IP addresses is known as device discovery. By default, each BIG-IP device on the local network is a member of a one-member local trust domain. Use this procedure to log into any BIG-IP device on the network and add one or more devices to the local system's local trust domain. C4. Understanding Folders For every administrative partition on the BIG-IP system, the BIG-IP system creates an equivalent folder with the same name. In the context of the BIG-IP system, a folder is a container for BIG-IP system objects. Folders resemble standard UNIX directories, in that the system includes a hierarchy of folders and includes a root folder (represented by the / symbol) that is the parent for all other folders on the system. By default, the BIG-IP system assigns a Sync-Failover device group and a traffic group to the root folder. All folders and sub-folders under the root folder inherit these default assignments. C5. Understanding Device Groups You can create two types of devices groups: Sync-Failover. A Sync-Failover device group contains devices that synchronize configuration data and support traffic groups for failover purposes when a device becomes unavailable. A maximum of eight devices is supported in a Sync-Failover device group. Sync-Only. A Sync-Only device group contains devices that synchronize configuration data, such as policy data, but do not synchronize failover objects. A maximum of 32 devices is supported in a Sync-Only device group. A BIG-IP device can be a member of only one Sync-Failover group. However, a device can be a member of both a Sync-Failover device group and a Sync-Only device group. A typical use of a Sync-Only device group is one in which you configure a device to synchronize the contents of a specific folder to a different device group than to the device group to which the other folders are synchronized. For Sync-Only device groups, you can choose to either automatically or manually synchronize configuration data in a device group. When enabled, this feature causes any BIG-IP device in the device group to synchronize its configuration data to the other members of the device group whenever that data changes. Note: For Sync-Failover device groups, the BIG-IP system supports manual synchronization only. The most common reason to use a Sync-Only device group is to synchronize a specific folder containing policy data that you want to share across all BIG-IP devices in a local trust domain, while setting up a Sync-Failover device group to fail over the remaining configuration objects to a subset of devices in the domain. In this configuration, you are using a Sync-Only device group attribute on the policy folder to override the inherited Sync-Failover device group Page 76 of 91 attribute. Note that in this configuration, Bigip1 and Bigip2 are members of both the Sync-Only and the SyncFailover groups. C6. Understanding Traffic Groups When a BIG-IP device becomes unavailable, a traffic group floats (that is, fails over) to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service. Important: Although a specific traffic group can be active on only one device in a device group, the traffic group actually resides and is in a standby state on all other device group members, due to configuration synchronization. Only certain types of configuration objects can belong to a traffic group. Examples of traffic group objects are self IP addresses and virtual IP addresses. Note: A Sync-Failover device group can support a maximum of 15 traffic groups. Default traffic groups on the system When you initially run the Setup utility on a device or upgrade from a previous BIG-IP version, the system creates two default traffic groups: A default traffic group named traffic-group-1 initially contains the floating self IP addresses that you configured for VLANs internal and external, as well as any iApps application services, virtual IP addresses, NATs, or SNAT translation addresses that you have configured on the device. A default non-floating traffic group named traffic-group-local-only contains the static self IP addresses that you configured for VLANs internal and external. Because the device is not a member of device group, the traffic group never fails over to another device. A MAC masquerade address is a unique, floating Media Access Control (MAC) address that you create and control. You can assign one MAC masquerade address to each traffic group on a BIG-IP device. By assigning a MAC masquerade address to a traffic group, you indirectly associate that address with any floating IP addresses (services) associated with that traffic group. A primary purpose of a MAC masquerade address is to minimize ARP communications or dropped packets as a result of a failover event. A MAC masquerade address ensures that any traffic destined for the relevant traffic group reaches an available device after failover has occurred, because the MAC masquerade address floats to the available device along with the traffic group. Without a MAC masquerade address, on failover the sending host must relearn the MAC address for the newly-active device, either by sending an ARP request for the IP address for the traffic or by relying on the gratuitous ARP from the newly-active device to refresh its stale ARP entry. Note: When you assign a MAC masquerade address to a traffic group, the BIG-IP system sends a gratuitous ARP to notify other hosts on the network of the new address. Page 77 of 91 The types of configuration objects that you can associate with a floating traffic group are: • iApps application services • Virtual IP addresses • NATs • SNAT translation addresses • Self IP addresses C7. Working with Folders System -> Platform C8. Understanding Fast Failover The BIG-IP system includes a feature known as fast failover. Fast failover is a feature that is based on the concept of an HA group. An HA group is a set of trunks, pools, or clusters (or any combination of these) that you want the BIG-IP system to use to calculate an overall health score for a device in a redundant system configuration. The fast failover feature is designed for a redundant configuration that contains a maximum of two devices in a device group, with one active traffic group. A health score is based on the number of members that are currently available for any trunks, pools, and clusters in the HA group, combined with a weight that you assign to each trunk, pool, and cluster. The device that has the best overall score at any given time becomes or remains the active device. SOL8086: Replacing a BIG-IP system in a redundant pair without interrupting service Important: As a result of an issue affecting BIG-IP 9.x through 11.x, you must disable connection mirroring or persistence mirroring prior to powering down the standby unit When you have verified that the restored configuration loads without errors, perform one of the following steps: o If the BIG-IP systems use serial cable failover, connect all of the network cables. o If the BIG-IP systems use network failover, power down the replacement system, connect all of the network cables, and then power the replacement system back on. This extra step reduces the likelihood of IP conflicts in the network until network failover traffic is restored between the two units. BIG-IP System: Upgrading Active-Standby Systems (v11.0) Upgrading BIG-IP Active-Standby Systems to Version 11.0 An upgrade of BIG-IP active-standby systems to version 11.x involves the following tasks. a) Preparing Device A (the active mode BIG-IP 1 system) and Device B (the standby mode BIG-IP 2 system) b) Upgrading Device B (the standby mode BIG-IP 2 system) c) Upgrading Device A (the standby mode BIG-IP 1 system) d) Verifying the upgrade e) Configuring module-specific settings Preparing BIG-IP modules for an upgrade from version 10.x to version 11.0 Access Policy Manager system does not require specific preparation. Post-upgrade activities: Sessions, Authentication agents and SSO methods, iRule for processing URI, OAM Support, Citrix support functionality, Reporting functionality. Application Security Manager system does not require specific preparation. Global Traffic Manager systems do not require any preparation. Link Controller system does not require specific preparation. Local Traffic Manager system does not require specific preparation Protocol Security Module does not require specific preparation WebAccelerator systems require specific preparation tasks and changes: Page 78 of 91 Preparation activities: Symmetric deployment, Unpublished policies, Signed policies, Configuration files, Debug Options Post-upgrade activities: Web acceleration, Compression, Request logging, Policy logging, URL normalization, iControl backward compatibility WAN Optimization Manager systems do not require specific preparation Preparing BIG-IP active-standby systems for an upgrade 1. Examine the Release Notes for specific configuration requirements, and reconfigure the systems, as necessary. 2. From the device that is running the latest configuration, synchronize the configuration to the peer unit 3. For each device, reactivate the license. 4. For each device, click System > High Availability > Redundancy, and, from the Redundancy State Preference list, select None. 5. For each device, create a backup file. 6. Download the BIG-IP version 11.x .iso file from the AskF5 downloads web site 7. Import the version 11.x software image file to each device. Upgrading the standby BIG-IP 2 system 1. Select a location to install the image, and click Install. 2. Reboot the device to the location of the installed version 11.x software image. System > Software Management > Boot Locations -> Activate Upgrading the active BIG-IP 1 system 1. Select a location to install the image, and click Install. 2. Force the BIG-IP device (Device A) to standby mode. 3. Reboot the BIG-IP device (Device A) to the location of the installed version 11.x software image. 1. System > Software Management > Boot Locations -> Activate 4. Synchronize the configuration. Verifying a BIG-IP active-standby upgrade BIG-IP System: Upgrading Active-Active Systems (v11.1) Upgrading BIG-IP Active-Active Systems to Version 11.X An upgrade of BIG-IP active-active systems to version 11.x involves the following tasks. a) Preparing Device A (active mode on the BIG-IP 1 system) and Device B (active mode on the BIG-IP 2 system) b) Forcing Device B to standby mode c) Upgrading Device B (the standby mode BIG-IP 2 system) d) Upgrading Device A (the standby mode BIG-IP 1 system) e) Verifying the upgrade f) Configuring module-specific settings Preparing BIG-IP modules for an upgrade from version 10.x to version 11.0 -- Los mismos que el anterior Preparing BIG-IP active-active systems for an upgrade Prerequisites: • The BIG-IP systems (Device A and Device B) are configured as an active-active pair. • Each BIG-IP device is running the same version of 10.x software. • The BIG-IP active-active devices are the same model of hardware. 1. Examine the Release Notes for specific configuration requirements, and reconfigure the systems, as necessary. 2. For each device, synchronize the configuration. 3. For each device, reactivate the license. 4. For each device, disable the VLAN Fail-safe setting. System > High Availability > Fail-safe > VLANs. > Remove Page 79 of 91 5. For each device, disable the Gateway Fail-safe setting. System > High Availability > Fail-safe > VLANs. > Remove 6. For each device, click System > High Availability > Redundancy , and, from the Redundancy State Preference list, select None. 7. For each device, create a backup file. 8. Download the BIG-IP version 11.x .iso and .md5 files from the AskF5 downloads web site 9. Import the version 11.x software image and MD5 files to each device. 10. Force Device B (the BIG-IP 2 device) into standby mode. System > High Availability > Redundancy > Force to Standby 11. Do one of the following steps to disconnect Device B (the standby BIG-IP 2 device) from the network. Disconnect all network cables, except for the management interface cable. Shut down the interfaces on the upstream device. Upgrading the standby BIG-IP 2 system Prerequisites: Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) must be prepared to upgrade Device B with version 11.x software. 1. Select a location to install the image, and click Install. 2. Reboot the device to the location of the installed version 11.x software image. System > Software Management > Boot Locations -> Activate 3. Do one of the following steps to disconnect Device A (the version 10.x active BIG-IP 1 device) from the network. • Disconnect all network cables, except for the management interface cable. • Shut down the interfaces on the upstream device. 4. Do one of the following steps to connect Device B (the version 11.x BIG-IP with traffic-group-1) to the network. • Reconnect all network cables. • Enable the interfaces on the upstream device. 5. Flush the Level 2 databases on the upstream devices to start passing traffic to the Device B traffic-group1 in active state. Upgrading the standby BIG-IP 1 system Prerequisites: Device A (the version 10.x BIG-IP 1 system) must be prepared to upgrade the software to version 11.x. and Device A is in standby mode. and Device B has version 11.x installed with traffic-group-1 and traffic-group-2 in active state. 1. Select a location to install the image, and click Install. 2. Reboot the BIG-IP device (Device A) to the location of the installed version 11.x software image. 1. System > Software Management > Boot Locations -> Activate 3. Stop the services on the device. # tmsh , (tmsh) # stop sys service all 4. Do one of the following steps to connect Device A to the network. • Reconnect all network cables. • Enable the interfaces on the upstream device. 5. Start the services on Device A. # tmsh , (tmsh) # start sys service all Device A restarts, with traffic-group-2 in active state and traffic-group-1 in standby state. 6. For each device, create the VLAN Fail-safe setting. 7. For each device, create the Gateway Fail-safe setting. Verifying a BIG-IP system active-active upgrade Page 80 of 91 SOL13123: Managing BIG-IP product hotfixes (11.x) Hotfixes must be installed on an inactive boot location. The configuration and license from the current boot location is copied to the target installation location. For Virtual Clustered Multiprocessing (vCMP) systems, hotfixes are managed from the vCMP Guest. The Software Management interface automatically installs the hotfix file to the image library (the /shared/images/ directory) on the BIG-IP system. Verifying the MD5 checksum of the hotfix image: # cd /shared/images # md5sum --check Hotfix-BIGIP-11.0.0-8120.0-HF1.iso.md5 Hotfix-BIGIP-11.0.0-8120.0-HF1.iso: OK Installing a hotfix image using the tmsh utility # tmsh (tmsh) # install sys software hotfix Hotfix-BIGIP-11.0.0-1234.0-HF1.iso volume HD1.1 (tmsh) # show sys software status Manual Chapter: Preparing the System for Installation (v10.x) Important: You cannot upgrade and roll forward a configuration directly to this version from versions 9.2.x or earlier. If you have a configuration from version 9.2.x or earlier, you must upgrade to version 9.3.x or 9.4.x, and then upgrade to version 10.x. Performing prerequisite tasks Configuring the management interface. (config command) Establishing a connection to the system. Setting the active volume. Making sure the license is active and updated. This version of the BIG-IP system software uses the volumes disk-formatting scheme. A specific section of a hard drive is called a volume. Also called logical volume management (LVM), this feature supports all platforms and modules available for the BIG-IP system. SOL4178: Restarting the BIG-IP system in single-user mode (GRUB 0.97) GRUB 0.97 (9.x – 11.4.1) GRUB2 (11.3.0 – 11.4.1) Displaying part of the GRUB configuration (title = 0.97, menuentry = 2) [root@training:Active:Standalone] config # grub_default -d | grep -A6 "TMOS maintenance" title TMOS maintenance root (hd1,0) kernel /vmlinuz.mos root=/dev/ram0 rw console=ttyS0 ramdisk_size=224707.5 skip_media initrd /initrd.img.mos # TIC_STATIC_KEY: st.mos # TIC_STATIC_VERSION: 2.8.1-44.0 PROCEDURE 1. Connect a terminal to the BIG-IP serial console port. 2. Restart the BIG-IP system. While restarting, the BIG-IP system displays the GRUB menu and counts down before continuing the start process. 3. Before the countdown expires, use the Up Arrow and Down Arrow keys to select the appropriate start image. Note: Alternately, press Shift+6 (^) to move up, and press the V key to move down. Page 81 of 91 4. Press the E key to edit the start options. A new GRUB menu screen displays. 5. Use the Up Arrow and Down Arrow keys to select the line that begins with kernel /boot/vmlinuz. Note: Alternately, press Shift+6 (^) to move up, and press the V key to move down. 6. Press the E key to edit the line. 7. Type the word single at the end of the kernel /boot/vmlinuz line, and then press Enter. For example: kernel /boot/vmlinuz single Depending on the platform, the kernel operative syntax may appear similar to the following example: kernel /boot/1/vmlinuz ro root=UUID=2c3f024c-ff84-499b-8466-0a189963c55d console=ttyS0 panic=1 platform=Mercury quiet single The previous menu screen appears, and the system shows the new start command. 8. Press the B key to start the system using the modified options. A prompt displays. You have now started the system in single-user mode. 9. When you are finished using single-user mode, type exit or reboot to return the BIG-IP system to normal operating mode. Page 82 of 91 SOL13117: Performing a clean installation of BIG-IP 11.x or Enterprise Manager 3.x On rare occasions, you may be required to perform a clean installation of BIG-IP 11.x or Enterprise Manager 3.x. During a clean installation, all mass-storage devices are wiped, therefore restoring the BIG-IP system or Enterprise Manager to its factory defaults. In addition, a clean installation allows you to reinstall a BIG-IP unit that no longer boots from any of its boot locations. 1. You have booted the F5 system from a USB removable media containing a BIG-IP 11.0.0 image, but you want to perform a custom installation using the diskinit and image2disk utilities. 2. You have booted the F5 system from a PXE server. Otherwise, to reinstall the system according to the manufacturing installation plan displayed in the output, press Enter and skip to step 10. To wipe all mass-storage devices inside the BIG-IP system, type the following command: # diskinit --style volumes Note: BIG-IP 11.x cannot be installed on a CompactFlash media drive; you must use boot locations on the system’s hard drive. SOL13127: Restoring the BIG-IP configuration to factory default settings (11.x) You may occasionally need to remove the current BIG-IP configuration and restore the system to the factory default setting. To do so, you can use the tmsh load sys config default command. The tmsh load sys config default command saves the currently-running configuration to the /var/local/scf/backup.scf file, and then loads the /defaults/defaults.scf file to restore the configuration to factory default settings. When you restore the BIG-IP configuration to factory default settings, the system performs the following tasks: Removes all BIG-IP local traffic configuration objects Removes all BIG-IP network configuration objects Removes all non-system maintenance user accounts Retains the management IP address Removes system maintenance user account passwords (root and admin) Retains the BIG-IP license file Retains files in the /shared partition Retains manually-modified bigdb database variables (tmsh) # load sys config default (tmsh) # save sys config partitions all SOL10449: Upgrading the software version or applying a hotfix to BIG-IP GTM Beginning in BIG-IP GTM 9.3.0, changes were made regarding how BIG-IP GTM devices communicate. The change includes a version field in the message packets that is used to communicate between BIG-IP GTM devices. This version field alleviates the need to remove BIG-IP GTM devices from a synchronization group. If a BIG-IP GTM device receives a message packet with a version that does not match, no changes are allowed by the device. Installing the upgrade software 1. Log in to the command line of the BIG-IP GTM system you are going to upgrade. 2. Stop the named process by typing the following command: Note: Stopping the named process prevents the BIG-IP GTM system from answering DNS requests that fall back to BIND. bigstart shutdown named 3. Stop the big3d process by typing the following command: Note: Stopping the big3d process prevents the BIG-IP GTM system from communicating with other BIGIP devices. bigstart shutdown big3d 4. Stop the gtmd process by typing the following command: Note: Stopping the gtmd process prevents the BIG-IP GTM system from answering DNS requests. bigstart shutdown gtmd 5. Install the upgrade software Page 83 of 91 6. Reboot the BIG-IP GTM once the hotfix has finished installing by typing the following command: /usr/bin/full_box_reboot Manual Chapter: Upgrading the VIPRION System When you perform an upgrade, the system upgrades the open boot location of each blade of the cluster concurrently. Note that the term open boot location refers to the boot location to which the system is not currently booted. 8.1: Modify and manage virtual servers SOL8018: Overview of the BIG-IP HTTP class traffic flow An HTTP class provides a method for matching HTTP requests to specific patterns and defining the action that should be applied to that traffic. An HTTP class may be configured to match HTTP requests based on the following attributes: Hosts URI Paths Headers Cookies The HTTP class must then define the actions to be applied to matching requests. An HTTP class may be configured to define the following actions: Send matching requests to the pool specified by the HTTP class. Send matching requests to the virtual server default pool. Redirect matching requests to a specified URL. Rewrite the request URI for matching requests to a specified URI without sending an HTTP redirect to the client. The following table illustrates the manner in which requests are handled, depending on the HTTP class and virtual server pool configuration: Ensuring that all traffic is accounted for The ability to configure various filter and pool configuration combinations allows for several options to control traffic flow and provides flexibility in designing solutions. Evaluate the HTTP class configurations carefully, in order to ensure that all traffic is accounted for. Possible methods to ensure that all requests are matched: Create an HTTP class, with no filters, that redirects requests to the site homepage; apply the HTTP class as the virtual server’s last HTTP class. Create an HTTP class with no filter that rewrites the request to a specific page on the server; apply the HTTP class as the virtual server's last HTTP class. Ordering HTTP classes for the virtual server You can configure a virtual server to use multiple HTTP classes. The order of the HTTP classes determines how the request is evaluated. When a request matches an HTTP class, the request is processed and is not evaluated against any subsequent HTTP classes. If a request does not match any of the HTTP classes, the virtual servers default pool will be used; if the virtual server does not have a default pool configured, the request will be dropped. Logging unmatched requests When the configuration results in a dropped request, the drop will not be logged, which is the desired behavior in most situations. However, you might want to ensure that all traffic is accounted for. Page 84 of 91 SOL10640: Pool member reselection options On a BIG-IP system, in the event that a pool member fails, the default behavior is for connection attempts to that pool member to continue until the pool member is marked down by its assigned monitor(s). This behavior may cause the BIG-IP system to load balance new connections to a pool member that has just failed, but whose monitor has not yet timed out. You can improve the behavior outlined in the above example by performing the following actions: Selecting a new pool member as soon as the BIG-IP system detects that the pool member to which it is attempting to connect has become unresponsive. Immediately marking the unresponsive pool member down to avoid further connections being load balanced to that pool member. To perform the aforementioned actions, you can either write an iRule, or beginning in BIG-IP version 10.0.0, you can use features readily available within the Configuration utility of the BIG-IP system. You can improve the default behavior with an iRule similar to the following example: when LB_FAILED { if { [active_members [LB::server pool]] > 0 } { catch { LB::down } LB::mode rr LB::reselect } } This iRule allows a client-side connection to remain open after a pool member has become unresponsive. For example, if the pool member failed to complete a TCP handshake or respond to an ARP request. Using the LB::reselect iRule command, the client request is then load balanced to a different pool member, or even to a different pool, once the LB_FAILED event fires. The time between the initial connection attempt and LB_FAILED is dependent on profile parameters. For example, in regards to TCP, the profile parameters that affect SYN retransmission. The LB::down iRule command causes the pool member to be marked down upon the LB_FAILED event rather than wait for its monitor(s) to time out and limit the number of client connections affected. More complex iRules can be written to defer LB::down until a number of failures have occurred to allow a margin of error. Improving the default behavior using the Inband monitor feature (10.x or later) Beginning in BIG-IP 10.x, the Inband monitor type was introduced. The Inband monitor determines the availability of a pool member based on a specified number of failed connection attempts or data request attempts within a specified time interval. This monitor works in parallel with regular monitors, and can be used instead of the LB::down iRule command. SOL13675: Overview of the stateless virtual server A stateless virtual server provides improved UDP performance over a standard virtual server in specific scenarios, but with limited feature support. A stateless virtual server accepts traffic that matches the virtual server address and load balances the packet to the pool members without attempting to match the packet to a pre-existing connection in the connection table. Any new connection entry is immediately removed from the connection table. This behavior addresses the requirements for one-way UDP traffic that needs to be processed at very high throughput levels. As such, a stateless virtual server is not be suitable for processing traffic that requires stateful tracking, such as TCP traffic. The stateless virtual server does not support the following features: iRules Persistence Connection mirroring Rate shaping SNAT automap (tmsh) # create ltm virtual <vs name> stateless ip-protocol udp pool <pool name> destination <IP:Port> (tmsh) # create ltm virtual myIngressStatelessvs stateless ip-protocol udp pool myDNSpool destination 30.30.30.234:53 (tmsh) # save sys config Page 85 of 91 SOL12272: Overview of BIG-IP virtual server types (10.x) The following table lists the virtual server type options and defines each virtual server type: Virtual server Description of virtual server type type Standard A Standard virtual server directs client traffic to a load balancing pool and is the most basic type of virtual server. It is a general purpose virtual server that does everything not expressly provided by the other type of virtual servers. Forwarding (Layer 2) A Forwarding (Layer 2) virtual server typically shares the same IP address as a node in an associated VLAN. A Forwarding (Layer 2) virtual server is used in conjunction with a VLAN group. Forwarding (IP) A Forwarding (IP) virtual server forwards packets directly to the destination IP address specified in the client request. A Forwarding (IP) virtual server has no pool members to load balance. Performance (Layer 4) A Performance (Layer 4) virtual server has a FastL4 profile associated with it. A Performance (Layer 4) virtual server increases the speed at which the virtual server processes packets. Performance (HTTP) A Performance (HTTP) virtual server has a FastHTTP profile associated with it. The Performance (HTTP) virtual server and related profile increase the speed at which the virtual server processes HTTP requests. Stateless A Stateless virtual server improves the performance of UDP traffic in specific scenarios. (10.2.2 and later) Reject A Reject virtual server rejects any traffic destined for the virtual server IP address. HTTP Basics I Web Based Training Course In this presentation, we will discuss the general format of HTTP messages and specific information about HTTP requests and typical headers in those requests. In HTTP Basics II, we will focus on HTTP responses and two examples where various HTTP headers are key to managing HTTP communication. HTTP is the fundamental means of communication used by the World Wide Web. It defines a formal syntax that allows user-agents, such as browsers, to interact with web servers. HTTP is one of many protocols designed to allow clients to store and retrieve files from servers. Other examples include File Transfer Protocol (FTP), Common Internet File System (CIFS) or Network File System (NFS). Each has unique capabilities; HTTP has been designed specifically for the needs of the World Wide Web. For example, an HTTP request can specify the language the browser would like to see in a page as well as information about how the data is encoded. A very simple client-server interaction in HTTP includes 4 steps: First, the client opens a Transmission Control Protocol (TCP) connection. Next, the client sends an HTTP request, such as “GET /index.html”. Then, the server sends an HTTP response, including a status and the requested object. Finally, the TCP connection is ended. This is a simplified example; actual HTTP transactions are more complex. There are multiple versions of HTTP, though almost all clients and server support version 1.1. The earliest version in common use was 0.9. Version 1.0 added improvements, but almost all clients and servers support version 1.1 today. Version 1.1 improved performance for clients and defined interactions with proxies and caches more completely. HTTP messages are either requests (from clients) or responses (from servers.) Initially, each request-response pair used a separate TCP connection. Clients opened a connection, sent a request, server’s sent a response, and the server ended the connection. In the example, the client opens the first connection and sends the first request. Then the server sends it’s response and then ends the connection. If another object was needed, the client would open another connection and send another response. Page 86 of 91 This was a simple protocol; for each object transfer, another TCP connection was opened, used to transfer the object, then closed. But as web pages became more sophisticated and clients needed to request more and more objects, the overhead of opening and closing TCP connections impacted performance. These type of issues lead to innovation. In this case, it led to Keep-Alives. “Keep-Alives” were an early update to HTTP. With keep-alives, the client can re-use existing TCP connections to request additional objects. With keep-alives, the server must indicate the amount of data it will send in response to each client request. After sending that data, the client can send another request across the existing TCP connection. Once the client has all the objects it needs, the client can close the connection. Once again, the client opens the TCP connection and sends a request. However, once the first response is received, the client is free to send another request. Once the client’s last request is fulfilled, the client will end the TCP connection. In HTTP version 1.0, Keep-Alives were supported but were disabled by default. In version 1.1, Keep-Alives are enabled by default. Version 1.1 also added support for “Pipelining.” With pipelining, clients can send multiple requests across the TCP connection before the first response has been received. Pipelining is not supported widely. HTTP clients use Universal Resource Locators (URL) to interact with resources. The format of a URL is dependent upon the scheme, but for HTTP, the URL is composed of the scheme, the host, the port, the path, and the query. When the URL is used by browsers, HTTP messages do not contain the complete URL. The scheme is implied by the fact that it is an HTTP message. In HTTP 1.0, the host was not always included in HTTP messages, but in HTTP 1.1, it is included in the HOST header. The port is used by TCP, not HTTP and is assumed to be 80 if it is not included. Finally, the path and query together are contained in the request start line. A browser’s address window would display a complete formatted string. In the example, the scheme is “http“, the host “www.f5.com”, the port “80”, the path “/path/time.jsp”, and the query “h=13&m=48”. Some portions of the URL are case sensitive and others are not. In the scheme and hostname of the URL, case does not matter. However, in the path and query, case can be significant depending on the implementation on the server. HTTP is only one layer of the communication between browsers and web servers. While not required, almost all implementations use Ethernet and TCP/IP. Within the TCP data, HTTP messages include three parts: the initial line of the message, HTTP headers, and HTTP data. The HTTP data can contain many object types. Common examples include HTML, the Hypertext Markup Language and image files. Each HTTP message is either a request or a response. For both, the first line has a distinct format. It may also contain headers, which are used to refine the request or explain the response more fully. When data is passed in the message, it will follow a blank line after the headers. The data can contain multiple lines, including blank lines. The first line of a request is made up of three space-separated parts: the Method, the Universal Resource Indicator or “URI”, and the Version. All methods MUST be in all upper case and define the action desired by the client. In most cases, the URI is composed of the path and an optional query. If no query or explicit path is included, the URI will typically be a single slash. Finally, the HTTP version is indicated. Some older browsers may not include the HTTP version and some servers may refuse to respond to a request that does not include the version. Page 87 of 91 Next, requests usually include many HTTP headers that define such things as the preferred language, the browser’s ability to decompress data, the browser’s version and the host name for the request. Version 1.1 requests MUST contain a host header, but no other headers are required. HTTP headers follow the initial line. Headers are included, one per line, and each will appear in the format Header-Name: Header Value. Header names do not contain spaces and are followed by a colon and a space. Header values can be a single value or a space separated list of values. The examples show typical headers that are seen in requests. The example request headers indicate the host of the content, the compression types that the client supports, and the language that the client prefers. This example shows an actual HTTP request. It is a GET request for the default page of the web server named www.f5.com. This is a typical request and includes the initial line, headers, but no data. In the example, two of the headers, Accept and User-Agent, are longer than one line. We have looked at the overall process, now let us look at some specifics – starting with HTTP methods. RFC 2616, defining HTTP 1.1 describes eight methods. However, only a few are used frequently and the RFC only defines 2 as “safe” – GET and HEAD. Briefly, here is what features the methods provide. GET is used to retrieve a resource from a server. When HEAD is used, the headers in the request and response will be the same as when a GET is used, but the server will not return any data. This allows a client to check for the existence or size of a resource without actually retrieving it. POST is used to pass information to the server. POST allows clients to send messages to forums or update databases. The OPTIONS method is used to determine communications options that are available between the client and the server. The PUT method tells the server to replace the Requested URI with the data contained in this message. If the resource does not exist, the server will create it. The DELETE method deletes the resource specified by the Request-URI. The TRACE method is used to send test messages to servers. If successful, the server should respond with a 200 OK. The CONNECT method is reserved for use with proxies. HTTP headers are grouped into four categories: General, Request, Response and Entity. This course will show examples of HTTP headers typically seen in HTTP requests - general and request headers. The HTTP Basics II course will show examples of HTTP headers typically used in HTTP responses. General headers have to do with the message and the method of communication rather than the data that is being transferred. In the example request, we see two general headers: Connection: Keep-Alive and Pragma: no-cache. The connection header indicates the client would like to send multiple HTTP requests across the existing TCP connection. The pragma header indicates the client would like to get the data from the origin server rather than a cache or proxy. Request Headers apply either to the request or to the client. For example, they can indicate the type of data that the client would like to receive. In the example request, there are multiple “accept” headers that tell the server about the format of data the client would like to receive. First, the Accept header indicates what file types the client can manage. The Accept-Language header shows that the client prefers US formatted English. The Accept-Encoding header shows what type of compression the client understands. Finally, Host is the hostname portion of the URL. Page 88 of 91 We hope that this has given you a good introduction to HTTP. While it may seem a simple process – open a connection, send a request, process a response – there are many options within those few steps that can greatly improve the user experience, but will certainly add in the protocols complexity. We hope this course has given you a foundation to work from in understanding all that is HTTP. HTTP Basics II Web Based Training Course In this presentation, we will continue the discussion begun in HTTP Basics I. That presentation focuses on the general format of HTTP messages and specific information about HTTP requests and typical headers in those requests. This presentation focuses on HTTP responses and two examples where various HTTP headers are key to managing HTTP communication. As a reminder, both HTTP requests and responses are made up of an initial line, headers, and optional data. The first line of a response is made up of three space-separated parts: the Version, the Status, and a Reason Phrase. The version format is the same as in the request. Status codes are used to describe the results of the request. The Reason-Phrase is a brief explanation of the status code. Next, responses usually include many HTTP headers describing things such as the content length, content type, content compression method, caching directives, and server information. Finally, if the response includes the object, the body of the content will be included after a blank line. Request and response headers have the same format. One header per line including the header name and its value. The examples show typical headers that are seen in responses. In this case, the response headers indicate the date and time of the response, the length of the object, and the type of object that is being sent to the client. HTTP messages, especially responses, often contain data. If an HTTP message contains any data, it will be after the first blank line of the messages, this is usually after the headers. The Content-Type header is typically used to define the format of the data. The data can contain blank lines. Here we see a small sample of HTML, which could be the data of an HTTP message, and how it is processed by Internet Explorer. This shows an HTTP response. The initial line indicates the object was available and is being transmitted. The headers show information about the server and the type of data stored by the object. After the headers, a blank line is seen and then the data begins. Most of the data is not shown. Page 89 of 91 The initial line of all responses includes a server status code. These are three-digit codes grouped into five categories. The 100 series codes are informational only and do not indicate either success or failure. There are only two 100 series codes: 100 - Continue will be returned if a client is sending a multi-part request and the server is ready for the next piece. 101 – Switching Protocols will be returned if the server has accepted the client’s request to change protocols. The 200 series codes indicate success. Code 200 means OK, the request succeeded. Code 206 indicates Partial Content, which means the request is succeeding but this response does not contain all the data and more is coming. There are seven different 200 series codes defined in HTTP 1.1. 300 series codes indicate that the resource is available, but it is somewhere else. There are eight different 300 series codes defined in HTTP 1.1. For example, 301 – Moved Permanently tells the client the resource should always be retrieved from the location specified in the response. Other 300 series codes indicate that the redirection is temporary. 400 series codes indicate the server thinks the client has made an error. For example, 400 Bad Request indicates the client’s message is formatted incorrectly. 404 – File Not Found is seen frequently and indicates that the server does not have the requested object. There are 18 status codes in the 400 range. Finally, 500 series codes deal with errors on the server. For example, 500 Internal Server Error is a generic error message and 505 HTTP Version Unsupported indicates the client’s requested HTTP version is not supported by the server. There are six status codes in the 500 range. HTTP headers are grouped into four categories: General, Request, Response and Entity. will describe the purpose and show typical examples of each. The following slides General headers have to do with the message and the method of communication rather than the data that is being transferred. In the example response, we see two general headers: Date: and Transfer-Encoding: chunked. The date indicates the date and universal time when the message was sent and Transfer-Encoding tells the client about the format of the data. Response headers typically contain information about the server, the format of the message, and the object itself. For example, caches may include an Age header indicating how long the object has been in the cache. In the example response, the Accept-Ranges header indicates the server could send the object in byte ranges rather than the entire object. The Vary header indicates that while the content is cacheable, the object could vary if the requesting client’s Accept-Encoding or User-Agent fields were different. Other potential response codes include Etag, a digital fingerprint of the object so the client can determine whether the object has changed, and Location, used to specify the new resource in redirect messages. Finally, Entity headers describe the content itself. For example, the Content-Length field is used to tell the client the length of the object. In the example response, the Content-Type header indicates the object is a text file containing HTML. The Content-Encoding header indicates the object is compressed using gzip. Page 90 of 91 Now that we have discussed many individual components of the HTTP protocol, we are going to briefly look at some HTTP transactions and see how the headers indicate what is happening and why. The HTTP protocol uses it’s methods, response codes and various headers to manage both caching and the ways used to tell clients that entire objects have been received. The first time an object is requested, the origin server will typically send a response with a 200 status code and the data. The next time the object is requested, it could be served by the origin server or it could be served from a cache. When the content has not changed, serving from cache decreases the load on the server and the response time to the client. However, if the content has changed, serving from cache will result in the client viewing out of date, or stale, content. The HTTP protocol is designed to help manage this process and supports caching on clients and intermediary devices such as proxies and dedicated caches. Caching is performed through two models: the “Expiration” model and the “Validation” model. Which model is used by the given request-response pair varies based on the information the server provides about an object and the information the client has about an object. The expiration model hopes to reduce the overall number of HTTP requests that reach the server by eliminating requests for resources that are already in the cache. This can be done if the server returns content marked in such a way that the caching device has confidence that the original object is still valid. For example, the server may return an object with a Cache-Control: max-age header set to 3600. The client knows that that object is valid for 3600 seconds or one hour. If the object is needed again before the hour ends, the object will be served from cache. Alternately, the server may return an object with an Expires: header set to an explicit date. In this case, the client knows the object can be served until that date arrives. Interaction with intermediary caches can vary from these examples. Often, the server’s first response does not include an explicit period that the object is good. In those cases, it may include headers that allow the client to verify that the object hasn’t changed before serving it from cache. In this case, the client still needs to send a request and the server still needs to respond, but often the object itself does not have to be present. If the server includes an Etag header in its initial response, the client can send requests with a If-None-Match header, set to the Etag value. When the server sees that the client already has the object, it can respond with a 304 Not-Modified status code and not send any data in the response. Similarly, if the original response includes a Last-Modified header, the client’s subsequent request can include a IfModified-Since header with the same date. Again, when the server sees the client has the correct version of the object, it can respond with a 304 and the client can present the object from its cache. HTTP uses multiple techniques to let client’s know when an entire object has been received. Prior to HTTP 1.0, each request used a separate connection, so it was simple for the server to indicate the transfer was complete: it closed the TCP connection. However, Keep-Alives support meant the client needed other ways to know when the transfer was finished. The most common method used today involves the Content-Length header. When the server’s response includes this header, the value of the header is the length of the object in bytes. Once that number of bytes have been received, the client knows the entire object has been transmitted. Another alternative is for the server to not support Keep-Alives and revert to sending one object per connection. In HTTP 1.1, Keep-Alives are enabled by default, so the server must explictly tell the client that it will not support Keep-Alives. This is accomplished with a Connection: Close header. A third method involves chunking. At times, the server must dynamically generate the content that will become the response. And rather than caching all the components on the server, it may wish to begin sending parts of the response as they are generated. When servers choose this option, they will send the data in chunks and indicate this with a Tranfer-Encoding: chunked header. When the client sees this, it knows to expect a series of length-field – data-field pairs and eventually receive a length field of zero, indicating the server has completed the transfer. We hope that this has given you a good introduction to HTTP. While it may seem a simple process – open a connection, send a request, process a response – there are many options within those few steps that can greatly improve the user experience, but will certainly add in the protocols complexity. We hope this course has given you a foundation to work from in understanding all that is HTTP. Page 91 of 91