Posts

BIG-IP F5 Modify records per screen UI via tmsh

I needed a way to change the number of records shown per page in the BIG-IP F5 web UI. With the default of 10 records you can see why this is a pain:

BIG-IP UI Record limit

As the screenshots above show, this gets annoying. Because we build many F5s, I needed a way to set this value at build time from the CLI. In the BIG-IP GUI the change is easy, as shown below:

BIG-IP F5 update records per screen

To set the number of records per screen in the BIG-IP F5 GUI with tmsh instead, run the following:

BigIP LTM splunk irule High Speed Logging

Below is the Splunk iRule we use to log to Splunk with High Speed Logging (HSL). The entries it sends are custom fields we chose, but it should be obvious how flexible the approach is in terms of what you log. It works with BigIP version 10 and version 11.

Example BigIP Splunk Log entry from iRule
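As an added illustration of the HSL approach described above (this is not the blog's original iRule), the following iRule emits one structured log line per HTTP request/response pair. It assumes a pool named splunk_hsl_pool that contains the Splunk UDP syslog input; the field names are my own choice and can be adapted to whatever Splunk extraction you use.

```tcl
# Added example (not the original post's iRule): High Speed Logging of
# HTTP transactions to Splunk. Assumption: pool "splunk_hsl_pool" exists
# and points at the Splunk UDP syslog input.
when CLIENT_ACCEPTED {
    # Open the HSL handle once per TCP connection rather than per request
    set hsl [HSL::open -proto UDP -pool splunk_hsl_pool]
}

when HTTP_REQUEST {
    # Capture request fields now: HTTP::uri, HTTP::host and friends are
    # request-side commands and are not valid in HTTP_RESPONSE
    set req_method [HTTP::method]
    set req_host   [HTTP::host]
    set req_uri    [HTTP::uri]
    # Log the X-Forwarded-For value as received so spoofed or unexpected
    # values from clients can be spotted in Splunk
    set req_xff    [HTTP::header value "X-Forwarded-For"]
}

when HTTP_RESPONSE {
    # "<134>" is the syslog priority: facility local0 (16*8), severity info (6).
    # Logging at response time lets us include the status code and the
    # pool member that actually served the request.
    HSL::send $hsl "<134> vs=\"[virtual name]\" client_ip=[IP::client_addr] client_port=[TCP::client_port] method=$req_method host=\"$req_host\" uri=\"$req_uri\" xff=\"$req_xff\" status=[HTTP::status] pool=\"[LB::server pool]\" node=[IP::server_addr]\n"
}
```

Key/value pairs with the values quoted make the line trivial to extract in Splunk, and recording the node and pool per transaction is what lets you correlate an alert back to a specific backend server.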

BIGIP f5 How to get all pools and members or VIP address port in CSV format

Recently I needed to extract pool and member information from a BigIP F5 as CSV. There did not seem to be any easy way to do this from the F5 itself, so I looked into pyControl and came up with the following script, which logs on to the F5 using pyControl and downloads the data I need into a CSV file. See the example:

f5-talker.py usage

f5-talker.py source code

download script here

Change hostname on a HA Pair or Single BigIP LTM F5

Below is an example of how to change the hostname on an HA pair of BigIP LTM F5s.

This change requires the command "bigstart restart", which restarts the BIG-IP system services, so do not run it on a live system without notice.

To change the hostname, log in as root and issue these commands:

BigIP F5 LTM Copying Configuration to another volume

When upgrading an F5 you install to a different volume, and the configuration can be lost in the process; this shows how to copy the configuration to the volume being upgraded. The cpcfg utility copies the running configuration from one installation location to another. This is a quick way to bring an offline location up to the latest configuration, and is useful when applying hotfixes, where the configuration and license are not applied to the target.

The operation replaces the configuration on the target. The destination for the copy operation must represent an installation location that is not currently active, and that contains a configuration older than the source.

To copy the running configuration:
1. On the source, log on to the command line using an account with administrative permissions.
2. Type the following command:

If you do not specify a source, the operation uses the configuration from the active installation location. For example, to copy the active configuration from HD1.3 to HD1.1, if you are logged on to HD1.3, you run the following command:

reference:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_getting_started_guide_10_1_0/bip_gs_pre_install.html

BigIP F5 LTM iRule replace pre-existing X-Forwarded-For headers

The iRule below looks for an existing HTTP header "X-Forwarded-For", strips it, and then inserts a new one containing the client IP address.
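An added example of the header-replacement behaviour just described (not the blog's original iRule): because X-Forwarded-For is a plain request header, a client can send any value it likes, so the backend should only ever trust a value the BIG-IP itself wrote. The iRule removes whatever arrived and inserts exactly one header carrying the address of the connection the BIG-IP actually accepted.

```tcl
# Added example (not the original post's iRule): replace any client-supplied
# X-Forwarded-For with the real client address of the connection.
when HTTP_REQUEST {
    # HTTP::header remove deletes every instance of the named header, so a
    # client sending several X-Forwarded-For headers cannot leave one behind.
    # Header name matching is case-insensitive.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove "X-Forwarded-For"
    }
    # Insert a single header with the source address of the client-side
    # TCP connection; this is unaffected by any SNAT applied server-side.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```

If the BIG-IP itself sits behind another proxy that legitimately populates X-Forwarded-For, this iRule would discard that upstream value, so apply it only on virtual servers that face clients directly.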

BigIP F5 LTM Check HA Serial Cable Connection

How to verify if the HA serial cable is connected:

F5 LTM – Packet Sniffing HTTP Headers

To confirm that an F5 is adding HTTP headers, you can sniff the HTTP headers with tcpdump from the shell using the following command:

BigIP F5 LTM "VLAN-Keyed Connections" Auto Last Hop

F5-vlan-key-auto-map

Please refer to the above diagram.

Server A needs to access Server B. The initial SYN packet goes to the firewall, which has a route in place to send traffic for Server B toward the F5 via the "VIP" segment. The F5 then routes it out of its RC interface.

When Server B replies with SYN+ACK, the F5 routes this directly to Server A through its connection to the WEB segment.

This causes a problem when Server A replies with ACK: the ACK goes to the firewall, which did not see the SYN+ACK from Server B and therefore drops the connection.

Below are a couple of ways to solve this asymmetric routing problem:

  • Configure a static route on Server A to use the F5 as next hop for the traffic. This is not practical, as Server A really represents several servers, with more over time.
  • Use SNAT on the F5 to create a local IP representing Server B on the WEB segment. This is not feasible, as Server B represents several servers, with more over time.
  • Enable Auto Last Hop on the F5 so that the F5 sends Server B's replies back to the firewall, ignoring its connected route out of the WEB segment.

Point 3 seems the most logical choice; however, we would also need to disable the setting "VLAN-Keyed Connections".

According to the F5 documentation it does this:

Specifies, when checked (enabled), that the system uses VLAN-keyed connections. When enabled, the system uses VLAN-keyed connections when traffic for the same connection must pass through the system several times, on multiple pairs of VLANs (or in different VLAN groups). You should disable this setting for asymmetric routing to work correctly. The default is enabled.

What does this mean in plain English, and is it needed with or without Auto Last Hop to solve the issue described above?

Response from F5:

VLAN-keyed connections is a feature that tells the BIG-IP how to handle the connections. Basically, when VLAN-keyed connections are disabled, connection flows are allowed to match any VLANs. Therefore, a connection can be matched to an existing flow and updated, regardless of the VLAN the packet was received on. This is why it is recommended to disable this feature in order to allow asymmetric routing across multiple VLANs.

Here is the solution which explains how you can set up your BIG-IP to allow asymmetrically routed connections across multiple VLANs:
http://support.f5.com/kb/en-us/solutions/public/10000/300/sol10346.html?sr=21315050
For your implementation, have you also considered nPath routing, maybe? Here is the documentation, just in case it could be of any use:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_npath.html?sr=21315630

BigIP F5 LTM iRule Balancing Decision

Change pool based on URI

Path check match
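As an added example of a URI-based balancing decision and path match (not the blog's original iRule), the following iRule selects a pool from the request path. The pool names api_pool, static_pool and web_pool are assumptions for the example.

```tcl
# Added example (not the original post's iRule): choose the pool from the
# request path. Assumed pools: api_pool, static_pool, web_pool.
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string, so "?q=/api/" in
    # the query cannot influence the match; lowercase once so the glob
    # patterns below are effectively case-insensitive.
    set path [string tolower [HTTP::path]]

    # "--" ends option parsing so a path beginning with "-" is still a string
    switch -glob -- $path {
        "/api/*" {
            pool api_pool
        }
        "/static/*" {
            pool static_pool
        }
        default {
            # Everything else goes to the general web farm
            pool web_pool
        }
    }
}
```

Because the match is made on the decoded path, encoded variants such as "%2Fapi%2F" are normalised by the BIG-IP before HTTP::path is evaluated, which keeps the pool decision consistent with what the backend will see.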