Posts

BigIP LTM splunk irule High Speed Logging

The below is the Splunk iRule used to log to Splunk using High Speed Logging. Here we send a set of custom fields to our logging destination, but it is easy to see how flexible this is in terms of what you choose to log. This works with BigIP version 10 and version 11.

Example BigIP Splunk Log entry from iRule
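As an added example (not the post's own iRule), here is a minimal High Speed Logging iRule that sends one key=value line per HTTP request to a pool of Splunk collectors. The pool name splunk_hsl_pool is an assumption; HSL::open, HSL::send and the other commands used are standard iRule commands available on BIG-IP 10.1 and later.

```tcl
# Added example (not the original post's iRule). Sends one log line per HTTP
# request to Splunk over High Speed Logging; the pool name is an assumption.
when CLIENT_ACCEPTED {
    # HSL handle bound to a pool of Splunk UDP collectors (pool name assumed).
    set hsl [HSL::open -proto UDP -pool splunk_hsl_pool]
}

when HTTP_REQUEST {
    # Capture request fields here: they are no longer readable in HTTP_RESPONSE.
    # CR/LF are stripped so a crafted request cannot split the log line (log injection).
    set req_method [HTTP::method]
    set req_host   [string map {"\r" "" "\n" ""} [HTTP::host]]
    set req_uri    [string map {"\r" "" "\n" ""} [HTTP::uri]]
}

when HTTP_RESPONSE {
    # key=value pairs are what Splunk's automatic field extraction picks up without a custom props.conf.
    HSL::send $hsl "client=[IP::client_addr]:[TCP::client_port] vs=[virtual name] method=$req_method host=$req_host uri=$req_uri status=[HTTP::status] server=[IP::server_addr]:[TCP::server_port]\n"
}
```

The HSL handle is opened once per TCP connection in CLIENT_ACCEPTED and reused for every request on it, which is cheaper than opening it per request; the line is emitted from HTTP_RESPONSE so that the response status code and the selected server can be included alongside the request fields.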

Change hostname on a HA Pair or Single BigIP LTM F5

Below is an example of how to change the hostname on a HA pair of BigIP LTM F5s.

This change requires the command “bigstart restart”, which restarts the BIG-IP system services, so don’t run this on a live system without notice.

To change this login as root and issue these commands:

BigIP F5 LTM Copying Configuration to another volume

When upgrading an F5 you install to a different volume, and the configuration can be lost in the process; this shows you how to copy the configuration to the volume being upgraded. You can use the cpcfg utility to copy the running configuration from one installation location to another. This is a quick way to update an offline location to the latest configuration, and is useful when applying hotfixes, where the configuration and license are not applied to the target.

The operation replaces the configuration on the target. The destination for the copy operation must represent an installation location that is not currently active, and that contains a configuration older than the source.

To copy the running configuration
# On the source, log on to the command line using an account with administrative permissions.
# Type the following command:

If you do not specify a source, the operation uses the configuration from the active installation location. For example, to copy the active configuration from HD1.3 to HD1.1, if you are logged on to HD1.3, you run the following command:

reference:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_getting_started_guide_10_1_0/bip_gs_pre_install.html

BigIP F5 LTM iRule replace pre-existing X-Forwarded-For headers

The below iRule will look for an existing HTTP Header “X-Forwarded-For”, strip it then it will insert a new one with the client IP address.
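As an added example (not the post's own iRule), the following does what the paragraph above describes. A client-supplied X-Forwarded-For is untrusted and easily spoofed, so it is discarded and replaced with the address of the TCP peer the BIG-IP actually accepted the connection from; all commands used are standard iRule commands.

```tcl
# Added example (not the original post's iRule). Replaces any client-sent
# X-Forwarded-For header with the real peer address of the connection.
when HTTP_REQUEST {
    # HTTP::header remove strips every instance of the named header, so a client
    # that sent several copies does not leave a stray one behind.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove "X-Forwarded-For"
    }
    # Insert a single X-Forwarded-For carrying the address the BIG-IP saw.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```

Because the header is removed before the new one is inserted, the pool members only ever see one X-Forwarded-For value, and it is one that the BIG-IP itself set, which is what makes it usable for server-side logging and access decisions.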

BigIP F5 LTM Check HA Serial Cable Connection

How to verify if the HA serial cable is connected:

BigIP F5 LTM “VLAN-Keyed Connections” Auto Last Hop

[Diagram: F5-vlan-key-auto-map]

Please refer to the above diagram.

Server A needs to access Server B. The initial SYN packet goes to the firewall, which has a route in place to send traffic for Server B toward the F5 via the “VIP” segment. The F5 then routes this out of its RC interface.

When Server B replies with SYN+ACK, the F5 will route this directly to Server A, through its connection to the WEB segment.

This causes a problem when Server A replies with ACK: that ACK goes to the firewall, which didn’t see the SYN+ACK from Server B and therefore drops the connection.

Below are a couple of ways to solve this asymmetric routing problem:

  • Configure a static route on Server A to use the F5 as the next hop for this traffic – not practical, as Server A really represents several servers, with more over time.
  • Use SNAT on the F5 to create a local IP representing Server B on the WEB segment – not feasible, as Server B also represents several servers, with more over time.
  • Enable Auto Last Hop on the F5 so that it sends Server B’s replies back to the firewall, ignoring its connected route out of the WEB segment.

Point 3 seems the most logical choice; however, we would also need to disable the setting “VLAN-Keyed Connections”.

According to the F5 documentation, the setting does this:

Specifies, when checked (enabled), that the system uses VLAN-keyed connections. When enabled, the system uses VLAN-keyed connections when traffic for the same connection must pass through the system several times, on multiple pairs of VLANs (or in different VLAN groups). You should disable this setting for asymmetric routing to work correctly. The default is enabled.

What does this mean in plain English, and is it needed, with or without Auto Last Hop, to solve the issue described above?

Response from F5:

VLAN-keyed connections is a feature that tells the BIG IP how to handle the connections. Basically, when VLAN-keyed connections are disabled, connection flows are allowed to match any VLANs. Therefore, a connection can be matched to an existing flow and updated, regardless of the VLAN the packet was received on. This is why it is recommended to disable this feature in order to allow asymmetric routing across multiple VLANs.

Here is the solution which explains how you can set up your BIG IP to allow asymmetric routed connections across multiple VLANs:
http://support.f5.com/kb/en-us/solutions/public/10000/300/sol10346.html?sr=21315050
For your implementation, have you also considered nPath routing, maybe? Here is the documentation, just in case it could be of any use:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_npath.html?sr=21315630

BigIP F5 LTM iRule Balancing Decision

Change pool based on URI

Path check match

BigIP F5 LTM iRule URI based persistence

The client requirement is to enable URI-based persistence for traffic going to the cms path (e.g. https://uk.domain.com/apiv2/cms/).

BigIP LTM iRule redirect if pool servers unavailable

Redirect request if servers not available

Change pool if servers not available
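As an added example covering the two cases listed above, “change pool based on URI” and “redirect or change pool if servers are not available” (not the post's own iRules), the following iRule chooses a pool from the request path and, when that pool has no available members, changes to a backup pool or redirects the client. The pool names pool_api, pool_web and pool_backup and the maintenance URL are assumptions; HTTP::path, active_members, pool and HTTP::redirect are standard iRule commands.

```tcl
# Added example (not the original post's iRule); pool names and the redirect
# target are assumptions.
when HTTP_REQUEST {
    # Pick a pool from the request path: API calls go to pool_api, everything else to pool_web.
    if { [HTTP::path] starts_with "/apiv2/" } {
        set chosen "pool_api"
    } else {
        set chosen "pool_web"
    }

    # active_members returns the number of members the monitors currently mark as up.
    if { [active_members $chosen] > 0 } {
        pool $chosen
    } elseif { [active_members "pool_backup"] > 0 } {
        # The chosen pool is down: change pool rather than fail the request.
        pool "pool_backup"
    } else {
        # Nothing left to serve the request: send the client to a static maintenance page.
        HTTP::redirect "https://maintenance.example.com/"
    }
}
```

Matching on HTTP::path rather than HTTP::uri keeps a query string from affecting the routing decision, and checking active_members before calling pool avoids sending a request to a pool the monitors have already marked down.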

BigIP F5 LTM iRule Setting HttpOnly flag on HTTP cookies

Not all cookies returned by the client's application carry the HttpOnly flag. This flag is required to prevent client-side scripts (i.e. JavaScript) from accessing the cookie values.

To overcome this, we can configure the F5 BigIP to inject the HttpOnly flag wherever it is missing.

Requirements

# HTTPS/SSL offloaded to the F5
# HTTP profile applied to the HTTPS Virtual Server
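As an added example (not the post's own iRule), the following iRule, attached to the HTTPS virtual server that meets the two requirements above, appends HttpOnly to every Set-Cookie the server returns that does not already carry it. All commands used are standard iRule commands; no names beyond those are assumed.

```tcl
# Added example (not the original post's iRule). Adds HttpOnly to each
# Set-Cookie in the response that lacks it.
when HTTP_RESPONSE {
    if { [HTTP::header exists "Set-Cookie"] } {
        # Read all Set-Cookie values, drop the originals, then re-insert each one.
        set cookies [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach cookie $cookies {
            # Attribute names are case-insensitive, so compare in lower case.
            if { not ([string tolower $cookie] contains "httponly") } {
                append cookie "; HttpOnly"
            }
            HTTP::header insert "Set-Cookie" $cookie
        }
    }
}
```

Cookies that already have the flag are re-inserted unchanged, so applications that set HttpOnly themselves are not affected; because the HTTP profile is what lets the iRule see the response headers, the rule does nothing on a virtual server without one.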