F5 - License Issue or Config Issue?

Posted on 2011-10-14
727 Views
Last Modified: 2012-05-12
Just purchased an f5 BIG-IP 5100 4.5.10 licensed load balancer from ebay, from very reputable seller, Andover (been buying from them for over 10yrs).

The f5 unit is activated, and seems to be in good working order.  Checked the status of the license from f5's site, got this:

# Base Key for F5 Product BIG-IP 4.x for S90806
#-------------------------------------------------------------------
  Base RegKey           : XXXXX (Locked) Product Code: HA
  F5 Platform           : D51
  First Activation Date : 12-05-2005
  Last Activation Date  : 08-23-2011
  License Time Limit    : N/A

QUESTION 1:  Are any of you guys f5 masters?  What does (Locked) mean?
This is my first load balancer from f5 - flyin' in the dark here.

QUESTION 2:  Regarding config and inability to browse website:

2 webservers - 192.168.250.220 and 192.168.250.221.  Can browse website on each server individually, so IIS is working properly.

Absolutely most basic config on the f5.

One-arm config.  The "internal" and "external" vlans are grouped together and have a self-IP of 192.168.250.225

The two webserver nodes are in a pool with default parameters.

Virtual Server is 192.168.250.226:80

Nodes are UP, monitor checking port 80 is UP

Attempt to browse through VIP times out.

The Virtual Server Statistics show a connection, show packets in, but no packets out.

I followed the config instructions from f5 manual.  The instructions don't seem to indicate that there's any more magic required.

What am I missing?

THANK YOU FOR TAKING THE TIME TO CONSIDER THIS ISSUE.
Question by:willdsn
9 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 36974802
"locked" means activated on a specific system

I will look at the rest of your question Monday

Steve
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 36981855
I'm not sure what you are referring to when you say the VLANs are grouped. Typically, you'd have an external VLAN (associated with a NIC facing the Internet) and an internal VLAN (associated with a NIC facing the internal network). For example, in a CRUDE config, your F5 would have an interface with a public IP address in the external VLAN and an interface with a private IP address in the internal VLAN.

Does that make sense? If not I can post a working bigip_base.conf and a bigip.conf . . .maybe that would help.

Good luck,
Steve
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 36982058
Here's a bigip_base.conf with an internal (vlan 493) and external (vlan 102) vlan defined. Also an internal and external self IP address has been defined.

BIGIP_BASE.CONF

mgmt 192.168.1.245 {
   netmask 255.255.255.0
}
vlan external {
   tag 102
   interfaces 1.1
}
vlan internal {
   tag 493
   interfaces 1.2
}
stp instance 0 {
   vlans
      external
      internal
   interfaces
      1.1
         external path cost 20K
         internal path cost 20K
      1.2
         external path cost 20K
         internal path cost 20K
}
self allow {
   default
      tcp any
      udp any
}
self 10.7.0.70 {
   netmask 255.255.255.248
   vlan external
}
self 10.7.0.99 {
   netmask 255.255.255.248
   vlan internal
}
shell write partition Common
system {
   gui setup disable
   hostname "ltm01.net.org"
}

Here's a config file with 2 pools defined and VIPs defined for each pool. There's also a default gateway (toward the external network) defined.

BIGIP.CONF
partition Common {
   description "Repository for system objects and shared objects."
}
user root {
   password crypt "$1$qmI4IWPM$.iCFXAoiL0Tv.tJo2ivkL1"
}
route default inet {
   gateway 10.7.0.68
   static
}
snat IPSEC_SNAT {
   translation 10.7.0.10
   origins
      10.7.0.98
      10.7.0.101
}
shell write partition Common
user admin {
   password crypt "$1$TBLlXUBq$lE2baBM338qoBWtps6TOE."
   description "admin_for_configsync"
   id 0
   group 500
   home "/home/admin"
   shell "/bin/false"
   role administrator in all
}
user f5emsvr {
   password crypt "!!"
   description "F5 EM Service Account"
   id 975
   group 975
   home "/root"
   shell "/bin/false"
   role guest in all
}
profile fastL4 fastl4_loose_close {
   defaults from fastL4
   tcp close timeout 51
   loose initiation enable
   loose close enable
}
profile persist acrossvirtuals {
   defaults from source_addr
   mode source addr
   timeout 10
   across services enable
   across virtuals enable
}
pool IPSEC {
   snat disable
   nat disable
   members
      10.7.0.98:any
         limit 1K
      10.7.0.101:any
         limit 1K
}
pool IPSEC_POOL_4500 {
   action on svcdown reset
   monitor all gateway_icmp
   members
      10.7.0.98:4500
         limit 30
      10.7.0.101:4500
         limit 30
}
pool IPSEC_POOL_UDP_500 {
   action on svcdown reset
   monitor all gateway_icmp
   members
      10.7.0.98:isakmp
         limit 30
      10.7.0.101:isakmp
         limit 30
}
virtual IPSEC {
   translate address disable
   pool IPSEC
   destination 10.7.0.10:any
   persist acrossvirtuals
}
virtual IPSEC_VIP_4500 {
   pool IPSEC_POOL_4500
   destination 10.7.0.10:4500
   ip protocol udp
   profiles fastL4
   persist acrossvirtuals
}
virtual IPSEC_VIP_500 {
   pool IPSEC_POOL_UDP_500
   destination 10.7.0.10:isakmp
   persist acrossvirtuals
}
0
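The two files above are hand-edited, and the most common way a config like this fails is wiring rather than syntax: a virtual pointing at a pool that does not exist, a pool with no monitor (so its members are never actually health-checked), or a destination port that does not match the member port. The following is an added example, not code from the thread or from F5: a small linter for the brace-block bigip.conf syntax shown above. The sample configuration it parses is constructed for the example (documentation-range 192.0.2.x addresses, made-up pool and virtual names) and deliberately contains one of each of those defects.

```python
import re

# Constructed sample in the bigip.conf brace syntax seen in the thread.
# Addresses and object names are placeholders, not the poster's values.
SAMPLE_CONF = """\
route default inet {
   gateway 192.0.2.1
   static
}
pool WEB_POOL {
   monitor all http
   members
      192.0.2.10:80
         limit 30
      192.0.2.11:80
         limit 30
}
pool NOMON_POOL {
   members
      192.0.2.20:any
}
virtual WEB_VIP {
   pool WEB_POOL
   destination 192.0.2.100:80
   ip protocol tcp
}
virtual MISMATCH_VIP {
   pool WEB_POOL
   destination 192.0.2.100:8080
}
virtual ORPHAN_VIP {
   pool MISSING_POOL
   destination 192.0.2.101:443
}
virtual NOMON_VIP {
   pool NOMON_POOL
   destination 192.0.2.102:any
}
"""

BLOCK_RE = re.compile(r"^(\w+) (.+) \{$")      # "pool NAME {" / "virtual NAME {"
MEMBER_RE = re.compile(r"^ {6}(\S+?):(\S+)$")  # member lines sit at a 6-space indent


def parse_blocks(text):
    """Split the file into top-level (kind, name, body_lines) brace blocks."""
    blocks, current = [], None
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2), [])
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            current[2].append(line)
    return blocks


def parse_pools(blocks):
    """Collect (ip, port) members and whether a monitor is set, per pool."""
    pools = {}
    for kind, name, body in blocks:
        if kind != "pool":
            continue
        members = [(m.group(1), m.group(2)) for m in map(MEMBER_RE.match, body) if m]
        monitor = any(line.strip().startswith("monitor ") for line in body)
        pools[name] = {"members": members, "monitor": monitor}
    return pools


def lint(text):
    """Return a list of findings about pool/virtual wiring."""
    blocks = parse_blocks(text)
    pools = parse_pools(blocks)
    findings = []
    for name, pool in pools.items():
        if not pool["members"]:
            findings.append(f"pool {name}: no members")
        if not pool["monitor"]:
            findings.append(f"pool {name}: no monitor (members are never health-checked)")
    for kind, name, body in blocks:
        if kind != "virtual":
            continue
        pool_name, dest = None, None
        for line in body:
            words = line.split()
            if words[:1] == ["pool"]:
                pool_name = words[1]
            elif words[:1] == ["destination"]:
                dest = words[1]
        if pool_name is None:
            findings.append(f"virtual {name}: no pool assigned")
            continue
        if pool_name not in pools:
            findings.append(f"virtual {name}: references undefined pool {pool_name}")
            continue
        vport = dest.rsplit(":", 1)[1] if dest and ":" in dest else "any"
        mports = {port for _, port in pools[pool_name]["members"]}
        # A port difference may be intentional port translation, so report it as a warning.
        if vport != "any" and mports - {"any", vport}:
            findings.append(f"virtual {name}: destination port {vport} "
                            f"differs from member ports {sorted(mports)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Running it on the sample reports the pool without a monitor, the virtual whose pool is undefined, and the port mismatch, and says nothing about the correctly wired WEB_VIP. The parser only understands the one-level block structure used in these files, which is enough for pool and virtual objects.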

 

Author Comment

by:willdsn
ID: 36984039
Vlan Group is what you do for a "one-armed" config, when the VIP and the pool are in the same subnet.
I've tried the "two-armed" config, which makes more sense to you and me from a standard networking point of view, where there's a real NAT/PAT going on between two separate subnets, but I get the same results.  Finally scrounged up the manual that goes w/ this version of f5, 4.5.10, and followed the instructions for a "one-armed" config, which involves creating a "Vlan Group", including the internal and external vlans in the group.  The self-ip is assigned to the vlan group. The f5 software then is able to "route" between the vlans, like an L3 switch w/ intervlan routing.  I just did it because the manual said it would work, but it doesn't.

0
 
LVL 16

Expert Comment

by:SteveJ
ID: 36986755
Are you connected directly to the BIG IP with your pool members or are they on a separate switch? Do your pool members have the BIG IP as the default gateway or next hop?

Steve
0
 

Author Comment

by:willdsn
ID: 36989492
Tried setting the BIG IP as the default gateway for the pool members, but get same result.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 2000 total points
ID: 36989850
Have you done a tcpdump on the internal and external interface to see what's actually happening?

Steve
0
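The reason the capture is the right next step is that the original symptom ("packets in, but no packets out" on the virtual server) can come from several different stages of the TCP handshake, and only a capture on the BIG-IP itself tells them apart. In a one-arm layout where the VIP and the pool members share a subnet, a node that receives a connection with the client's real source address will answer the client directly, so its SYN-ACK never passes back through the BIG-IP and the client, which expected a reply from the VIP, discards it; the usual fixes are SNAT on the virtual server or making the BIG-IP the nodes' default gateway. The following is an added example, not code from the thread or from F5: it parses tcpdump -n style lines and classifies where the handshake stalls. The capture lines are constructed for the example; they reuse the VIP, self-IP and node addresses from the question, and the client address 192.168.250.50 and the interface on which tcpdump was run are assumptions.

```python
import re
from collections import Counter

# Addresses from the question; the client address is an assumption.
VIP = "192.168.250.226"
SELF_IP = "192.168.250.225"
NODES = {"192.168.250.220", "192.168.250.221"}

# Constructed capture: no SNAT, client address preserved toward the node.
# The node's SYN-ACK goes straight to the client and never crosses the BIG-IP.
CAPTURE_NO_SNAT = """\
13:01:02.000100 IP 192.168.250.50.51234 > 192.168.250.226.80: Flags [S], seq 1000, win 65535, length 0
13:01:02.000300 IP 192.168.250.50.51234 > 192.168.250.220.80: Flags [S], seq 1000, win 65535, length 0
13:01:05.000100 IP 192.168.250.50.51235 > 192.168.250.226.80: Flags [S], seq 2000, win 65535, length 0
13:01:05.000300 IP 192.168.250.50.51235 > 192.168.250.221.80: Flags [S], seq 2000, win 65535, length 0
"""

# Constructed capture: SNAT to the self-IP, so the node replies to the BIG-IP,
# which relays the SYN-ACK to the client from the VIP.
CAPTURE_SNAT = """\
13:02:02.000100 IP 192.168.250.50.51300 > 192.168.250.226.80: Flags [S], seq 1000, win 65535, length 0
13:02:02.000300 IP 192.168.250.225.4001 > 192.168.250.220.80: Flags [S], seq 1000, win 65535, length 0
13:02:02.000500 IP 192.168.250.220.80 > 192.168.250.225.4001: Flags [S.], seq 5000, ack 1001, win 8192, length 0
13:02:02.000700 IP 192.168.250.226.80 > 192.168.250.50.51300: Flags [S.], seq 5000, ack 1001, win 8192, length 0
"""

# tcpdump -n TCP line: "<time> IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_capture(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) per TCP line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def handshake_counts(text, vip, nodes):
    """Count SYN / SYN-ACK on the client side (VIP) and the server side (nodes)."""
    c = Counter()
    for src, _sp, dst, _dp, flags in parse_capture(text):
        is_syn, is_synack = flags == "S", flags == "S."
        if dst == vip and is_syn:
            c["vip_syn"] += 1
        elif src == vip and is_synack:
            c["vip_synack"] += 1
        elif dst in nodes and is_syn:
            c["node_syn"] += 1
        elif src in nodes and is_synack:
            c["node_synack"] += 1
    return c


def diagnose(text, vip=VIP, nodes=NODES):
    """Map the four counters to the stage at which the handshake stalls."""
    c = handshake_counts(text, vip, nodes)
    if c["vip_syn"] == 0:
        return "no client SYN reached the VIP: check client routing / VLAN"
    if c["node_syn"] == 0:
        return "SYN reached VIP but was never forwarded: no available pool member or VS disabled"
    if c["node_synack"] == 0:
        return ("SYN forwarded to node but no SYN-ACK came back through BIG-IP: "
                "asymmetric return path (node answers client directly); "
                "use SNAT or make BIG-IP the node's gateway")
    if c["vip_synack"] == 0:
        return "node replied but BIG-IP did not relay SYN-ACK to client: check VS/profile state"
    return "healthy: handshake completed through BIG-IP"


if __name__ == "__main__":
    print("no SNAT :", diagnose(CAPTURE_NO_SNAT))
    print("SNAT    :", diagnose(CAPTURE_SNAT))
```

Feed it the text of a real capture (for example `tcpdump -n port 80` run on the BIG-IP while browsing to the VIP) and the verdict separates the "never forwarded" case, which points at the pool or virtual server, from the "forwarded but no reply seen" case, which points at the return path. The counters are aggregate on purpose: they match the statistics view the question describes rather than trying to pair individual flows across the address translation.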
 

Author Comment

by:willdsn
ID: 36991006
I haven't, and it'll be a couple of days before I have the opportunity.  Thank you for your help.  I'll follow up.
0
 

Author Closing Comment

by:willdsn
ID: 37026679
Thanks for your help, Steve.  Going with another config for this Exchange HA.
0
