F5 - License Issue or Config Issue?

Just purchased an f5 BIG-IP 5100 4.5.10 licensed load balancer from eBay, from a very
reputable seller, Andover (been buying from them for over 10yrs).

The f5 unit is activated, and seems to be in good working order.  Checked the status of the license
from f5's site, got this:

# Base Key for F5 Product BIG-IP 4.x for S90806
#-------------------------------------------------------------------
  Base RegKey           : XXXXX (Locked) Product Code: HA
  F5 Platform           : D51
  First Activation Date : 12-05-2005
  Last Activation Date  : 08-23-2011
  License Time Limit    : N/A

QUESTION 1:  Are any of you guys f5 masters?  What does (Locked) mean?
This is my first load balancer from f5 - flyin' in the dark here.

QUESTION 2:  Regarding config and inability to browse website:

2 webservers - 192.168.250.220 and 192.168.250.221.  Can browse website on each server individually, so IIS is working properly.

Absolutely most basic config on the f5.

One-arm config.  The "internal" and "external" vlans are grouped together and have a
self-IP of 192.168.250.225

The two webserver nodes are in a pool with default parameters.

Virtual Server is 192.168.250.226:80

Nodes are UP, monitor checking port 80 is UP

Attempt to browse through VIP times out.

The Virtual Server Statistics show a connection, show packets in, but no packets out.

I followed the config instructions from f5 manual.  The instructions don't seem to indicate that there's any more magic required.

What am I missing?

THANK YOU FOR TAKING THE TIME TO CONSIDER THIS ISSUE.
willdsn Asked:

Steve Jennings, IT Manager, Commented:
"locked" means activated on a specific system

I will look at the rest of your question Monday

Steve
Steve Jennings, IT Manager, Commented:
I'm not sure what you are referring to when you say the VLANs are grouped. Typically, you'd have an external VLAN (associated with a NIC facing the Internet) and an internal VLAN (associated with a NIC facing the internal network.) For example, in a CRUDE config, your F5 would have an interface with a public IP address in the external VLAN and an interface with a private IP address in the internal VLAN.

Does that make sense? If not I can post a working bigip_base.conf and a bigip.conf . . .maybe that would help.

Good luck,
Steve
Steve Jennings, IT Manager, Commented:
Here's a bigip_base.conf with an internal (vlan 493) and external (vlan 102) vlan defined. Also an internal and external self IP address has been defined.

BIGIP_BASE.CONF

mgmt 192.168.1.245 {
   netmask 255.255.255.0
}
vlan external {
   tag 102
   interfaces 1.1
}
vlan internal {
   tag 493
   interfaces 1.2
}
stp instance 0 {
   vlans
      external
      internal
   interfaces
      1.1
         external path cost 20K
         internal path cost 20K
      1.2
         external path cost 20K
         internal path cost 20K
}
self allow {
   default
      tcp any
      udp any
}
self 10.7.0.70 {
   netmask 255.255.255.248
   vlan external
}
self 10.7.0.99 {
   netmask 255.255.255.248
   vlan internal
}
shell write partition Common
system {
   gui setup disable
   hostname "ltm01.net.org"
}

Here's a config file with 2 pools defined and VIPs defined for each pool. There's also a default gateway (toward the external network) defined.

BIGIP.CONF
partition Common {
   description "Repository for system objects and shared objects."
}
user root {
   password crypt "$1$qmI4IWPM$.iCFXAoiL0Tv.tJo2ivkL1"
}
route default inet {
   gateway 10.7.0.68
   static
}
snat IPSEC_SNAT {
   translation 10.7.0.10
   origins
      10.7.0.98
      10.7.0.101
}
shell write partition Common
user admin {
   password crypt "$1$TBLlXUBq$lE2baBM338qoBWtps6TOE."
   description "admin_for_configsync"
   id 0
   group 500
   home "/home/admin"
   shell "/bin/false"
   role administrator in all
}
user f5emsvr {
   password crypt "!!"
   description "F5 EM Service Account"
   id 975
   group 975
   home "/root"
   shell "/bin/false"
   role guest in all
}
profile fastL4 fastl4_loose_close {
   defaults from fastL4
   tcp close timeout 51
   loose initiation enable
   loose close enable
}
profile persist acrossvirtuals {
   defaults from source_addr
   mode source addr
   timeout 10
   across services enable
   across virtuals enable
}
pool IPSEC {
   snat disable
   nat disable
   members
      10.7.0.98:any
         limit 1K
      10.7.0.101:any
         limit 1K
}
pool IPSEC_POOL_4500 {
   action on svcdown reset
   monitor all gateway_icmp
   members
      10.7.0.98:4500
         limit 30
      10.7.0.101:4500
         limit 30
}
pool IPSEC_POOL_UDP_500 {
   action on svcdown reset
   monitor all gateway_icmp
   members
      10.7.0.98:isakmp
         limit 30
      10.7.0.101:isakmp
         limit 30
}
virtual IPSEC {
   translate address disable
   pool IPSEC
   destination 10.7.0.10:any
   persist acrossvirtuals
}
virtual IPSEC_VIP_4500 {
   pool IPSEC_POOL_4500
   destination 10.7.0.10:4500
   ip protocol udp
   profiles fastL4
   persist acrossvirtuals
}
virtual IPSEC_VIP_500 {
   pool IPSEC_POOL_UDP_500
   destination 10.7.0.10:isakmp
   persist acrossvirtuals
}
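As an added illustration (not part of the thread and not Steve's own tooling), this Python sketch parses a trimmed excerpt of the configuration posted above and reports which self-IP subnet the default gateway, the pool members and the virtual address fall in. The function names `vlan_networks` and `placement` are hypothetical.

```python
import ipaddress
import re
# Trimmed excerpt of the bigip_base.conf / bigip.conf stanzas posted above.
SAMPLE = """\
self 10.7.0.70 {
   netmask 255.255.255.248
   vlan external
}
self 10.7.0.99 {
   netmask 255.255.255.248
   vlan internal
}
route default inet {
   gateway 10.7.0.68
}
pool IPSEC_POOL_4500 {
   members
      10.7.0.98:4500
         limit 30
      10.7.0.101:4500
         limit 30
}
virtual IPSEC_VIP_4500 {
   destination 10.7.0.10:4500
}
"""
STANZA = re.compile(r"^(\w+) ([^\n{]*?)\s*\{\n(.*?)^\}", re.M | re.S)
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def vlan_networks(conf):
    """Map each VLAN name to the subnet of the self IP bound to it."""
    nets = {}
    for kind, name, body in STANZA.findall(conf):
        if kind == "self" and "netmask" in body:
            mask = re.search(r"netmask " + IPV4, body).group(1)
            vlan = re.search(r"vlan (\S+)", body).group(1)
            nets[vlan] = ipaddress.ip_network(f"{name}/{mask}", strict=False)
    return nets

def placement(conf):
    """Return {address: VLAN or None} for gateway, pool members and virtuals."""
    nets, found = vlan_networks(conf), {}
    for kind, _name, body in STANZA.findall(conf):
        if kind in ("route", "pool", "virtual"):
            for ip in re.findall(r"^\s+(?:gateway |destination )?" + IPV4, body, re.M):
                addr = ipaddress.ip_address(ip)
                found[ip] = next((v for v, n in nets.items() if addr in n), None)
    return found

if __name__ == "__main__":
    print(placement(SAMPLE))
```

A value of `None` means the address is not inside either self-IP subnet of the excerpt, which is the case for the virtual address 10.7.0.10.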

willdsn, Author, Commented:
Vlan Group is what you do for a "one-armed" config, when the VIP and the pool are in the same subnet.
I've tried the "two-armed" config, which makes more sense to you and me from a standard networking point of view, where there's a real NAT/PAT going on between two separate subnets, but I get the same results.  Finally scrounged up the manual that goes w/ this version of f5, 4.5.10, and followed the instructions for a "one-armed" config, which involves creating a "Vlan Group", including the internal and external vlans in the group.  The self-ip is assigned to the vlan group. The f5 software then is able to "route" between the vlans, like an L3 switch w/ intervlan routing.  I just did it b'c the manual said it would work, but it doesn't.

Steve Jennings, IT Manager, Commented:
Are you connected directly to the BIG IP with your pool members or are they on a separate switch? Do your pool members have the BIG IP as the default gateway or next hop?

Steve
willdsn, Author, Commented:
Tried setting the BIG IP as the default gateway for the pool members, but get same result.
Steve Jennings, IT Manager, Commented:
Have you done a tcpdump on the internal and external interface to see what's actually happening?

Steve
willdsn, Author, Commented:
I haven't, and it'll be a couple of days before I have the opportunity.  Thank you for your help.  I'll follow up.
willdsn, Author, Commented:
Thanks for your help, Steve.  Going with another config for this Exchange HA.