Replacing GTM f5
Hello guys! This is also related to F5 GTM GSLB replacement | DevCentral.

I have some questions on our F5 GTM replacement. We have an issue when we add the new F5 on the data center following this KB https://my.f5.com/manage/s/article/K45907236. On the part "Creating a server (existing BIG-IP DNS)", the new server is in unknown state. When we check the error we see:

routines:ssl3_get_server_certificate:certificate verify failed

I am thinking bigip_add x.x.x.x will solve the problem; however, since the existing devices are in production I didn't use it. Instead, I uploaded the cert of the existing F5 to the new F5 under device management and trusted certificates, as I saw on https://my.f5.com/manage/s/article/K85555245:

Trusted device certificates: System > Certificate Management > Device Certificate Management > Device Trust Certificates
Trusted server certificates: DNS > GSLB > Servers > Trusted Server Certificates

The existing and new F5 have the same certs now; however, the problem is still there, but this time the error is different:

iqmgmt_ssl_connect: SSL error: Connection reset by peer (104) from connection x.x.x.x

Do you guys know how to solve this SSL issue we have? I also have some questions:

1. When I updated DNS > GSLB > Servers > Trusted Server Certificates, I exported the server.crt from the existing F5 and uploaded it on the new device. This overwrites the original server.crt on the new F5. I am thinking of running bigip_add x.x.x.x, but my worry is that it will make the certs doubled, because running bigip_add x.x.x.x will "append" the cert from the existing F5 to the new F5. So I am thinking to delete the server.crt on my new F5, but the problem is I didn't save a backup of the original server.crt :( Is there a way I can generate a new server.crt on my new F5? Do you think it is necessary to delete the current server.crt? Or is what I need to do the below, per https://my.f5.com/manage/s/article/K9114?

cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt

2. Running bigip_add x.x.x.x will be from the existing F5, correct?

existing f5# bigip_add x.x.x.x (new F5 IP)

3. The new F5 is on v17 and the existing F5s are on v14. Do you guys think it is a problem?

Thank you!

prober pool Round Robin with multi health monitors and with multi prober pool members
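Added example for the "Replacing GTM f5" post above (the question of whether appending to /config/gtm/server.crt doubles certificates). This is not code from that post or from F5: it parses a PEM bundle, fingerprints each CERTIFICATE block by the SHA-256 of its DER bytes, reports duplicates, and rewrites the bundle keeping only the first copy of each cert. The sample blocks are constructed placeholders (base64 of plain text, not real X.509 DER); on a real device the same check is what `openssl x509 -noout -fingerprint -sha256` would give per block.

```python
import base64
import hashlib
import re

# One PEM certificate block, including its BEGIN/END armor.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_certs(bundle: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    ders = []
    for match in _PEM_BLOCK.finditer(bundle):
        b64 = re.sub(r"\s+", "", match.group(1))
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(bundle: str) -> list:
    """SHA-256 fingerprint (hex) of each certificate, in bundle order."""
    return [hashlib.sha256(der).hexdigest() for der in parse_pem_certs(bundle)]


def duplicate_fingerprints(bundle: str) -> list:
    """Fingerprints that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for fp in fingerprints(bundle):
        if fp in seen and fp not in dups:
            dups.append(fp)
        seen.add(fp)
    return dups


def dedupe_bundle(bundle: str) -> str:
    """Rewrite the bundle keeping only the first copy of each certificate."""
    out, seen = [], set()
    for der in parse_pem_certs(bundle):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue  # already emitted: this is a doubled copy
        seen.add(fp)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


def _fake_pem(payload: bytes) -> str:
    # Constructed placeholder block: the payload is NOT real X.509 DER.
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


CERT_A = _fake_pem(b"constructed placeholder for the existing GTM's server.crt")
CERT_B = _fake_pem(b"constructed placeholder for the new GTM's own server.crt")

# Models a trust file where the existing GTM's cert was appended a second time.
APPENDED_TWICE = CERT_B + CERT_A + CERT_A

if __name__ == "__main__":
    print(len(parse_pem_certs(APPENDED_TWICE)), "blocks,",
          len(duplicate_fingerprints(APPENDED_TWICE)), "duplicated")
    print(dedupe_bundle(APPENDED_TWICE))
```

Run `duplicate_fingerprints()` over a copy of the trust file before and after any append; an empty list means nothing was doubled. The dedupe keeps the first occurrence, so the order of the remaining certs in the file is unchanged.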
I have a question about the GTM monitors and prober pools. In my case, I have three datacenters, three GTMs (one in each DC), and one prober pool; the prober pool includes all three GTMs, and the prober pool was set to use Round Robin. There are two VSes, vs1 and vs2, in different DCs; each VS was configured with two health monitors (each monitor with a different probe interval, e.g. vs1's monitors have intervals of 5s and 7s, vs2's monitors have intervals of 9s and 11s). So, my question is, how does the prober pool Round Robin work? Looking forward to your help, thank you.

Adding LTM to GTM with different version
Hi Experts, I am looking for a KB that shows the prerequisites or considerations prior to doing BIGIP ADD in GTM. Our goal is to use the GSLB functionality of our GTM. Our GTM is running version 11.6.1 and we will upgrade our LTM from 11.6.1 to 13.0. May we know if it is possible or if there is an issue with this setup?

GTM Topology Load Balancing - Order of Operation
Two-part question:

1.) For wide IP-level topology load balancing, what takes precedence: order, weight, or prefix length? (Assuming topology load balancing is choosing between pools based on source IP subnet.)

2.) This question came about due to a situation in which I'm seeing some unexpected LB results. Given the below topology configuration (11.x):

1 IP Subnet is 10.0.1.0/29 Pool is West_DC_Pool 1
2 IP Subnet is 10.0.1.0/24 Pool is West_DC_Pool 150
3 IP Subnet is 10.0.0.0/24 Pool is East_DC_Pool 1
4 IP Subnet is 10.0.0.0/16 Pool is East_DC_Pool 100

The LDNS server IP is 10.0.1.5 (there's only one LDNS server at the moment). The East_DC_Pool is being chosen every time. Based on the logs, it seems to be comparing 1 (10.0.1.0/29 with a weight of 1) to 4 (10.0.0.0/16 with a weight of 100), and therefore 4 is winning based on a weight of 100. No mention of 2 (10.0.1.0/24 with a weight of 150) in the logs. If I delete 1, then 2 (10.0.1.0/24 with weight of 150) wins, so traffic is then sent to West_DC_Pool. Now re-adding 1 (10.0.0.0/29 with weight 1) causes 4 (East_DC_Pool) to win again. Is this expected behavior??? I would have expected in all cases (with an LDNS IP of 10.0.1.5) that traffic would be routed to the West_DC_Pool based on either longest prefix match (1 would win), weight (2 would win), or order (again 1 would win). But maybe there's something about the order of operation that I'm unaware of. Thanks in advance, Dave

Load-balancing generic hosts between different datacenters
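Added example for the "GTM Topology Load Balancing - Order of Operation" post above, not part of that post or of any BIG-IP code, and not a model of what BIG-IP actually does: it takes the four topology records from the post and evaluates them for a given LDNS address under each of the three candidate precedence rules the poster names (configured order, highest weight, longest source prefix), so the expected record and pool under each rule can be compared against what the logs show. Tie-breaking by configured order within the weight and prefix rules is an assumption of this illustration.

```python
import ipaddress

# The poster's four topology records as (order, source CIDR, destination pool, weight).
# Transcribed from the post, not exported from a BIG-IP.
RECORDS = [
    (1, "10.0.1.0/29", "West_DC_Pool", 1),
    (2, "10.0.1.0/24", "West_DC_Pool", 150),
    (3, "10.0.0.0/24", "East_DC_Pool", 1),
    (4, "10.0.0.0/16", "East_DC_Pool", 100),
]


def matching_records(ldns_ip: str, records=RECORDS) -> list:
    """Records whose source subnet contains the LDNS address, in configured order."""
    addr = ipaddress.ip_address(ldns_ip)
    return [r for r in records if addr in ipaddress.ip_network(r[1])]


def pick(ldns_ip: str, rule: str, records=RECORDS):
    """Select one record for the LDNS under a candidate precedence rule.

    'order'  : first matching record in configured order
    'weight' : matching record with the highest weight (ties -> configured order)
    'prefix' : matching record with the longest source prefix (ties -> configured order)
    Returns (order, pool), or None if no record matches.
    """
    matches = matching_records(ldns_ip, records)
    if not matches:
        return None
    if rule == "order":
        chosen = matches[0]
    elif rule == "weight":
        chosen = max(matches, key=lambda r: (r[3], -r[0]))
    elif rule == "prefix":
        chosen = max(matches, key=lambda r: (ipaddress.ip_network(r[1]).prefixlen, -r[0]))
    else:
        raise ValueError(f"unknown rule {rule!r}")
    return chosen[0], chosen[2]


def compare_rules(ldns_ip: str, records=RECORDS) -> dict:
    """Selected (order, pool) under each candidate rule, for side-by-side comparison."""
    return {rule: pick(ldns_ip, rule, records) for rule in ("order", "weight", "prefix")}


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.0.9", "10.0.200.1"):
        print(ip, compare_rules(ip))
    # The poster's experiment: remove record 1 and re-evaluate.
    print("without record 1:", compare_rules("10.0.1.5", [r for r in RECORDS if r[0] != 1]))
```

For 10.0.1.5 all three rules land on West_DC_Pool (records 1, 2 and 1 respectively), which is the poster's expectation; whichever rule the device applies, a result of East_DC_Pool means the selection is not any of these three as stated, so the logs are the thing to compare against.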
Hi all, I have a GTM F5 load balancer sitting in my primary Denver (USA) data center. I have two VPN firewalls sitting in the Chennai (India) data center, where there is no F5 load balancer; hence there is no GSLB. I would like to load-balance these two VPN firewalls through the Denver F5 GTM load balancer. The public IPs are completely different between the data centers. The expectation is that the end host ==> Public DNS Server ==> F5 GTM Listener (Denver) ==> Chennai (India) Datacenter (VPN Firewall). Will this be doable?

DNS to LTM (Server peering for GSLB)
GTM1 (one external self IP)
LTM1 (one external self IP, multiple internal self IPs)

I noticed that the HELP under DNS -> GSLB -> Server List states "Address: Specifies an external (public) address for the device." In the guides it is recommended to use self IPs of devices to peer. BUT does it really HAVE to be 'external'? Are there any limitations to simply peering to the LTM using one of the internal self IPs? Thanks for feedback!

HA GSLB between 2 DC don't work
I have an environment of GSLB with 2 DCs; each datacenter has an F5 DNS and two LTMs, and we have only one wide IP. The test that we are making is trying to resolve with dns2: if we make this test it redirects to ltm2, and if we turn off ltm2 it makes the redirection to ltm1. But if we make the same test on dns1, first it sends the client to ltm1, but if we turn off ltm1 it doesn't make the redirection to ltm2. On the Wide IP I have both pools, dc1 and dc2, and I have the topology LB method; then in each pool I have both ltm1 and ltm2, and depending on the zone I change the order. On the pool I have the topology, global availability and none LB methods. The topology rules are the next:

IP 10.100.2.0/24 Pool is DC2
IP 0.0.0.0/0 Pool is DC1

Are the topology rules ok? I don't know why it is not working.

GTM Listener with pool
Hi, I was under the impression that a VS working as a GTM Listener with DNS profile options GSLB: Enabled, Unhandled Query Actions: Allow, and a Pool assigned (with some backend DNS as member), when receiving a request matching a configured Wide IP, will answer directly. From my test (v13.0.0HF2) it looks like it's not the case; a request matching a Wide IP is still sent to the pool member. Is that by design, a bug, or did I make some mistake in configuration? Piotr

GTM health monitor for Standalone Server not being sent
I'm trying to set up a standalone server in a new GTM implementation and the health monitors don't seem to be working as expected. I've done the following tasks:

- Created a new datacenter (which is showing green/available)
- Created a new server as the GTM devices using the floating IP for the external VLAN (showing green/available)
- Created another new server (Generic Host) with the IP of the webserver and created a virtual server with the same IP and the http health monitor (showing red/down)

I'm able to successfully curl the webserver from the CLI of the GTM device, so I know routing and network connectivity are good. I've done some tcpdumps and the GTM device isn't sending any traffic to the virtual server. Can someone give me some pointers? Thanks in advance.