my technical experience
Just a short example what you need to configure when use PPPoE on Cisco ASA…
vpdn group myconnection request dialout pppoe vpdn group myconnection localname [email protected] vpdn group myconnection ppp authentication pap vpdn username [email protected] password aeb1puj43 interface Vlan 2 nameif outside security-level 0 pppoe client vpdn group myconnection ip address pppoe setroute no shutdown exit
Syslog servers are a great idea they centralise all your logs from your Servers and networking devices.
I used for the syslog server the following command
bigpipe syslog remote server 'syslog-srv.local-domain.com' host 10.1.1.100 add
After that everything looked fine and I saw syslog messages but I got lots of informational messages and the following debug message.
debug snmpd[PID]: error on subcontainer 'ia_addr' insert (-1)
For the debug message I found a solution on AskF5: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12136.html?sr=16487442
There is saw that I went the wrong way of configuring syslog on my load balancer, I also needed to set the log level for remote syslog server. Here the solution from F5: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
1. Log in to the command line of the BIP-IP
2. Create in /tmp/syslog.inc file with the syslog configuration.
syslog include "
filter f_remote_loghost {
level(notice..emerg);
};
destination d_loghost {
udp(\"10.1.1.100\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_loghost);
};
"
3. To remove the currently configured remote syslog servers, type the following command:
Important: This step disables all remote logging.
[root@l-ltm-ve-01:Active] tmp # b syslog remote server none
4. Copy the changes into the configuration
[root@l-ltm-ve-01:Active] tmp # bpsh < /tmp/syslog.inc
5. Refresh and start syslog deamon
[root@l-ltm-ve-01:Active] tmp # syslog-ng -s
6. Save the configuration
[root@l-ltm-ve-01:Active] tmp # b save all /config/bigip_base.conf was renamed to /config/bigip_base.conf.bak (86 lines). /config/bigip_sys.conf was renamed to /config/bigip_sys.conf.bak (66 lines). /config/bigip.conf was renamed to /config/bigip.conf.bak (894 lines). /config/bigip_local.conf was renamed to /config/bigip_local.conf.bak (1 lines). [root@l-ltm-ve-01:Active] tmp #
If the new logging configuration is not working as expected, make the desired changes to the /tmp/syslog.inc file and return to Step 2.
When the syslog-ng -s command reports the following error message:
# syslog-ng -s syntax error at 751
Remove the syslog include entries by typing the following command:
bigpipe syslog include none
Review the import configuration for syntax errors before attempting to re-import by typing the command listed in Step 2.
Short overview of how to redirect Cisco show commands… quite useful sometimes 😉
show <command> | redirect URL
The syntax to redirect the command output to the file location specified in the URL. The pipe (|) is required. Prefixes can be local file locations, like flash: or disk0:. Alternatively, you can specify network locations using the following:
ftp://username:password@location/directory/filename
tftp://location/directory/filename
Rcp: prefix is not supported.
show tech-support | redirect tftp://10.1.1.100/show-tech_c2960s-01.txt
This is an iRule for F5 BIGIP to balance on the requested http path, so http://domain.com/appversion1-0 or http://domain.com/appversion2-0 . The benefit is that you have different server pools under the same domain.
With the iRule you can also access every member and open a status.txt or servername.txt with the following path http://domain.com/monitor/servername.txt?app=appversion1-0&node=1 . Â This option is for monitoring reasons as you can monitor every node over the external URL.
I also use the status.txt for an http monitor to see if the server is online or offline. You can use that to set the web server offline without doing that over the F5 management console.
GET /monitor/status.txt HTTP/1.1\r\nHOST:\r\nConnection: Close\r\n\r\n Enable: ONLINE Disable: OFFLINE
In the servername.txt I write the name of the server.
This is the iRule:
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::path]] {
"*appversion1-0*" { pool pool_http80_domain.com-appversion1-0}
"*appversion2-0*" { pool pool_http80_domain.com-appversion2-0}
"*monitor*" {
switch [URI::query [HTTP::uri] "app"] {
appversion1-0 {
switch [URI::query [HTTP::uri] "node"] {
1 { pool pool_http80_domain.com-appversion1-0 member 10.0.1.1 80 }
2 { pool pool_http80_domain.com-appversion1-0 member 10.0.1.2 80 }
default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|servername).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }
}
}
appversion2-0 {
switch [URI::query [HTTP::uri] "node"] {
1 { pool pool_http80_domain.com-appversion2-0 member 10.0.2.1 80 }
2 { pool pool_http80_domain.com-appversion2-0 member 10.0.2.2 80 }
default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|serversame).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }
}
}
default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|servername).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }
}
}
default { pool pool_http80_domain-appversion1-0 }
}
}
The default app pool is appversion1-0 so everything that didn’t match is forwarded to that pool.
Here is a procedure on how to upgrade the software on an F5 BIGIP cluster tier.
After 6 to 7 minutes the device booted with the new software version. From now on you won’t be able to sync your configs between the devices anymore because of the different software versions it’s only possible within the same release. F5 doesn’t recommend to run cluster with different software versions.
Now initiate the failover on the active unit! Do that maybe at low traffic period! Normally there should be no side effect and the failover is not visible to clients because of the mirroring the sessions.
In case of problems with the new software version you should be able to switch back to the other cluster member with the old software version at any time.
The same procedure you use to install hotfixes on the BigIP.