bigip tcpdump

Capture inbound and outbound from an interface


[root@bigip1:Active:In Sync] config # tcpdump -nni 1.1

This command captures traffic in both directions on interface 1.1; -nn disables hostname and port-name resolution so addresses and ports are printed numerically.

Capture inbound and outbound and filter by address and port


[root@bigip1:Active:In Sync] config # tcpdump host 172.16.5.254 and port 80 -nnvvi 1.1

This command filters for traffic to or from host 172.16.5.254 on port 80; -vv adds verbose output.

Capture outbound and filter by ip address and port


[root@bigip1:Active:In Sync] config # tcpdump src host 172.16.5.254 and dst port 80 -nnvvi 1.1 -w /var/tmp/vmnet5.cap

This command filters outbound traffic from source 172.16.5.254 to destination port 80 and writes the capture to /var/tmp/vmnet5.cap.

Read the capture file vmnet5.cap


[root@bigip1:Active:In Sync] config # tcpdump -r /var/tmp/vmnet5.cap -X

-X prints the data of each packet in hex and ASCII. The trailer "in slot1/tmm0 lis=/Common/dvwa" is BIG-IP specific: it shows which TMM handled the packet and which listener (virtual server) matched it. Note that an unencrypted HTTP request, including its Cookie header, is fully readable in the dump.

The sample looks like this:

20:35:13.406570 IP 172.16.5.254.47300 > 172.16.3.254.http: Flags [P.], seq 0:435, ack 1, win 229, options [nop,nop,TS val 29089249 ecr 11663189], length 435 in slot1/tmm0 lis=/Common/dvwa
0x0000: 0005 0800 4500 01e7 f16e 4000 4006 e585 ....E....n@.@...
0x0010: ac10 05fe ac10 03fe b8c4 0050 4607 2c8d ...........PF.,.
0x0020: e307 7839 8018 00e5 cc72 0000 0101 080a ..x9.....r......
0x0030: 01bb dde1 00b1 f755 4745 5420 2f64 7677 .......UGET./dvw
0x0040: 612f 696e 7374 7275 6374 696f 6e73 2e70 a/instructions.p
0x0050: 6870 2048 5454 502f 312e 310d 0a48 6f73 hp.HTTP/1.1..Hos
0x0060: 743a 2031 3732 2e31 362e 332e 3235 340d t:.172.16.3.254.
0x0070: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz
0x0080: 696c 6c61 2f35 2e30 2028 5831 313b 2055 illa/5.0.(X11;.U
0x0090: 6275 6e74 753b 204c 696e 7578 2078 3836 buntu;.Linux.x86
0x00a0: 5f36 343b 2072 763a 3436 2e30 2920 4765 _64;.rv:46.0).Ge
0x00b0: 636b 6f2f 3230 3130 3031 3031 2046 6972 cko/20100101.Fir
0x00c0: 6566 6f78 2f34 362e 300d 0a41 6363 6570 efox/46.0..Accep
0x00d0: 743a 2074 6578 742f 6874 6d6c 2c61 7070 t:.text/html,app
0x00e0: 6c69 6361 7469 6f6e 2f78 6874 6d6c 2b78 lication/xhtml+x
0x00f0: 6d6c 2c61 7070 6c69 6361 7469 6f6e 2f78 ml,application/x
0x0100: 6d6c 3b71 3d30 2e39 2c2a 2f2a 3b71 3d30 ml;q=0.9,*/*;q=0
0x0110: 2e38 0d0a 4163 6365 7074 2d4c 616e 6775 .8..Accept-Langu
0x0120: 6167 653a 2065 6e2d 5553 2c65 6e3b 713d age:.en-US,en;q=
0x0130: 302e 350d 0a41 6363 6570 742d 456e 636f 0.5..Accept-Enco
0x0140: 6469 6e67 3a20 677a 6970 2c20 6465 666c ding:.gzip,.defl
0x0150: 6174 650d 0a52 6566 6572 6572 3a20 6874 ate..Referer:.ht
0x0160: 7470 3a2f 2f31 3732 2e31 362e 332e 3235 tp://172.16.3.25
0x0170: 342f 6476 7761 2f76 756c 6e65 7261 6269 4/dvwa/vulnerabi
0x0180: 6c69 7469 6573 2f65 7865 632f 0d0a 436f lities/exec/..Co
0x0190: 6f6b 6965 3a20 7365 6375 7269 7479 3d69 okie:.security=i
0x01a0: 6d70 6f73 7369 626c 653b 2050 4850 5345 mpossible;.PHPSE
0x01b0: 5353 4944 3d33 7270 376a 3468 3866 3665 SSID=3rp7j4h8f6e
0x01c0: 6872 6c6c 3262 6831 646e 6f73 706c 300d hrll2bh1dnospl0.
0x01d0: 0a43 6f6e 6e65 6374 696f 6e3a 206b 6565 .Connection:.kee
0x01e0: 702d 616c 6976 650d 0a0d 0a01 1101 0100 p-alive.........
0x01f0: 000c 2f43 6f6d 6d6f 6e2f 6476 7761 ../Common/dvwa
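As an added example (not from the original post), the following Python rebuilds the -X hex rows into packet bytes and pulls out the HTTP request headers, which is a quick way to check what a capture exposes in clear text. The sample dump is constructed: its first rows follow the capture above and the request is shortened.

```python
import re

# Constructed sample in the shape of "tcpdump -r file.cap -X" output on BIG-IP:
# a summary line, then rows "0xOFFSET: <up to 8 hex groups> <ascii column>".
SAMPLE_DUMP = """\
20:35:13.406570 IP 172.16.5.254.47300 > 172.16.3.254.http: Flags [P.], seq 0:65, ack 1, win 229, length 65 in slot1/tmm0 lis=/Common/dvwa
0x0000: 0005 0800 4500 01e7 f16e 4000 4006 e585 ....E....n@.@...
0x0010: ac10 05fe ac10 03fe b8c4 0050 4607 2c8d ...........PF.,.
0x0020: e307 7839 8018 00e5 cc72 0000 0101 080a ..x9.....r......
0x0030: 01bb dde1 00b1 f755 4745 5420 2f64 7677 .......UGET./dvw
0x0040: 612f 2048 5454 502f 312e 310d 0a48 6f73 a/.HTTP/1.1..Hos
0x0050: 743a 2031 3732 2e31 362e 332e 3235 340d t:.172.16.3.254.
0x0060: 0a43 6f6f 6b69 653a 2073 6563 7572 6974 .Cookie:.securit
0x0070: 793d 6c6f 770d 0a0d 0a y=low....
"""

HEX_ROW = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")
SENSITIVE = ("cookie", "set-cookie", "authorization", "proxy-authorization")


def parse_hex_dump(text: str) -> bytes:
    """Rebuild packet bytes from -X rows, placing each row at its printed offset."""
    buf = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue  # summary line, not a hex row
        offset, chunk = int(m.group(1), 16), bytearray()
        for tok in m.group(2).split()[:8]:  # hex groups first, ASCII column last
            if not HEX_GROUP.match(tok):
                break
            chunk += bytes.fromhex(tok)
        buf += b"\x00" * max(0, offset - len(buf))  # pad if rows were trimmed
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)


def extract_http_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Find the first HTTP/1.x request line in the payload and parse its headers."""
    m = re.search(rb"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", raw)
    if not m:
        raise ValueError("no HTTP request line in payload")
    end = raw.find(b"\r\n\r\n", m.start())
    lines = raw[m.start():end if end >= 0 else len(raw)].decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return lines[0], headers


def sensitive_headers(headers: dict[str, str]) -> list[str]:
    """Header names that carry credentials or session tokens in clear text."""
    return [n for n in headers if n.lower() in SENSITIVE]
```

Running extract_http_request(parse_hex_dump(SAMPLE_DUMP)) returns the request line and its headers; sensitive_headers then lists the Cookie header as exposed.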

Posted in F5, General stuffs, Security

BIGIP virtual server status

Virtual server is enabled but is unavailable

Although the virtual server is enabled, it is unavailable. This is because a pool member has reached its connection limit.

In this scenario two pool members were marked down by the health monitor, and the only available member has reached its connection limit.


Virtual server is enabled and ready to receive traffic

This is the business-as-usual status of a virtual server.

Virtual server is enabled but offline

The virtual server is enabled but marked offline, so it will not receive any incoming traffic. This indicates that the pool members are down, which caused the virtual server to go offline.

In this scenario, the http service was down on all pool members.

In this scenario the pool members have all been forced offline, which takes the virtual server offline as well.

Interestingly, if all pool members are disabled (rather than forced offline) the pool still shows as enabled, so the virtual server shows as enabled as well.

If a persistence record to a pool member already exists, traffic is still sent to that member even after it has been disabled.

Virtual server is available but disabled

This happens when you disable the virtual server; a disabled virtual server receives no incoming traffic.

Virtual server status is unknown

BIG-IP cannot determine the status of the virtual server because no health monitor is configured for the node or pool member.


Posted in F5, General stuffs, High Availability

Exploring various load balancing methods

Round Robin

Traffic is distributed evenly. This is the default load balancing method and suits members with similar memory and processing capability.

Least Connection (member)

Traffic is passed to the member that currently has the fewest connections. Used for members with similar capabilities.

Ratio (member)

Ratio settings: for every 5 connections, 1 connection is given to dvwa2, and for every 2 connections, 1 connection is given to dvwa3.

This is a static load balancing method: you define how connections are distributed among the members.

Dynamic ratio

This is a dynamic load balancing method, but the member or node needs a monitoring agent installed to report its performance over time. Dynamic ratio uses the performance reports to determine the ratio of each member.

Least sessions

Connections are passed to the member that has the fewest persistence sessions. The virtual server needs a persistence profile such as source address affinity so that the persistence sessions of each client are tracked.

The persistence profile uses source address affinity.

dvwa1 has a persistence session with lubuntu-1 and dvwa2 has a persistence session with lubuntu-2.


Posted in F5, General stuffs

Bigip Priority Group

You can load balance across all members in a pool, or only to the members in the highest priority group.

Traffic is load balanced among the members of the highest priority group; if the number of available members in that group falls below the priority group activation number, traffic goes to the members of the next highest priority group.

dvwa1 receives traffic because it is in the highest priority group and that group maintains the minimum number of members.

When dvwa1 is unavailable, traffic is sent to the member of the next highest priority group.

Even after dvwa1 is back online, traffic is still sent to dvwa2 because persistence is enabled on this virtual server.

Posted in F5, General stuffs

Bigip Active/Standby HA

Summary of steps

  1. Create the high availability VLAN and self IP on both bigip1 and bigip2.
  2. Create the HA configuration on both bigip1 and bigip2, such as the config sync and failover network addresses.
  3. Set up the HA cluster: add the peer to the trust domain and put the trusted peer into the same device group.

Create vlan and self ip on bigip1 and bigip2

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# /net vlan
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# create ha-vlan tag 999 interfaces add { 1.5 }
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# /net self
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# create ha-ip vlan ha-vlan address 192.168.32.1/24
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# modify ha-ip allow-service default


[root@bigip2:Active:Standalone] config # tmsh
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# /net vlan
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# create ha-vlan tag 999 interfaces add { 1.5 }
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# /net self
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# create ha-ip vlan ha-vlan address 192.168.32.2/24
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# modify ha-ip allow-service default

The allow-service of the HA self IP must not be none, otherwise the peer cannot be discovered; it needs to be set to default at least.

Test ping to each other:

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# ping 192.168.32.2
PING 192.168.32.2 (192.168.32.2) 56(84) bytes of data.
64 bytes from 192.168.32.2: icmp_seq=1 ttl=255 time=10.0 ms
64 bytes from 192.168.32.2: icmp_seq=2 ttl=255 time=6.02 ms
64 bytes from 192.168.32.2: icmp_seq=3 ttl=255 time=6.00 ms
64 bytes from 192.168.32.2: icmp_seq=4 ttl=255 time=5.99 ms


root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# ping 192.168.32.1
PING 192.168.32.1 (192.168.32.1) 56(84) bytes of data.
64 bytes from 192.168.32.1: icmp_seq=1 ttl=255 time=6.70 ms
64 bytes from 192.168.32.1: icmp_seq=2 ttl=255 time=5.50 ms
64 bytes from 192.168.32.1: icmp_seq=3 ttl=255 time=6.02 ms
64 bytes from 192.168.32.1: icmp_seq=4 ttl=255 time=5.45 ms
64 bytes from 192.168.32.1: icmp_seq=5 ttl=255 time=6.02 ms

Preparing for HA

Assign the interface and address for config sync and unicast failover respectively.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# /cm device
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# modify bigip1 configsync-ip 192.168.32.1 unicast-address { { ip 192.168.32.1 } }


root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# /cm device
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# modify bigip2.cyruslab.net configsync-ip 192.168.32.2 unicast-address { { ip 192.168.32.2 } }

Cluster setup

On bigip1 add bigip2.cyruslab.net to the device trust peer list.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# /cm trust-domain
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.trust-domain)# modify /Common/Root ca-devices add { 10.10.10.2 } name bigip2.cyruslab.net username admin password admin

The command line requires the peer's hostname / FQDN, but in the GUI this is not necessary: only the peer's management IP and credentials are required.

Create a device group that includes bigip1 and bigip2.cyruslab.net

root@(bigip1)(cfg-sync In Sync (Trust Domain Only))(Active)(/Common)(tmos.cm.trust-domain)# /cm device-group
root@(bigip1)(cfg-sync In Sync (Trust Domain Only))(Active)(/Common)(tmos.cm.device-group)# create ha devices add { bigip1 bigip2.cyruslab.net } type sync-failover full-load-on-sync true network-failover enabled auto-sync disabled
root@(bigip1)(cfg-sync Awaiting Initial Sync)(Standby)(/Common)(tmos.cm.device-group)#

Soon after the sync-failover device group was created, bigip1 becomes standby and bigip2 becomes active.

In this command I enabled full load on sync and network failover, and disabled automatic sync. I will have to do a manual config sync whenever I make changes to the active bigip.

Now go to the active bigip, bigip2.cyruslab.net, and sync the configuration to the group.

root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)# run /cm config-sync to-group ha
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos.net.self)#

As observed above, the config becomes In Sync after a while.

Posted in F5, General stuffs, High Availability

Installing bigip hotfix

I have encountered weird issues on BIGIP 12 VE:

  1. Changing, disabling or enabling the virtual server causes bigip to be temporarily unable to ping the pool members despite a dynamic ARP entry being available.
  2. Because of point 1, the health monitor registered failures on the monitored pool members.
  3. Priority group does not work properly when persistence is applied. Priority group activation is set to 1; with one server in priority group 2 down, traffic is not sent to the only server left in priority group 2 but instead to the server in priority group 1.

Download the base image and hotfix

Download the F5 bigip base image and hotfix from F5. The base image has to be imported before you can install the hotfix; without the base image the hotfix installation is not allowed.

Import the base image


Import hotfix

You can use the command line to create a new volume (partition) known as HD1.2 and install the hotfix into it.


root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# install sys software hotfix Hotfix-BIGIP-12.0.0.2.0.644-HF2.iso create-volume volume HD1.2

The command above is equivalent to the GUI installation.

The command line shows the installation progress:

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys software
---------------------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
---------------------------------------------------------------
HD1.1   BIG-IP   12.0.0   0.0.606  yes     complete
HD1.2   BIG-IP   12.0.0   0.0.606  no      installing 6.000 pct
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)#

The output above shows the installation at 6 percent.

Activate the boot location

Install Configuration copies the configuration from the currently active boot location to the new boot location.

Once the Activate button is clicked, bigip reboots itself.

If Install Configuration is selected, the version in the new boot location must be equal to or greater than the version in the source boot location.

From the command line this takes two steps:

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# quit
[root@bigip1:Active:Standalone] config # switchboot -b HD1.2
info: default boot location changed to HD1.2.

Then copy the configuration from the current partition to the new partition:

[root@bigip1:Active:Standalone] config # cpcfg --source=HD1.1 HD1.2
info: Getting configuration from HD1.1
info: Copying configuration to HD1.2
info: Applying configuration to HD1.2

After this you need to reboot the bigip.

Using the GUI is more straightforward.

Reboot completed


Posted in F5, General stuffs

Simple load balancing with bigip

Lab information
2x DVWA servers in vmnet3
1x Lubuntu client in vmnet5
Use round robin as load balancing method.
DVWA has a login page, hence enable source address persistence.
Enable a health monitor for the DVWA servers.

Create DVWA pool
The DVWA pool has two servers, 172.16.3.130 and 172.16.3.131.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# /ltm pool
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# create dvwa members add { 172.16.3.130:80 172.16.3.131:80 } load-balancing-mode round-robin description "DVWA server pool"

Here we create one pool with two members listening on http (port 80) and choose round robin as the load balancing method.

Create a virtual server to answer Lubuntu's requests

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# /ltm virtual
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.virtual)# create dvwa source 172.16.5.0/24 destination 172.16.3.254:80 profiles add { fastL4 } pool dvwa ip-protocol tcp persist replace-all-with { source_addr }

Here I configured the expected source address, which I set to the vmnet5 subnet, and the destination address, which is the self IP I created earlier.

I also attached the dvwa pool and enabled source address persistence.

This persistence ensures that the same source address is always sent to the same server within a session.

Save the configuration before testing.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.virtual)# save /sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done

Test


Enable health monitor for DVWA pool

Before a health monitor is enabled, the status of the virtual server is unknown.

The following command line enables the health monitor.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# /ltm monitor
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.monitor)# create http dvwa-monitor username admin password password

I created an http monitor called dvwa-monitor from the http monitor template and added the username and password of the DVWA.


root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.monitor)# /ltm pool
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# modify dvwa monitor dvwa-monitor description "To monitor DVWA status"
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# save /sys config

Posted in F5, General stuffs, Security