LoadBalancer – MadeBeen.com Network Security

MadeBeen.com Network Security

Category: LoadBalancer

“Cannot delete IP self-ip because it would leave a pool member unreachable.” message.

Have you ever tried to delete an ip address on an F5 device and came across the following message “”Cannot delete IP self-ip because it would leave a pool member unreachable.” I will teach how to overcome this issue now.
my scenario involves two boxes in active and standby as below.

Regarding nansstore-nonssl-pool, both Active/Standby units have below configuration.

/config/partitions/PCI-CIA/bigip.conf
ltm pool /PCI-CIA/nansstore-nonssl-pool {
load-balancing-mode least-connections-member
members {
/PCI-CIA/pciwebprd10:7081 {
address 172.20.184.5
}
/PCI-CIA/pciwebprd11:7081 {
address 172.20.184.6
}
/PCI-CIA/pciwebprd12:7081 {
address 172.20.184.7
}
}
monitor /Common/tcp
}

Here is ‘tmsh show net route’ result on both of them.
———————————————————————————————————————————-
Net::Routes
Name Destination Type NextHop Origin MTU
———————————————————————————————————————————-
/Common/pciwebprd10 172.20.184.5/32 gw 172.27.107.97 static 0
/Common/pciwebprd11 172.20.184.6/32 gw 172.27.107.97 static 0
/Common/pciwebprd12 172.20.184.7/32 gw 172.27.107.97 static 0

This shows we don’t use Self IP 172.20.184.3 for routing any more.
However, we can not delete IP 172.20.184.3 because we are getting “Cannot delete IP 172.20.184.3 because it would leave a pool member (pool /PCI-CIA/nansstore-nonssl-pool) unreachable.” message.

I was testing at my lab and saw same issue.
Also I was able to delete self IP with 2 type of methods.

NOTE: Please create UCS archives before proceed below 2 methods for backup of current configration.

SOL4423: Overview of UCS archives
https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4423.html

– First one is simple, I just deleted pool member from pool then I was able to delete self IP. After that I added pool member to pool WebSv_pool again. This is supportable answer for you.

1. deleted pool members from nansstore-nonssl-pool
2. delete self IP
3. after that add pool members to nansstore-nonssl-pool

– Second one is alternative method, we don’t support edit config files via text editor, therefore this is best effort answer for you.
However, when I remove self via text editor then load base config first then load config looks ok to me.

1. vi /config/bigip_base.conf
Comment out via vi
Example:
——————————————————–
#net self /Common/1.1.1.2 {
# address 1.1.1.2/27
# traffic-group /Common/traffic-group-local-only
# vlan /Common/Internal
#}
——————————————————–
2. load base config first
# tmsh load sys config base

3. load config
# tmsh load sys config

Here is the current information we can provide regarding your questions

November 30, 2016
Automating iRules creation process

if you are like me that likes to script and automate some of your configuration steps here is the summary on how to do so under version 12. Initially F5 used to have a b command available for the iRules creation which was never replaced with a TMOS equivalent.
This is the old creation method using b commands
b shell write partition Common
b rule fn89dev_rootlogin_ssl ‘{
when HTTP_REQUEST {
if {[HTTP::uri] == “” || [HTTP::uri] == “/”} {
HTTP::redirect “https://[HTTP::host]/fn89dev/signon.html”
}
else {
HTTP::header insert WL-Proxy-Client-IP [getfield [IP::client_addr] “%” 1]
}
}
}’

This is the new creation method using Unix shell scripts

echo writing irule to /var/tmp/irule.$$
cat << EOF > /var/tmp/irule.$$
ltm rule /BoQ/fn89dev_rootlogin_ssl {
when HTTP_REQUEST {
if {[HTTP::uri] == “” || [HTTP::uri] == “/”} {
HTTP::redirect “https://[HTTP::host]/fn89dev/signon.html”
}
else {
HTTP::header insert WL-Proxy-Client-IP [getfield [IP::client_addr] “%” 1]
}
}
}
EOF
echo merge irule in /var/tmp/irule.$$ to config
tmsh load sys config file /var/tmp/irule.$$ merge
echo deleting temp file /var/tmp/irule.$$
rm -f /var/tmp/irule.$$
echo done

November 29, 2016
NTP Servers

Not knowing the parameters configured on the F5’s specially for the Server Side on the connection I can’t tell for sure this is the issue. But assuming they are enforcing Certificate validation you see expect a reset out of this…
you can find the following time:

In the client side
GMT Unix Time: Jan 20, 2010 06:48:41.000000000 Cen. Australia Daylight Time
In the server side:
GMT Unix Time: May 19, 2041 21:36:39.000000000 Cen. Australia Standard Time

If you go to any other website such as www.commbank.com.au
You will find:
Client side:
GMT Unix Time: Nov 12, 2015 14:48:20.000000000 Cen. Australia Daylight Time
Server side:
GMT Unix Time: Nov 12, 2015 14:48:20.000000000 Cen. Australia Daylight Time

NTP servers should have been configured for the network devices specially in the F5s themselves being a HA pair. Certificates expiration dates are very sensitive to date and time specially if you are enforcing Certificate validation on the server side as previously mentioned before.

For more details please include the following filter in your wireshark packet capture.
tcp.stream eq 9

For more info about SSL server profiles please visit https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
cheers

November 23, 2015
Troubleshooting F5 Health Checks Monitors

Hi all,
I have finished this at home now . Some of my findings are pretty good and will most likely make us go ahead on next Thursday for BW.

I have set up the same monitors (the same way both f5 have been configured in PROD Norwest) without the XFF header being added into the APP VIP as per below:

Client F5’s:

Our Managed F5’s
Using basic http (default)

I can see the requests passing through the APP proxy for both monitors and marking them as green…

Client F5’s request

start transaction ——————-
CPL Evaluation Trace: transaction ID=733
transaction type: qualifier-index=1 name=http service=SG-HTTP-Service module=HTTP
MATCH: authenticate(no)
MATCH: ALLOW
miss : condition=X-Forwarded-For_Suppressed_URLs

MATCH: url.domain=//www.google.com.au/ cache(no)
MATCH: trace.request(yes) trace.rules(all) trace.destination(Trace)
connection: service.name=Explicit HTTP client.address=192.168.2.199 proxy.port=8080
time: 2014-11-03 08:29:30 UTC
CONNECT tcp://www.checkpoint.com:443/
DNS lookup was unrestricted
user: unauthenticated
authentication status=’not_attempted’ authorization status=’not_attempted’
server.response.code: 0
client.response.code: 200
application.name: unavailable
application.operation: unavailable
caching-decisions: cache(no)
DSCP client outbound: 65
DSCP server outbound: 65

Transaction timing: total-transaction-time 1217 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 0 ms
server-out: start 1 elapsed 0 ms
access-logging: start 1217 elapsed 0 ms
stop-transaction: start 1217 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization not completed
client connection: first-response-byte 0 last-response-byte 1217

stop transaction ——————–

Our Managed F5’s request

start transaction ——————-
CPL Evaluation Trace: transaction ID=734
transaction type: qualifier-index=1 name=http service=SG-HTTP-Service module=HTTP
MATCH: authenticate(no)
MATCH: ALLOW
miss : condition=X-Forwarded-For_Suppressed_URLs

miss : url.domain=//www.google.com.au/
MATCH: trace.request(yes) trace.rules(all) trace.destination(Trace)
connection: service.name=Explicit HTTP client.address=192.168.2.199 proxy.port=8080
time: 2014-11-03 08:29:31 UTC
GET https://192.168.2.200:8080/
RDNS lookup was unrestricted
user: unauthenticated
authentication status=’not_attempted’ authorization status=’not_attempted’
EXCEPTION(invalid_request): Request could not be handled
server.response.code: 0
client.response.code: 200
application.name: unavailable
application.operation: unavailable
DSCP client outbound: 65
DSCP server outbound: 65

Transaction timing: total-transaction-time 486 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 485 ms
server-out: start 486 elapsed 0 ms
client-out-terminated: start 486 elapsed 0 ms
access-logging: start 486 elapsed 0 ms
stop-transaction: start 486 elapsed 0 ms
Total Policy evaluation time: 485 ms
url_categorization not completed
server connection: start 486
DNS Lookup: start 486 elapsed 0 ms
server connection: connected 486
client connection: first-response-byte 0 last-response-byte 486

Total time added: 485 ms
Total latency to first byte: 485 ms
Request latency: 485 ms
OCS connect time: 0 ms
Response latency (first byte): 0 ms
Response latency (last byte): 0 ms
stop transaction ——————–

inserting the XFF into the http header for the APP proxy it has the same behavior experienced in PROD as down so I was able to replicate the issue:

Getting some packet captures that’s what I can see is a replica during the troubleshooting session:
No response from our Managed F5’s.

And looking at the conversation from our Managed F5 to the APP proxy is stating BAD REQUEST.

Changing the monitor to what it should be using http1.1.

Life is good again 🙂

start transaction ——————-
CPL Evaluation Trace: transaction ID=1723
transaction type: qualifier-index=1 name=http service=SG-HTTP-Service module=HTTP
MATCH: authenticate(no)
MATCH: ALLOW
miss : condition=X-Forwarded-For_Suppressed_URLs

MATCH: cache(no)
MATCH: trace.request(yes) trace.rules(all) trace.destination(Trace)
connection: service.name=Explicit HTTP client.address=192.168.2.199 proxy.port=8080
time: 2014-11-03 09:05:32 UTC
CONNECT tcp://www.checkpoint.com:443/
DNS lookup was unrestricted
user: unauthenticated
authentication status=’not_attempted’ authorization status=’not_attempted’
server.response.code: 0
client.response.code: 200
application.name: unavailable
application.operation: unavailable
caching-decisions: cache(no)
DSCP client outbound: 65
DSCP server outbound: 65

Transaction timing: total-transaction-time 465 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 0 ms
server-out: start 1 elapsed 0 ms
access-logging: start 465 elapsed 0 ms
stop-transaction: start 465 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization not completed
client connection: first-response-byte 0 last-response-byte 465

stop transaction ——————–

explanation: A client MUST include a Host header field in all HTTP/1.1 request messages . If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure that any request message it forwards does contain an appropriate Host header field that identifies the service being requested by the proxy. All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.
Besides I reckon once we have included XFF into the VIP is not supported by HTTP 1.0 (but I haven’t researched on that).

October 17, 2015