November 2016 – MadeBeen.com Network Security


  • “Cannot delete IP self-ip because it would leave a pool member unreachable.” message.

    Have you ever tried to delete an IP address on an F5 device and come across the message “Cannot delete IP self-ip because it would leave a pool member unreachable.”? Here is how to get past it.
    My scenario involves two boxes, one active and one standby, as below.

    Regarding nansstore-nonssl-pool, both the Active and Standby units have the configuration below.

    /config/partitions/PCI-CIA/bigip.conf
    ltm pool /PCI-CIA/nansstore-nonssl-pool {
        load-balancing-mode least-connections-member
        members {
            /PCI-CIA/pciwebprd10:7081 {
                address 172.20.184.5
            }
            /PCI-CIA/pciwebprd11:7081 {
                address 172.20.184.6
            }
            /PCI-CIA/pciwebprd12:7081 {
                address 172.20.184.7
            }
        }
        monitor /Common/tcp
    }

    Here is the ‘tmsh show net route’ output on both of them.
    -------------------------------------------------------------------------
    Net::Routes
    Name                 Destination      Type  NextHop        Origin  MTU
    -------------------------------------------------------------------------
    /Common/pciwebprd10  172.20.184.5/32  gw    172.27.107.97  static  0
    /Common/pciwebprd11  172.20.184.6/32  gw    172.27.107.97  static  0
    /Common/pciwebprd12  172.20.184.7/32  gw    172.27.107.97  static  0

    This shows we no longer use the self IP 172.20.184.3 for routing.
    However, we cannot delete IP 172.20.184.3, because we get the message “Cannot delete IP 172.20.184.3 because it would leave a pool member (pool /PCI-CIA/nansstore-nonssl-pool) unreachable.”

    I tested this in my lab and saw the same issue.
    I was able to delete the self IP with two methods.

    NOTE: Create a UCS archive before proceeding with either method, as a backup of the current configuration.

    SOL4423: Overview of UCS archives
    https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4423.html

    – The first method is simple: I deleted the pool member from the pool, and then I was able to delete the self IP. After that I added the pool member back to pool WebSv_pool. This is the supported answer.

    1. Delete the pool members from nansstore-nonssl-pool
    2. Delete the self IP
    3. Add the pool members back to nansstore-nonssl-pool
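    The supported method above, scripted end to end so the members are re-added exactly as they were. This is an added example, not code from the original post; it assumes tmsh is on PATH and that the self IP object is named /Common/172.20.184.3 (check with ‘tmsh list net self’), and takes the pool name from the post.

```bash
#!/bin/sh
# Added example (not from the original post): scripted version of the supported
# workaround. Assumes tmsh is on PATH; the self IP object name is assumed.
set -eu

POOL="/PCI-CIA/nansstore-nonssl-pool"
SELF_IP="/Common/172.20.184.3"   # assumed object name; check 'tmsh list net self'

# Print "member address" pairs parsed from 'tmsh list ltm pool <pool> members'.
pool_members() {
    tmsh list ltm pool "$1" members | awk '
        $1 ~ "^/.+:[0-9]+$" && $2 == "{" { name = $1 }
        $1 == "address"                  { print name, $2 }'
}

# 1. remove the members that pin the self IP, 2. delete the self IP,
# 3. add the members back with their original addresses, then save.
delete_self_ip_keeping_pool() {
    pool="$1"; selfip="$2"
    members=$(pool_members "$pool")
    [ -n "$members" ] || { echo "no members found in $pool" >&2; return 1; }
    printf '%s\n' "$members" | while read -r name addr; do
        tmsh modify ltm pool "$pool" members delete { "$name" }
    done
    tmsh delete net self "$selfip"
    printf '%s\n' "$members" | while read -r name addr; do
        tmsh modify ltm pool "$pool" members add { "$name" { address "$addr" } }
    done
    tmsh save sys config
}

# Only act when invoked explicitly:  ./self-ip-fix.sh --run
if [ "${1:-}" = "--run" ]; then
    delete_self_ip_keeping_pool "$POOL" "$SELF_IP"
fi
```

    Take the UCS archive first; the script issues the same three tmsh steps as the list above, just without retyping the member names by hand.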

    – The second method is an alternative. Editing config files with a text editor is not supported, so this is a best-effort answer.
    However, when I removed the self IP with a text editor, loaded the base config first, and then loaded the config, it looked OK to me.

    1. vi /config/bigip_base.conf
    Comment out the self IP stanza in vi.
    Example:
    --------------------------------------------------------
    #net self /Common/1.1.1.2 {
    #    address 1.1.1.2/27
    #    traffic-group /Common/traffic-group-local-only
    #    vlan /Common/Internal
    #}
    --------------------------------------------------------
    2. Load the base config first (as root):
    # tmsh load sys config base

    3. Load the full config:
    # tmsh load sys config

    Here is the current information we can provide regarding your questions

  • Automating iRules creation process

    If you, like me, enjoy scripting and automating some of your configuration steps, here is a summary of how to do so under version 12. F5 originally provided a b command for creating iRules, and it was never replaced with a TMOS equivalent.
    This is the old creation method using b commands:
    b shell write partition Common
    b rule fn89dev_rootlogin_ssl '{
        when HTTP_REQUEST {
            if {[HTTP::uri] == "" || [HTTP::uri] == "/"} {
                HTTP::redirect "https://[HTTP::host]/fn89dev/signon.html"
            }
            else {
                HTTP::header insert WL-Proxy-Client-IP [getfield [IP::client_addr] "%" 1]
            }
        }
    }'

    This is the new creation method using Unix shell scripts

    #!/bin/bash
    echo "writing irule to /var/tmp/irule.$$"
    # Quote the delimiter so nothing inside the iRule body is expanded by the shell
    cat << 'EOF' > /var/tmp/irule.$$
    ltm rule /BoQ/fn89dev_rootlogin_ssl {
        when HTTP_REQUEST {
            if {[HTTP::uri] == "" || [HTTP::uri] == "/"} {
                HTTP::redirect "https://[HTTP::host]/fn89dev/signon.html"
            }
            else {
                HTTP::header insert WL-Proxy-Client-IP [getfield [IP::client_addr] "%" 1]
            }
        }
    }
    EOF
    echo "merging irule in /var/tmp/irule.$$ into config"
    tmsh load sys config file /var/tmp/irule.$$ merge
    echo "deleting temp file /var/tmp/irule.$$"
    rm -f /var/tmp/irule.$$
    echo done