
guru

Everything posted by guru

  1. When migrating you want to make sure you don't miss anything, so here are a few commands that I run to help me make sure what was on the old is on the new.

     CONFIGURATION PHASE

     Virtual Servers

     First objective is to check to make sure all the Virtual Servers are present. If you aren't changing IP addresses then all I grab is the destination field, since in many cases the name and/or partition may change. For example, we are moving to deploying all our Virtual Servers using JSON format and the Partition is now the IP address, so all pools, profiles etc. that are specific to that virtual server would be found under that partition/IP address. Anyhow, so how do you get all the destination IPs from all partitions? Just run this command:

         tmsh -q -c 'cd / ; show ltm virtual recursive' | grep -i "destination " > /var/tmp/vs-destination-old_$HOSTNAME"."$(date +%Y%m%d).txt

     Why do I use show versus list? The list command will show the destination IP with the port in the common name, like 443 would be listed as https, but on the show command it's always the port number no matter how it was configured, which is consistent and also makes it easier to do compares.

     Certificates and Keys

     AWAF Policies

     DEPLOYMENT PHASE - BEFORE MIGRATION

     DEPLOYMENT PHASE - AFTER MIGRATION

     VALIDATION PHASE
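     As an added example (not part of the original post), a small Python normalizer for the destination captures described above: it reads lines from either show output (numeric ports) or list output (service names such as https), maps the names back to port numbers so both formats compare equally, and reports what is missing on the new box. The SERVICE_PORTS mapping and the two sample captures are constructed for this example, not taken from a real device.

```python
import re

# Port names that `tmsh list` prints for well-known services; `show` prints numbers.
# Constructed mapping for this example; extend it from /etc/services as needed.
SERVICE_PORTS = {"http": "80", "https": "443", "ssh": "22", "domain": "53"}

# Matches "Destination 10.1.10.5:443" (show) and "destination /Part/10.1.10.5:https" (list).
# IPv6 destinations use "." before the port, e.g. 2001:db8::1.443, so both separators are accepted.
DEST_RE = re.compile(r"destination\s+(?:\S*/)?(\S+)[:.](\w+)\s*$", re.IGNORECASE)


def parse_destinations(text):
    """Return the set of (address, numeric port) pairs found in show or list output."""
    found = set()
    for line in text.splitlines():
        m = DEST_RE.search(line)
        if m:
            addr, port = m.groups()
            found.add((addr, SERVICE_PORTS.get(port.lower(), port)))
    return found


def compare_destinations(old_text, new_text):
    """Destinations present on the old box but not the new, and vice versa."""
    old, new = parse_destinations(old_text), parse_destinations(new_text)
    return {"missing_on_new": sorted(old - new), "extra_on_new": sorted(new - old)}


# Constructed captures (not from a real device): old side from `show`, new side from `list`,
# where the new box uses the IP address as the partition name as described above.
OLD_SHOW = """\
Ltm::Virtual Server: /Common/web_vs
  Destination   10.1.10.5:443
Ltm::Virtual Server: /Common/dns_vs
  Destination   10.1.10.6:53
Ltm::Virtual Server: /Common/legacy_vs
  Destination   10.1.10.7:8080
"""
NEW_LIST = """\
ltm virtual /10.1.10.5/web_vs {
    destination /10.1.10.5/10.1.10.5:https
}
ltm virtual /10.1.10.6/dns_vs {
    destination /10.1.10.6/10.1.10.6:domain
}
"""

if __name__ == "__main__":
    print(compare_destinations(OLD_SHOW, NEW_LIST))
```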
  2. Here is a very helpful script that can be used to export Virtual Server Profile Certificate Ciphers.

     I personally create a file called:

         show-vs-cpfl-cert-ciphers.sh

     Then I make it executable:

         chmod 755 show-vs-cpfl-cert-ciphers.sh

     Now copy the code below and paste it in the new file:

         #!/bin/bash
         # Search /config and sub directories (partitions) for bigip.conf files
         # and collect the names of every "ltm virtual" object found in them.
         LIST=$(find /config -name bigip.conf | xargs awk '$2 == "virtual" {print $3}' 2> /dev/null | sort -u)
         VIRTS=0   # start the counter at 0; "expr" fails on an empty value
         echo "Virtual: Profile: Certificate: Ciphers:"
         echo "__________________________________________________________"
         for VAL in ${LIST}
         do
             # Client SSL profiles attached to this virtual server
             PROF=$(tmsh show /ltm virtual ${VAL} profiles 2> /dev/null | grep -B 1 " Ltm::ClientSSL Profile:" | cut -d: -f4 | grep -i "[a-z]" | sed 's/ //g' | sort -u)
             test -n "${PROF}" 2>&- && {
                 VIRTS=$(expr ${VIRTS} + 1)
                 for PCRT in ${PROF}
                 do
                     # Certificate referenced by the client SSL profile
                     CERT=$(tmsh list /ltm profile client-ssl ${PCRT} 2> /dev/null | awk '$1 == "cert" {print $2}' | sort -u)
                     test -n "${CERT}" 2>&- && {
                         # Cipher string configured on the profile
                         CIPHERS=$(tmsh list /ltm profile client-ssl ${PCRT} ciphers | grep ciphers | awk '{print $2}')
                         echo "${VAL} ${PCRT} ${CERT} ${CIPHERS}"
                     }
                 done
             }
         done
         echo "Virtual server count: ${VIRTS}"

     Finally you can run the newly created file:

         ./show-vs-cpfl-cert-ciphers.sh

     My preference is to run it and capture the output to a txt file that I can manipulate later to sort by each of the fields, so I run the command this way:

         ./show-vs-cpfl-cert-ciphers.sh > /var/tmp/how-vs-cpfl-cert-ciphers_output_$HOSTNAME"."$(date +%Y%m%d).txt

     Hope this helps you out as it has helped me.
  3. Need to work on the development of the new Event Management Application for Invision Community Board version 5 when it's released. To be able to invest in the new development we need to do a few things first:
       Acquire Funds (estimated cost will be close to 10k); by November 2023 should acquire the funds
       Write out project and expectations (can leverage some of what we are currently using)

     HISTORY
       Spreadsheets
       Filemaker Pro database
       Invision Community 3.x: Brandon Davie (no longer doing development for IPB)
       Invision Community 4.x: Ahmed Zayed (appears to have lost interest in developing these apps)
       Invision Community 5.x: ?? (possibly Adriano Faria or Terabyte or InterMedia)

     GOALS
       Identify a developer that invests in the app and can provide updates and support as needed (difficult to keep changing developers)
       Utilize website for each customer to leverage for all shows (use Mid-America Festivals as example)
       Services the App would provide include Ticketing and Accounting
       Not mandatory, but having a POS app that we could load on an Android or iOS device that would accept info (even offline) and transfer to the website when the connection is re-established
       Have the ability to export and import data for setup and transactions (preferably via CSV)
       Needs the ability to print reports with Logo included (possibly just use logo in header)
  4. AWAF Policies

     Trying to migrate an LTM from old school to doing it via JSON, and this particular LTM has AWAF Resource Provisioned so that's what makes it difficult, AND we are running version 15.x which only supports exporting policies into XML. In newer versions (16.x and 17.x) the AWAF policies can be exported into JSON format. We exported the policies and imported them, and now when you go to a child policy and you want to update it, the settings are grayed out like shown here. But it used to look like this here, where you can Add and do changes. It took a minute to understand what's happening, but I eventually discovered that inheritance is taking place, so you could make the changes at the parent policy but it would affect all child policies. If you want to edit just certain child policies then you will need to go to Inheritance Settings on the child policy and click Decline, and you will see that button change from Decline to Declined. Below is a picture of what it looks like.. (in red is declining inheritance and in gray it is keeping the inheritance)
  5. Here is the demo
  6. REQUIREMENTS:

     For the BIG-IP DNS synchronization group members to properly synchronize their configuration settings, verify that the following requirements are in place:

     BIG-IP DNS synchronization group members must be running the same software version
     A BIG-IP DNS device should be running the same software version as other members in the synchronization group. BIG-IP DNS devices that are running different software versions will not be able to communicate and properly synchronize BIG-IP DNS configuration and zone files. For information about displaying the software version, refer to K8759: Displaying the BIG-IP software version.

     Synchronization parameters must be properly defined for all members
     Synchronization must be enabled and each device must have the same synchronization group name. You can define the synchronization parameters by navigating to:
       BIG-IP DNS 11.5.0 and later: DNS > Settings > GSLB > General
       BIG-IP GTM 10.0.0 through 11.4.1: System > Configuration > Device > GTM > General

     NTP must be configured on each device
     Before you can synchronize BIG-IP DNS systems, you must define the network time protocol (NTP) servers for all synchronization group members. Configuring NTP servers ensures that each BIG-IP DNS synchronization group member is referencing the same time when verifying the configuration data that needs to be synchronized. You can configure NTP by navigating to System > Configuration > Device > NTP.

     Port Lockdown must be set properly for the relevant self IP addresses
     Port lockdown is a security feature that specifies the protocols and services from which a self IP address can accept traffic. F5 recommends using the Allow Custom option for self IP addresses that are used for synchronization and other critical redundant pair intercommunications. You can configure port lockdown by navigating to Network > Self IPs.

     Note: Management IP addresses are not compatible with iQuery; you should not use them as server IP addresses in the DNS server list.

     Configure the service ports shown in the following table for BIG-IP DNS operation on the specific self IP.

       Allowed Protocol   Service   Service Definition
       TCP                4353      iQuery
       TCP                22        SSH
       TCP                53        DNS
       UDP                53        DNS
       UDP                1026      Network Failover

     For further information on Port Lockdown behavior, please refer to K17333 listed in the Supplemental Information section below.

     TCP port 4353 must be allowed between BIG-IP GTM systems
     BIG-IP DNS synchronization group members use TCP port 4353 to communicate. You must verify that port 4353 is allowed between BIG-IP DNS systems.

     Compatible big3d versions must be installed on synchronization group members
     The big3d process runs on BIG-IP systems and collects performance information on behalf of the BIG-IP DNS system. For metrics collection to work properly, synchronization group members must run the same version of the big3d process. For more information about verifying big3d version information, refer to K13703: Overview of big3d version management.

     A valid device certificate must be installed on all members
     The device certificate is used by the F5 system to identify itself to a requesting F5 client system. The default device certificate, /config/httpd/conf/ssl.crt/server.crt, must be installed on each sync group member. You can verify the certificate validity by navigating to System > Device Certificates.

     EXPLANATION of DNS SYNC

     A BIG-IP DNS synchronization group is a collection of multiple BIG-IP DNS systems that share and synchronize configuration settings. You must meet several minimum requirements for BIG-IP DNS synchronization group members to communicate and synchronize properly. Starting in 11.x, the BIG-IP DNS system uses a commit_id structure, which is linked to an MCP transaction, as a timestamp when updating the configuration for a given sync group.

     The BIG-IP DNS sync group communication flow works as follows:
       1. The Configuration utility or the TMOS Shell (tmsh) communicates configuration changes to the mcpd process.
       2. The mcpd process forwards the new configuration in its entirety to the local gtmd process.
       3. The gtmd process updates the commit_id value and writes the new configuration to the /config/bigip_gtm.conf file.
       4. The local big3d process begins advertising the updated commit_id value using heartbeat messages transmitted to all remote gtmd processes.
       5. When a remote gtmd process notices that the peer BIG-IP DNS system has a newer commit_id value, the remote gtmd invokes the iqsyncer utility to pull the newer configuration.
       6. The iqsyncer utility connects to the big3d process of the BIG-IP DNS system with the newer commit_id and requests the changes between the newer commit_id and its current commit_id.
       7. The big3d process connects to its mcpd process and, if the differences between commit_ids exist in the incremental config sync cache, then just these incremental changes are passed back. If not, the full configuration is passed in one or more messages.
       8. The big3d process then transmits those messages back to the requesting iqsyncer utility, and iqsyncer passes the new configuration directly to its own mcpd process, which loads it into memory.
       9. After the mcpd process receives the new configuration, it passes the configuration to its own gtmd process, which updates its timestamp with the commit_id of the source BIG-IP DNS system, and writes the configuration to the /config/bigip_gtm.conf file.
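     As an added example (not F5's code and not part of the original post), a Python check that parses captured `tmsh list net self` output and verifies each self IP's port lockdown against the service table in the requirements above, flagging the Allow All and Allow None modes and listing any missing service from a custom list. The tmsh output layout, the tcp:ssh / tcp:domain / tcp:f5-iquery service names and the sample capture are assumptions constructed for this example; confirm them against your own device.

```python
import re

# Port-lockdown services from the table above, needed on the self IP used for sync.
REQUIRED_SERVICES = {"tcp:4353", "tcp:22", "tcp:53", "udp:53", "udp:1026"}

# tmsh prints well-known ports by /etc/services name (tcp:ssh). Assumed mapping for
# the names relevant here; any other name is passed through unchanged.
SERVICE_NAMES = {"ssh": "22", "domain": "53", "f5-iquery": "4353"}


def parse_tmsh(text):
    """Parse brace-structured `tmsh list` output into nested dicts.

    `key value` becomes {key: value}, `key {` opens a nested dict, and a bare
    word inside braces (an allow-service member or a flag) becomes {word: True}.
    """
    lines = text.splitlines()

    def block(i):
        node = {}
        while i < len(lines):
            line = lines[i].strip()
            i += 1
            if line == "}":
                break
            if not line:
                continue
            if line.endswith("{"):
                child, i = block(i)
                node[line[:-1].strip()] = child
            elif "{" in line and line.endswith("}"):  # one-line form: key { a b }
                key, _, inner = line.partition("{")
                node[key.strip()] = {w: True for w in inner.rstrip("}").split()}
            else:
                key, _, value = line.partition(" ")
                node[key] = value.strip() or True
        return node, i

    return block(0)[0]


def normalize(service):
    """Turn tcp:ssh into tcp:22 so named and numeric entries compare equally."""
    proto, _, port = service.partition(":")
    return f"{proto}:{SERVICE_NAMES.get(port, port)}"


def check_self_ips(tmsh_text):
    """Return {self IP name: [findings]} for every `net self` object in the output."""
    report = {}
    for key, obj in parse_tmsh(tmsh_text).items():
        if not key.startswith("net self "):
            continue
        name = key[len("net self "):]
        # Assumption: tmsh omits properties left at their default, so a missing
        # allow-service line means the Allow Default list is in effect.
        allowed = obj.get("allow-service", {"default": True})
        members = set(allowed) if isinstance(allowed, dict) else {str(allowed)}
        findings = []
        if "all" in members:
            findings.append("allow-service all: wider than the Allow Custom list recommended above")
        elif "none" in members:
            findings.append("no services allowed; sync needs " + ", ".join(sorted(REQUIRED_SERVICES)))
        elif "default" in members:
            findings.append("allow-service default: review against K17333; Allow Custom is recommended")
        else:
            missing = REQUIRED_SERVICES - {normalize(s) for s in members}
            findings.extend(f"missing {s}" for s in sorted(missing))
        report[name] = findings
    return report


# Constructed sample capture (not from a real device): one self IP set up for
# sync, one that only allows SSH and HTTPS.
SELF_IPS = """\
net self /Common/dns-sync {
    address 10.20.0.11/24
    allow-service {
        tcp:ssh
        tcp:domain
        udp:domain
        tcp:f5-iquery
        udp:1026
    }
    vlan internal
}
net self /Common/external {
    address 10.20.1.11/24
    allow-service {
        tcp:ssh
        tcp:https
    }
    vlan external
}
"""
```

Running check_self_ips(SELF_IPS) reports the external self IP as missing tcp:4353, tcp:53, udp:53 and udp:1026, and the dns-sync self IP as clean.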
  7. Ran into an issue last night where I had to redirect https://example.thezah.com/ to https://example.thezah.com/?idp_id=two

     Attempted a few different ways of redirecting the URI in the Policy and they all didn't work. Ran into a few issues...

     When creating the Redirect_URI policy, under the "do the following": Replace - HTTP URI - path with value /?idp_id=two at request time

     What would happen is when you enter the value /?idp_id=two and save, F5 would change it to /\?idp_id=two and my assumption is it's using regex to escape the ?, so I used the URL encoding for question mark, which is %3F, so it looked like /%3Fidp_id=two and still no luck.

     Then realized they were breaking because to use policies you need an HTTP Profile (Client) of http. Then we added an SSL Profile (Client) with the FQDN in, for example.thezah.com, and also added the F5 default SSL Profile (Server) called serverssl.

     The Policy still wouldn't work so created an iRule like the one below:

         when HTTP_REQUEST {
             if { [HTTP::uri] equals "/" } {
                 HTTP::uri "/?idp_id=two"
             }
         }

     Assigned the iRule to the Virtual Server Resources and now we are in business.
  8. If you have BIG-IQ in your environment to help manage/monitor your applications then let me help you understand how to use some cool features of BIG-IQ. Many times you have several F5's in your environment and trying to identify which F5 has the application you need to troubleshoot is kind of a pain in the butt unless you have BIG-IQ.

     First thing I do if someone says they have an issue with their application is ask for the FQDN or the URL that is having issues. Next thing I do is go to BIG-IQ and click on the Configuration Tab, then click on Virtual Servers and you get a screen like the one below.

     You can enter the FQDN in the filter box on the right, and if that doesn't work because the name of the virtual server may differ, go to your command prompt and do a dig on the FQDN to get the IP Address, then come back to BIG-IQ and enter the IP Address in the Filter box on the right.

     What if you get nothing still? Then a few things could be happening:
       Maybe their application doesn't go through the F5
       BIG-IQ is only up to date if the application was deployed via JSON/AS3, and for those legacy apps that didn't use JSON/AS3 to deploy, under the Devices Tab you must click those legacy boxes and click import on the services to keep the BIG-IQ database up to date.
  9. Internal Medicine (3 doctors) just came in and checked to see how Kate is doing and feeling. Sounds like chemotherapy is still on the docket for today but we are awaiting Dr. Yang. They checked on how Kate is doing with all the procedures she had done yesterday. She is super sleepy and is passed out now, but I think it's a good thing.

     I see it's lunch time and I may sneak downstairs and get something to munch on. I love chips, but because of all the stroke victims in the hospital I lean away from them since it's one of the major causes of a stroke. Actually I have been trying to eat healthy so I can keep taking care of Kate, but I may break down and get something non-healthy (meaning something with some flavor) today for lunch, like a burger from Wendy's.

     Dr. Yang came in at this time and gave us more information. Results of the lumbar puncture (spinal tap) proved positive results (no cancer in spinal fluid). He also spoke about treatment, which includes:

     the following once a week (every Monday as outpatient):
       daunorubicin (side effect: nausea, hair loss) - syringe
       vincristine (side effect: tingling in hands) - IV bag
       *constipation is a worry with treatments, so much so that the nurses and doctors ask every time they come in

     the following every day for 28 days:
       steroid: prednisone

     May add another drug week 2 and another drug that is used on children week 3 (Rituxan) which focuses on A.L.L.

     He mentioned things to pay attention to while she's home, which is mainly infection (fever of 100.4 that lasts more than 30 minutes, she must come to ER). Mentioned chemo will reduce platelets, which are optimum at 50k but at 30k now, and we may notice bleeding when below 10k.

     After the Induction period (first 4 weeks) the chemotherapy gets kicked up a notch and is unpleasant, and this will happen for 6 months and sounds like multiple visits per week.

     Kate's first chemotherapy treatment is coming soon (sometime this afternoon). They gave Zofran (for nausea) and prednisone (the steroid) today at 14:30.

     At this time (15:12) Kate received the daunorubicin via syringe. Nurse mentioned it is important for oral hygiene since it could create sores in your mouth. Also it will more than likely create red urine. They are also giving the vincristine via IV.

     COMPLETED adding the daunorubicin and vincristine at 15:30.

     Kate is doing good. She's groggy but doing okay. Just brought her an ICEE (coke.. uh oh), grilled chicken bits from Chick-fil-A and watching TV. She's not a fan of how she feels because it's different than anything else she felt. She is homesick... missing her puppies. I'm saying she's emotional, which the doc said is a side effect of the medicine. They just put a bag of cefepime and a couple blue pills which we believe are antibiotics (fungal, bacterial).

     Bloodwork at 3am and then more antibiotics at 4:30am. Unfortunately Kate didn't get much sleep (which is another side effect of chemo). She's also nauseous and did have tingling in her feet but she was able to work out the tingling.

     Visit from internal medicine at 7:30am to check on her status. Labs moved up to twice a day because of chemo; they need to keep monitoring blood counts. As of now, morning labs came back with hemoglobin 7+ & platelets 33, so no blood transfusion at the moment. We'll have another bloodwork around 5pm tonight and we'll see what her numbers are then. We are still on track for going home Friday and we are both hoping that stays true since she is going stir crazy being cooped up in the hospital.

     I may leave today to go get a shower and change of clothes since we are here until Friday. I feel disgusting so need a refresher. Hoping they validate the parking since we have been there since Sunday.

     Nurses helped Kate change into a new gown and I got her a breakfast bagel. They flushed the PICC line to help the machine stop beeping because of blockage.

     They also recommended her getting up and walking the floor. Bandage for PICC line will be changed before we go home, which will be nice even though we are only home for Saturday and Sunday and back on Monday for an all-day treatment, but it's supposed to be outpatient so we'll be able to go back home.

     She is getting Zofran for nausea at 9am.

     Kate got another dose of antibiotics and her daily steroid at 10:15am:
       antifungal: Diflucan
       antibacterial: Bactrim
       antiviral: aciclovir
       steroid: prednisone, which she'll get every day during the induction phase (roughly 28 days)
     And still getting the IV drip of cefepime (2gm/100mL) which is also used to treat bacterial infections.

     Kate got about 3 hours sleep last night. They said the chemo chemicals would cause sleeplessness. Kate is getting headaches but they give her a Tylenol 3 before going to sleep and it helps relieve the pain and allows her to sleep. They took blood at 5am and hemoglobin dropped to 7.1 and platelets dropped to 24k. She is also still getting some nausea but the Zofran does help relieve it.

     So today we walked around the floor with her pet IV stand closely in hand. She decided to wear a gown with an exposed back which proudly displays the lovely bruises from the bone marrow biopsy and lumbar puncture. We did two different walks which all together equal about 1/2 mile walked today. They dropped her bloodwork to once a day instead of the typical twice a day. No bowel movement since Tuesday so they gave her some Colace.

     She should get bloodwork at either 3am or 5am, then blood transfusion. Odd, but her hemoglobin has to be less than 7 for her to get a blood transfusion and it was at 7.1 this morning, so we all know it will be low 6 probably tomorrow morning, which will prompt the blood transfusion allowing Kate and I to go home for the weekend.
  10. Induction Phase

     It's 3am on 2/17/2020 and we are in a room on the 9th floor in Karmanos Cancer Facility in Detroit. This is the beginning of the Induction process, which in short means the beginning of chemo treatments while keeping a close eye on Kate during the process. The doctor believes this will take less than a week this visit but the Induction process is typically a week.

     There are four phases to chemotherapy treatment:
       The first phase is called Remission Induction. Treatment during this phase is designed to kill the leukemic cells in the blood and the bone marrow, putting the disease into remission.
       The second phase is Central Nervous System Directed Therapy. This phase kills cancer cells in the central nervous system and prevents the disease from spreading to the spinal fluid.
       The Consolidation/Intensification phase is given after the disease is considered to be in remission. It's designed to kill remaining leukemic cells that may be inactive but could begin growing again and cause the leukemia to recur. This phase usually lasts several months.
       The maintenance phase is the final phase of treatment that lasts for two to three years. It's used to kill any remaining cells that could cause a recurrence. Medications are often given at lower doses.

     So her hemoglobin dropped to 6.1 overnight (in less than 12 hours) so they are getting everything together for another blood transfusion (#6). Today she'll also get a spinal tap which will inject some chemo into her spinal cord while they take a sample to test to see if the leukemia has made its way into the spinal cord.. we are hoping it hasn't.

     Dr. Yang is a superstar of a doctor, but seriously all of the doctors that we have encountered have been awesome. Our least favorite area was the Harper Hutzel ER room (happy to be out of there). They may take another bone marrow biopsy if Dr. Yang doesn't get back the results from the company they sent the bone marrow biopsy they took in Flint McLaren Hospital.

     Dr. Yang doesn't want to delay treatment anymore so another bone marrow biopsy is a possibility, and he can get the results next day to find out if she is Philadelphia chromosome positive or negative, which dictates what ingredients need to be in the chemo treatment.

     Starting blood transfusion now... need to get Kate's blood count up. Only numbers they are really focusing on are hemoglobin (they want above 7 and it's 6) and platelets (they want in the 50's and it's in the 30's).

     Finished transfusion just now and they are now moving into doing a bone marrow biopsy on the left side since it was done on the right side. Also adding some platelets.

     Good news is they didn't do a bone marrow biopsy but instead they did something where they just extracted some marrow, which I think they called aspired. So Kate earns her hashtag again #k8strong. They mentioned MRD testing, need to look that up. Next they are adding platelets and will do the spinal tap, adding chemo in the spinal fluid at the same time as taking some fluid for testing.

     Kate just left to IVR (radiation) for spinal punch. The procedure is roughly 20-40 minutes and then there is recovery. They do sedate Kate, which she is looking forward to so maybe she could get some sleep.

     Dr. Yang got some news from the bone marrow biopsy and they said Kate is Philadelphia chromosome negative, but he wants to double-check since treatment is very important to know for sure. So the test he did earlier will give him those results in 24 hours. He did say they are trying to get us a room on the 8th floor which is reserved for chemo patients. They do not want to start chemo until Kate gets on the 8th floor since the nurses here on the 9th floor don't work with chemo. Now we wait for procedure.

     Just spoke to Dr. Yang as he made a visit on his way out for the day. He recommends Kate lay as flat as she can when she gets back to the room for 2 hours preferably but 1 hour minimum.

     He said there is no reason why they cannot start chemotherapy tomorrow, which will consist of two drugs for chemo and she will have to take one pill (steroid) orally. The steroid she will take daily and the two chemo injections she will do once a week. More than likely she will need another transfusion but the current tentative goal is go home Friday and come back Monday. Repeat process for a total of four weeks, which would conclude the Induction process, at which time they want to get more bone marrow to see if the cancer cells are declining.

     Kate got some food in her and now she's fighting through some pain (with the assist of some pain killers) and maybe one more dose of pain killers before she tries to get some sleep. I'm hoping to sleep on a cot or anything besides these chairs, which are not comfortable.

     I really need to thank our friends and family for helping take care of our dogs while we are gone. It's a huge stress for Kate and I being so far away, but everyone seems to be helping relieve the stress and I seriously can't thank you enough.

     It appears the remainder of our night will hopefully be uneventful, so don't be surprised if you don't see any more posts tonight (unless something negative happens).

     We just got moved down to the chemotherapy floor (8) so now we are in room 8223. Her hemoglobin is down to 7 so they are going to give her a blood transfusion.

     Kate got some sleep and woke up on her own at 4am because she had to pee. The nurses then did bloodwork to see if her hemoglobin is back up from 7.4 now that she had a unit of blood last night. White blood cells 1.3 (normal is 4-11) and platelets 35 (normal is 55+). Kate's fed; she took a Tylenol 3 for pain (pill), allopurinol (pill), antiviral (pill), anti-bacterial (pill) and an anti-fungal (oral liquid) medicine. Now we wait for Dr. Yang to give us the game plan for today.
  11. What is a Lumbar Puncture - Spinal Tap

     During the time you are fighting cancer (especially A.L.L.) you will have to receive several Lumbar Punctures, also referred to as Spinal Taps. So what are they?

     Lumbar puncture, also known as a spinal tap, is a medical procedure in which a needle is inserted into the spinal canal, most commonly to collect cerebrospinal fluid for diagnostic testing. The main reason for a lumbar puncture is to help diagnose diseases of the central nervous system, including the brain and spine.

     A lumbar puncture (spinal tap) is performed in your lower back, in the lumbar region. During a lumbar puncture, a needle is inserted between two lumbar bones (vertebrae) to remove a sample of cerebrospinal fluid. This is the fluid that surrounds your brain and spinal cord to protect them from injury. A lumbar puncture can help diagnose serious infections. Sometimes doctors use lumbar punctures to inject anesthetic medications or chemotherapy drugs into the cerebrospinal fluid.
  12. 11:00pm they brought her down for x-ray. Gave Kate Toradol at this time for her headaches. When we came in they gave her via an IV (not using PICC line) cefepime 2gm which is an antibiotic. We are watching 2.5 Men (the era that Charlie Sheen still existed).

     Just had a visit from the Karmanos doctor on duty, who did a quick evaluation of Kate. Going to transfer Kate up to a room in Karmanos, just waiting.

     So the Karmanos doctor on duty came in and did some more checking while we wait for a room. She mentioned Kate's hemoglobin is down to 7.2 and her white blood cell count is at 1.7, so now we wait for her room.

     Got our room (9203) in Karmanos on the 9th floor but was told they may move her to the 8th floor.. but not sure when. I'm thinking Kate would really just like to sleep. FYI: room is HUGE.
  13. Arrived at Harper-Hutzel Hospital (it's attached to Karmanos and they address after-hours concerns with Karmanos patients). Just saw Dr. Woolman. Man, he was a talker. Not giving Kate a chance to answer any questions. They asked these questions:
       When admitted to McLaren (Flint): Tuesday the 4th.
       When bone marrow biopsy: 2/6/20
       When was PICC line installed: 2/6/20
       Last transfusion: 2/7/20
       Did they give you any medicine: dexatron (2/7/20-2/10/20) 40mg a day for the 4 days.
       When did you learn for sure Kate has ALL: bone marrow biopsy confirmed Kate has ALL on 2/10/20
       Allergic to anything: no
       Taking any medicine: allopurinol (300mg) because uric acid high, Norco 7.5mg for discomfort from bone marrow biopsy but hasn't taken any
       Anything doctor should know? We noticed bleeding from PICC line. Mentioned she had a bloody nose.

     NOTE: We are going to avoid Harper Hutzel Hospital as much as humanly possible.... horrible!
  14. Fevers are no good

     Tonight Kate developed a fever (running 100.5) and what's scary is they say if you have Leukemia and get a fever you must go to the nearest Emergency Room since it's more than likely an infection, which can prove to be fatal. So right now we are calling 1-800-Karmanos to find out what they want us to do.

     Patients with acute lymphoblastic leukemia (ALL) present with either symptoms relating to direct infiltration of the marrow or other organs by leukemic cells, or symptoms relating to the decreased production of normal marrow elements. Fever is one of the most common symptoms of ALL, and patients with ALL often have fever without any other evidence of infection. However, in these patients, one must assume that all fevers are from infections until proved otherwise, because a failure to treat infections promptly and aggressively can be fatal. Infections are still the most common cause of death in patients undergoing treatment for ALL.

     The doc called Kate and said she needs to immediately get down to the hospital because it means it could be infection. Loading up the car and heading down as fast as we can since the doctor expressed urgency.
  15. Home Care Nurse Visit

     Last night Kate called the Support line for the Homecare nurse complaining about how much the bandage hurts after they redid it during our Hospital visit yesterday (Friday). Kate was complaining of a burning sensation and was very uncomfortable. A homecare nurse showed up and was very polite and helped explain how to clean the PICC line with basically salt water and yea, I got my intro on how to do this myself for Kate. She re-bandaged it up and Kate kept thanking the nurse because it was like night and day difference. She is no longer after the polite home care nurse re-bandaged Kate's PICC line.

     Now if I could only get Kate to relax... I'm trying to restrict her some so she doesn't get her blood flowing. In my mind, more blood flow means the quicker the cancer can spread since it is a cancer of the blood. Of course that's my logic and I really don't want to lose my wife.

     What is a PICC Line? Below is a pretty good illustration, but it's basically a quick way for doctors to pull blood without having to re-stab Kate with a needle every time. It's also a place for the doctor to administer the chemo treatments. She has to keep moving that right arm so it doesn't get buildup on the line as well as get clogs.. we don't want to get clogs in the line, which is why I get the pleasure of flushing the line out daily.

     I am glad she is more comfortable now. Kareta had hers in her chest & that seemed constantly uncomfortable. So glad she doesn't have it in her chest. So much love & many prayers being sent!
  16. Abby Angel Gift

     Came home from a tough appointment today to find a care package waiting for Kate. One of the sweetest women at McLaren health plan is always looking out for how she can encourage and help others. One of those ways is through her "Abby Angels". She lost someone and decided years ago to light the path for others struggling by giving these angels when they are needed. It is an honor to be gifted one by Lana because it means that she is now a warrior for your battle. We came home today to a package of an Abby Angel from Lana's personal collection to watch over and protect us while we fight this battle. Words cannot express the thoughtfulness and encouragement that this angel and sweet Lana have instantly brought to our home. Thank you all for being part of our warrior tribe. With this much determination, there is no way we won't succeed in our battle.
  17. Karmanos DETROIT Visit 1 About to go to bed but figured I'd post a quick update about our first visit to Karmanos in Detroit and our visit with Dr. Yang (2.14.2020). We were given Valet so getting in wasn’t too bad and traffic down from Davison was quick. Front staff that checked us in was very professional and then a guide brought us to the room on the second floor where we had a pretty brief wait before being called back. Dr. Yang is another great doctor that is very knowledgeable. Leukemia is his specialty and he is very informed on Kate’s condition. He mentioned it’s typically found in kids (under the age of 12) with around an 80% success rate of fully cured within three years. If she was 70 years old she would have a 10% chance of survival with treatment. Dr. Yang said she might be somewhere in the middle being 34 years old but he wants to treat Kate as a child which means it’s more aggressive chemo. So estimated treatment is: 1-3 months of very aggressive chemo treatment First 4 weeks is induction Then 6-7 months aggressive chemo Maintenance Kate will have 20 spinal taps over the course of three years to make sure the leukemia hasn’t entered her spinal cord since it wants to get to her brain which would be not a good thing. Unfortunately she will have to have multiple bone marrow biopsies to monitor the progress chemo is having on the cancer located in the bone marrow. During this process she will have routine blood transfusions to get her blood numbers up since chemo will bring them down. Eventually after chemo kills the cancer cells, her bone marrow will hopefully start producing good cells. How the doctor explained it is the good cells are getting pushed out or over run by all the leukemia cells. So chemo will hopefully kill this leukemia cells. 
Monday Kate's hemoglobin was 8.8, then Thursday (yesterday) it was 8.7, and when measured today it was down to 8.3. Apparently when your hemoglobin drops too low you run the risk of bleeding and not being able to stop the bleeding. They told us if Kate begins to bleed and we can't get it to stop within an hour that I should drive her to the ER at Harper Hutzel, which is attached to Karmanos, and they will admit her then. Scary stuff. Ran into a little worry. Tonight (9:25pm) Kate began to have a nose bleed (her first ever). It luckily stopped within the first 10 minutes because if it didn't stop in an hour we would have been heading back down to Karmanos via the Harper-Hutzel Emergency Room.
  18. Acute Lymphoblastic Leukemia (ALL)

    What is acute lymphoblastic leukemia?
    Acute lymphoblastic leukemia (ALL) is a cancer that affects the white blood cells. These cells fight infection and help protect the body against disease. Patients with ALL have too many immature white blood cells in their bone marrow. These cells crowd out normal white blood cells. Without enough normal white blood cells, the body has a harder time fighting infections. ALL affects a type of white blood cell called lymphocytes, causing them to build up in the liver, spleen and lymph nodes.

    How common is acute lymphoblastic leukemia?
    ALL is the most common type of childhood cancer. It most often occurs in children ages 3 to 5 and affects slightly more boys than girls. ALL is most common in Hispanic children, followed by those of white and African-American descent. About 3,000 people younger than age 20 are found to have ALL each year in the United States. Siblings of children with leukemia have a slightly higher risk of developing ALL, but the rate is still quite low: no more than 1 in 500.

    What are the symptoms of acute lymphoblastic leukemia?
    Symptoms of ALL include:
    Frequent infections
    Fever
    Easy bruising
    Bleeding that is hard to stop
    Flat, dark-red skin spots (petechiae) due to bleeding under the skin
    Pain in the bones or joints
    Lumps in the neck, underarm, stomach or groin
    Pain or fullness below the ribs
    Weakness, fatigue
    Paleness
    Loss of appetite
    Shortness of breath

    How is acute lymphoblastic leukemia treated?
    Expect your child's ALL treatment to include three phases:
    Induction — to kill the leukemia cells in the blood and bone marrow and put the disease into remission (a return to normal blood cell counts)
    Consolidation/intensification — to rid the body of any remaining cells that could begin to grow and cause the leukemia to return (relapse)
    Maintenance — to destroy any cancer cells that might have survived the first two phases

    Four types of treatment may be used during any of these treatment phases:
    Chemotherapy ("chemo") — uses powerful medicines to kill cancer cells or stop them from growing (dividing) and making more cancer cells. Chemo may be injected into the bloodstream, so that it can travel throughout the body. Some chemo may be given by mouth. Combination therapy uses more than one type of chemo at a time.
    Stem cell transplant — includes replacing blood-forming cells in the bone marrow that have been killed by chemo and/or radiation therapy. A stem cell transplant gives the patient new blood cells from a donor's blood or bone marrow. These cells grow into healthy blood cells to replace the ones the patient lost. Some types of stem cell transplants may be called "bone marrow transplants" because the cells come from the donor's bone marrow.
    Radiation therapy — uses high-energy X-rays or other types of radiation to kill cancer cells or stop them from growing.
    Targeted therapy — uses medicines or other treatments that target and attack specific cancer cells without harming normal cells.

    What are the survival rates for ALL?
    The National Cancer Institute (NCI) estimates 5,960 people will receive a diagnosis of ALL in the United States in 2018. About 1,470 people will die from the disease in 2018. Several factors can determine survival rates, such as age at diagnosis and subtype of ALL. The five-year survival rate in the United States is 68.1 percent, reports the NCI. However, these numbers are steadily improving.
From 1975 to 1976, the five-year survival rate for all ages was under 40 percent. Although most people who receive a diagnosis of ALL are children, the highest percentage of Americans with ALL who pass away are between the ages of 65 and 74. In general, about 40 percent of adults with ALL are considered cured at some point during their treatment, estimates American Cancer Society. However, these cure rates depend on a variety of factors, such as the subtype of ALL and age at diagnosis. A person is “cured” of ALL if they’re in complete remission for five years or more. But because there’s a chance of the cancer coming back, doctors can’t say with 100 percent certainty that a person is cured. The most they can say is whether or not there are signs of cancer at the time.
  19. So over the course from Tuesday night when Bridgett took blood (2.4.2020) to Saturday (2.8.2020) noonish my wife had to get a bone marrow biopsy so they could determine what blood disease she has. The initial thought from the hematologist was aplastic anemia, but after the bone marrow biopsy it was for sure leukemia, just not sure which kind until results were back from Karmanos Cancer Research in Detroit. We received FINAL confirmation yesterday that it is for sure Acute Lymphocytic Leukemia (ALL), otherwise known as acute lymphoblastic leukemia, which in children under the age of 12 has a good chance for cure and in adults they say there is still a chance to be cured.

    What is a Bone Marrow Biopsy? A bone marrow biopsy involves removing a small sample of the bone marrow inside your bones for testing. Bone marrow is a soft tissue in the center of most large bones. It makes most of the body's blood cells. The biopsy is done using a small needle inserted into the bone.

    We met with Dr. Eilander, Karmanos Flint, on 2.13.2020 and he was fairly confident in the diagnosis and treatment but strongly/highly recommended Dr. Yang located at the Karmanos in Detroit, with whom we have an appointment tomorrow (2.14.2020). I'm sure I'm missing pieces since my head is drowning in knowledge of what this disease is. I have to apologize that my time is reduced since I am doing everything I can to support my wife while she is going through this without breaking down myself. It's insane to think of a time where we were both healthy and just enjoying the day, probably stressing about stuff that doesn't even matter today or involved in drama that goes away. Everything now seems so minor (except our Health Insurance).
  20. We get pulled into the back room, they look at what her doctor sent over and they wanted to double check for themselves so they also took her blood. In a few minutes they came back and said, "How are you walking?" When her doctor pulled her blood her hemoglobin was at 5 (normal for women is between 12 and 15) and her white blood cells were at 1 (normal is between 4 and 11). Now in the ER her hemoglobin is down to 4.3 and her white blood cells are down to less than 1. NOW they are giving her a ton of attention and she immediately gets two bags of O negative blood (since she is O+) at the fastest rate they can perform a blood transfusion, which is 150, in hopes of getting her blood levels up. Kate said it felt so cold entering her body and it tasted like aluminum in her mouth, which reminded her of a Pepsi, which is disgusting to her. She asked for the Coke version of O- but I guess they didn't have any. They did more blood work (checking to see if it's raising her counts) and it did slightly, but she required a total of 5 bags of O-.
  21. guru

    Splunk Request Logging

    SCENARIO: the virtual server is up, the pool is up, but browsing to the URL the application never comes up. This happens when the attached request-log profile has Respond on Error enabled and its logging pool has no available members. Below is an example of such a virtual server:

ltm virtual /Integration/vs.sim1.102799.qa.enterpriseremarketing.int.thezah.com.443 {
    destination /Integration/10.46.65.206:443
    ip-protocol tcp
    last-modified-time 2021-11-15:10:18:54
    mask 255.255.255.255
    partition Integration
    persist {
        cookie {
            default yes
        }
    }
    pool /Integration/pool.sim1.102799.qa.enterpriseremarketing.int.thezah.com.443
    profiles {
        http { }
        logprofile { }
        oneconnect { }
        serverssl {
            context serverside
        }
        ssl.client.qa.enterpriseremarketing.int.thezah.com {
            context clientside
        }
        tcp-lan-optimized { }
    }
    rules {
        /Integration/irule.qa.enterpriseremarketing.int.thezah.com.content.redirect
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool MOD_SNAT_POOL
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 1492
}

Since the virtual server and the pool both show up, run a tcpdump against the IP address of the virtual server to see what is going on:

tcpdump -s0 -nni 0.0:nnnp -vvv -w /var/tmp/qa.enterprise_20200312.pcap host 10.46.65.206

To make use of the Wireshark F5 plugin the capture has to be taken with -s0 (full packets) and with the F5 trailer enabled on the interface: a colon after the interface name followed by a single, double, or triple n selects, respectively, low, medium, and high trailer detail, and the trailing p also captures the matching peer (server-side) flow.
In Wireshark use the display filter f5ethtrailer.rstcausetxt to show only the packets that carry an F5 reset cause (the screenshot from the original post is not reproduced here). From that you can see the F5 is RESETTING the connection (F5RST), and the reset cause traces back to the Respond on Error setting in the attached request-log profile (logprofile).

When a virtual server has the logprofile attached it sends an extreme amount of data to Splunk, so it only gets turned on for critical applications or when you are troubleshooting an application and want more log data to find out exactly what's going on. With Respond on Error = Enabled, when the Splunk servers go down the application also goes down. With Respond on Error = Disabled (the default setting), when the logging server goes down the application continues to function. The CLI command to disable it on the profile is:

tmsh modify ltm profile request-log logprofile proxy-respond-on-logging-error no

Follow it with tmsh save sys config so the change survives a reboot. Hope you find this helpful. Also note that for the capture above to display F5RST, you have to install the Wireshark F5 plugin on Wireshark 2.5 and older, while on Wireshark 2.6 and newer you just need to enable it via Analyze > Enabled Protocols > F5 Ethernet trailer (f5ethtrailer). Now you can
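Rather than discovering this setting from a packet capture after the outage, you can audit for it in advance. The script below is an added example, not part of the original post: it parses bigip.conf-style text as printed by tmsh list ltm profile request-log all-properties, reports every request-log profile whose proxy-respond-on-logging-error is yes together with its logging pool, and emits (without running) the tmsh command that turns the setting off. The sample profiles are constructed; the attribute names request-log-pool and request-logging are assumed from the request-log profile schema and are not taken from the original post.

```shell
#!/bin/bash
# Added example: find request-log profiles that fail closed when the logging
# pool is down (proxy-respond-on-logging-error yes).  Input is bigip.conf-style
# text, e.g.:  tmsh list ltm profile request-log all-properties

# Constructed sample, not copied from a real device.  Attribute names other
# than proxy-respond-on-logging-error are assumed from the profile schema.
SAMPLE_PROFILES='ltm profile request-log /Common/logprofile {
    defaults-from /Common/request-log
    proxy-respond-on-logging-error yes
    request-log-pool /Common/pool.splunk.hec
    request-logging enabled
}
ltm profile request-log /Common/logprofile-safe {
    defaults-from /Common/request-log
    proxy-respond-on-logging-error no
    request-log-pool /Common/pool.splunk.hec
    request-logging enabled
}
ltm profile request-log /Common/request-log {
    request-logging disabled
}'

# Reads profiles on stdin; prints "<profile> <pool>" for each one that will
# reset client connections when its logging pool has no available members.
risky_request_log_profiles() {
    awk '
        $1 == "ltm" && $2 == "profile" && $3 == "request-log" {
            name = $4; pool = "(none)"; risky = 0; next
        }
        $1 == "proxy-respond-on-logging-error" { risky = ($2 == "yes"); next }
        $1 == "request-log-pool"               { pool = $2; next }
        $1 == "}" && name != "" {
            if (risky) print name, pool
            name = ""
        }'
}

# Emits the remediation for each risky profile; nothing is executed here.
remediation_commands() {
    risky_request_log_profiles |
        awk '{ printf "tmsh modify ltm profile request-log %s proxy-respond-on-logging-error no\n", $1 }'
}

# Stand-alone run on the sample.  On a BIG-IP, replace the printf with:
#   tmsh list ltm profile request-log all-properties | risky_request_log_profiles
printf '%s\n' "$SAMPLE_PROFILES" | risky_request_log_profiles
printf '%s\n' "$SAMPLE_PROFILES" | remediation_commands
```

The parser treats a missing proxy-respond-on-logging-error line as "no", which is the shipped default; feed it the all-properties output so a profile inheriting yes from a parent profile is still caught.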
  22. guru

    MAF User Management

    There may be times when a user is asked to "Reauthenticate" when logging into the child sites. Why does this happen? Usually it's because the passwords are not in sync, meaning the password was changed on the child site somehow instead of on the main/master site (eventguyz.com). How to fix it? Have an administrator update your password on both the master site and the child site. You can then change/update your password by going to the main/master website (https://eventguyz.com), logging in, and in the top right corner clicking on your name and then Account Settings. There you will see the ability to update your password. Once completed you can log into any of the child sites with the updated password. For administrators it's a tad different. You need to log into the backend of each site (or have another administrator do it) and change your password.
  23. guru

    Davison Robotics

    Today is the last day supporting the website. Some bad eggs. No longer supporting the following websites:

    davisonrobotics.com
    davisonrobotics.net
    davisonrobotics.org
    team10058.com
    team9514.com
    team3534.com

    DONE! Yes, the logo (not reproduced here) is something provided by EventGuyZ.
  24. guru

    Davison Robotics

    Davison Robotics is part of an extracurricular activity offered to students of the Davison Community Schools that offers the ability to learn STEM (Science, Technology, Engineering, and Mathematics) and is part of FIRST. Current Davison Community Schools FIRST teams include:

    Davison High School (Team 3534)
    Davison Middle School (Team 10058, Team 9514)
    Davison Intermediate School ( )
    Davison Elementary School ( )

    EventGuyZ became a supporter and addressed the lack of a davisonrobotics.com website in early 2018. They were using team3534.com but had nothing to represent any of the other Davison Robotics teams, so we registered davisonrobotics.com and created a general Davison Robotics logo. Then we created email accounts for the domain @davisonrobotics.com, since the turnover of volunteers and board members is pretty frequent, so when volunteers contact supporters and/or vendors the email will be saved for the next person. All we do is set up a forward to the volunteer's personal email so they can see the email come into their mailbox (still leaving the original in the mailbox on the server). To respond, they can email from whatever@davisonrobotics.com so everything is saved. All working beautifully. The initial website used WordPress, which was slow... very, very slow. It was getting attacked on a regular basis (unsuccessfully), but the investment to build the website on WordPress and add all the requested features was taking more money than we felt comfortable donating, so we had to regroup and strategize on a better solution. We ended up building an Invision Community website that was beautiful, functional and half the cost. It also provided much better security. Kids and coaches were using the site successfully and then began the downward spiral, which is why the website no longer exists.
We did this to help the kids and support volunteers since they are giving up their time to help the students be successful but being ungrateful for the thousands invested breaks that relationship very easily. We wish Davison Robotics much success. You can follow them on Facebook.
  25. guru

    F5 GTM-DNS Sync Group

    This is to help better explain the purpose of a sync group on the F5 GTMs, otherwise known as BIG-IP DNS. F5's reference figure (not reproduced here) shows that, after a configuration change is made on the Los Angeles BIG-IP DNS system, the local big3d process initiates an iQuery connection to the BIG-IP DNS sync group members in New York and Europe and advertises the updated configuration to the remote gtmd processes.

    Synchronization details

    When you configure BIG-IP DNS synchronization, the sync group members share and synchronize BIG-IP DNS configuration objects and metrics data. The following list shows the relevant configuration objects and whether each is synchronized:

    Wide IP addresses: Yes
    Data centers: Yes
    Servers: Yes
    Virtual servers: Yes
    Links: Yes
    GSLB iRules: Yes
    Topology records / Regions: Yes
    Distributed applications: Yes
    GSLB global settings: Yes
    GSLB monitors: Yes
    DNSSEC zones / Keys: Yes
    DNS zone files: Not synchronized by default
    Named configuration: Not synchronized by default
    Listener addresses: No
    DNS Express zones: No
    DNS cache: No

    Synchronization group requirements

    Before you configure synchronization, you should be aware of the requirements for BIG-IP DNS synchronization group members to communicate and synchronize properly, which are found in F5 K13734. The high-level summary is: for the BIG-IP DNS synchronization group members to properly synchronize their configuration settings, verify that the following requirements are in place.

    BIG-IP DNS synchronization group members must be running the same software version
    A BIG-IP DNS device should be running the same software version as the other members in the synchronization group. BIG-IP DNS devices that are running different software versions will not be able to communicate and properly synchronize BIG-IP DNS configuration and zone files. For information about displaying the software version, refer to K8759: Displaying the BIG-IP software version.
    Synchronization parameters must be properly defined for all members
    Synchronization must be enabled and each device must have the same synchronization group name. On BIG-IP DNS 11.5.0 and later you define the synchronization parameters by navigating to DNS > Settings > GSLB > General.

    NTP must be configured on each device
    Before you can synchronize BIG-IP DNS systems, you must define the network time protocol (NTP) servers for all synchronization group members. Configuring NTP servers ensures that each BIG-IP DNS synchronization group member is referencing the same time when verifying the configuration data that needs to be synchronized. You can configure NTP by navigating to System > Configuration > Device > NTP.

    Port Lockdown must be set properly for the relevant self IP addresses
    Port lockdown is a security feature that specifies the protocols and services from which a self IP address can accept traffic. F5 recommends using the Allow Custom option for self IP addresses that are used for synchronization and other critical redundant-pair intercommunication, permitting only the services listed below. You can configure port lockdown by navigating to Network > Self IPs.

    Note: Management IP addresses are not compatible with iQuery; do not use them as server IP addresses in the DNS server list.

    Configure the following service ports for BIG-IP DNS operation on the specific self IP:

    TCP 4353 - iQuery
    TCP 22 - SSH
    TCP 53 - DNS
    UDP 53 - DNS
    UDP 1026 - Network Failover

    For further information on Port Lockdown behavior, refer to K17333.

    TCP port 4353 must be allowed between BIG-IP GTM systems
    BIG-IP DNS synchronization group members use TCP port 4353 to communicate. You must verify that port 4353 is allowed between BIG-IP DNS systems, including on any firewall or ACL in the path between them.
    Compatible big3d versions must be installed on synchronization group members
    The big3d process runs on BIG-IP systems and collects performance information on behalf of the BIG-IP DNS system. For metrics collection to work properly, synchronization group members must run the same version of the big3d process. For more information about verifying big3d version information, refer to K13703: Overview of big3d version management.

    A valid device certificate must be installed on all members
    The device certificate is used by the F5 system to identify itself to a requesting F5 client system. The default device certificate, /config/httpd/conf/ssl.crt/server.crt, must be installed on each sync group member. You can verify the certificate validity by navigating to System > Device Certificates.

    Configuration review via GUI

    Enable synchronization on the system to ensure that the BIG-IP DNS system that is already installed on your network can share configuration changes with the other BIG-IP DNS systems that you add to the BIG-IP DNS synchronization group.

    1. On the Main tab, click DNS > Settings > GSLB > General. The General configuration screen opens.
    2. Select the Synchronize check box.
    3. In the Group Name field, type the name of the synchronization group to which you want this system to belong.
    4. In the Time Tolerance field, type the maximum number of seconds allowed between the time settings on this system and the other systems in the synchronization group. The lower the value, the more often this system makes a log entry indicating that there is a difference. Tip: If you are using NTP, leave this setting at the default value of 10. In the event that NTP fails, the system uses the time_tolerance variable to maintain synchronization.
    5. Click Update.

    When a change is made on one BIG-IP DNS system in the BIG-IP DNS synchronization group, that change is automatically synchronized to the other systems in the group.
    Creating a data center on the existing BIG-IP DNS

    Create a data center on the existing DNS system to represent the location where the new BIG-IP DNS system resides.

    1. On the Main tab, click DNS > GSLB > Data Centers. The Data Center List screen opens.
    2. Click Create. The New Data Center screen opens.
    3. In the Name field, type a name to identify the data center. Important: The data center name is limited to 63 characters.
    4. In the Location field, type the geographic location of the data center.
    5. In the Contact field, type the name of either the administrator or the department that manages the data center.
    6. From the Prober Preference list, select the preferred type of prober(s):
       Inside Data Center - the default; select probers inside the data center.
       Outside Data Center - select probers outside the data center.
       Specific Prober Pool - select one of the Prober pools from the drop-down list, when you want to assign a Prober pool at the data center level.
       Note: Prober pools are not used by the bigip monitor.
    7. From the Prober Fallback list, select the type of prober(s) to use if insufficient numbers of the preferred type are available:
       Any Available - the default; select any available prober.
       Inside Data Center - select probers inside the data center.
       Outside Data Center - select probers outside the data center.
       None - no fallback probers are selected; prober fallback is disabled.
       Specific Prober Pool - select one of the Prober pools from the drop-down list, when you want to assign a Prober pool at the data center level.
    8. From the State list, select Enabled or Disabled. The default is Enabled, which specifies that the data center and its resources are available for load balancing.
    9. Click Finished.

    Defining a server on the existing BIG-IP DNS

    You must ensure that a data center where the new DNS system resides is available in the configuration of the existing BIG-IP DNS before you start this task.
    You define a new server, on the existing BIG-IP DNS system, to represent the new BIG-IP DNS system.

    1. On the Main tab, click DNS > GSLB > Servers. The Server List screen opens.
    2. Click Create. The New Server screen opens.
    3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters.
    4. From the Product list, select BIG-IP System.
    5. From the Data Center list, select the data center where the server resides.
    6. From the Prober Preference list, select the preferred type of prober(s):
       Inherit From Data Center - the default; a server inherits the prober preference selection assigned to the data center in which the server resides.
       Inside Data Center - a server selects the probers from inside the data center where the server resides.
       Outside Data Center - a server selects the probers from outside the data center where the server resides.
       Specific Prober Pool - select one of the Prober pools from the drop-down list, when assigning the Prober pool at the server level.
       Note: Prober pools are not used by the bigip monitor.
    7. From the Prober Fallback list, select the type of prober(s) to be used if insufficient numbers of the preferred type are available:
       Inherit From Data Center - the default; a server inherits the prober fallback selection assigned to the data center in which the server resides.
       Any Available - select any available prober.
       Inside Data Center - a server selects probers from inside the data center where the server resides.
       Outside Data Center - a server selects probers from outside the data center where the server resides.
       None - no fallback probers are selected; prober fallback is disabled.
       Specific Prober Pool - select one of the Prober pools from the drop-down list, when you want to assign a Prober pool at the server level.
    8. From the State list, select Enabled.
    9. In the BIG-IP System Devices area, click Add to add a device (server). Type a name in the Device Name field.
    10. Type an external (public) non-floating IP address in the Address field. If you use NAT, type an internal (private) IP address in the Translation field, and then click Add. Click Add. Click OK.
    11. From the Configuration list, select Advanced. Additional controls display on the screen.
    12. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
    13. From the Availability Requirements list, select one of the following and enter any required values:
        All Health Monitors - the default; specifies that all of the selected health monitors must be successful before the server is considered up (available).
        At Least - the minimum number of selected health monitors that must be successful before the server is considered up.
        Require - the minimum number of successful probes required from the total number of probers requested.
    14. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system:
        Disabled - the system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP DNS system or for a BIG-IP DNS/LTM combo system when you plan to manually add virtual servers to the system, or if your network uses multiple route domains.
        Enabled - the system uses the discovery feature to automatically add and delete virtual servers. Use this option for a BIG-IP DNS/LTM combo system when you want the BIG-IP DNS system to discover LTM virtual servers.
        Enabled (No Delete) - the system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist in the configuration. Use this option for a BIG-IP DNS/LTM combo system when you want the BIG-IP DNS system to discover LTM virtual servers.
    15. In the Virtual Server List area, if you selected Disabled from the Virtual Server Discovery list, specify the virtual servers that are resources on this server: in the Name field, type the name of the virtual server; in the Address field, type the IP address of the virtual server; from the Service Port list, select the port the server uses; click Add.
    16. Click Finished.

    Note: The gtmd process on each BIG-IP DNS system will attempt to establish an iQuery connection over port 4353 with each self IP address defined on each server of type BIG-IP in the BIG-IP DNS configuration. Allow port 4353 in your port lockdown settings for iQuery to work.

    The Server List screen opens displaying the new server in the list. The status of the newly defined BIG-IP DNS system is Unknown, because you have not yet run the gtm_add script.

    Running the gtm_add script

    Before you start this task, you must determine the self IP address of a DNS system in the BIG-IP DNS synchronization group to which you want to add another BIG-IP DNS. You run the gtm_add script on the BIG-IP DNS system you are adding to your network to acquire the configuration settings from a BIG-IP DNS system that is already installed on your network. For additional information about running the script, see K13312 (formerly SOL13312) on AskF5 (www.askf5.com). Note: The BIG-IP DNS and other BIG-IP systems must have TCP port 22 open between the systems for the script to work. Note also that gtm_add replaces the local BIG-IP DNS configuration with the configuration pulled from the existing member, so run it only on the system being added, never on an existing member.

    You must perform this task from the command-line interface.

    1. Log in as root to the BIG-IP DNS system you are adding to your network.
    2. Run this command to access tmsh:
       tmsh
    3. Run this command to run the gtm_add script:
       run gtm gtm_add
    4. Press the y key to start the gtm_add script.
    5. Type the IP address of the BIG-IP DNS system in the synchronization group to which you are adding this BIG-IP DNS system. Press Enter.
    6. If prompted, type the root password. Press Enter.
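For anyone who would rather script the GUI steps above (enable synchronization, create the data center, define the new BIG-IP as a server), the following is an added example and not part of the original post or of F5's documentation. It prints the tmsh command lines by default and only executes them when APPLY=1 is set; the group, data center, server names and addresses are constructed, and the tmsh syntax for gtm server devices follows the gtm schema as understood here, so confirm it with tmsh help gtm server on your version before applying. The interactive gtm_add step is deliberately left out.

```shell
#!/bin/bash
# Added example: tmsh equivalent of the GUI procedure for adding a second
# BIG-IP DNS to a sync group.  Commands are printed, not executed, unless
# APPLY=1.  Names and addresses below are constructed for the example.

SYNC_GROUP="dns-sync"
DC_NAME="dc-ny"
SRV_NAME="gtm-ny"
SRV_SELF_IP="10.20.0.5"       # non-floating self IP of the new BIG-IP DNS
SRV_TRANSLATION="192.0.2.5"   # address seen across NAT; leave empty if none

# Run tmsh, or just print the command line when not applying.
tm() {
    if [ "${APPLY:-0}" = 1 ]; then tmsh "$@"; else printf 'tmsh %s\n' "$*"; fi
}

# Step 1: turn on synchronization with the shared group name and the default
# 10-second time tolerance (run on the existing member).
enable_sync_cmd() {
    tm modify gtm global-settings general synchronization yes \
        synchronization-group-name "$1" synchronization-time-tolerance 10
}

# Step 2: create the data center the new system lives in.
#   create_datacenter_cmd NAME LOCATION CONTACT   (no spaces in the values)
create_datacenter_cmd() {
    tm create gtm datacenter "$1" location "$2" contact "$3"
}

# Step 3: define the new BIG-IP DNS as a server of product bigip, with the
# bigip monitor and virtual-server discovery disabled (the page's default).
#   create_server_cmd NAME DATACENTER SELF_IP [TRANSLATION]
# Syntax of the devices/addresses block is assumed from the tmsh gtm schema.
create_server_cmd() {
    addr="$3"
    if [ -n "$4" ]; then addr="$3 { translation $4 }"; fi
    tm create gtm server "$1" datacenter "$2" product bigip monitor /Common/bigip \
        virtual-server-discovery disabled \
        devices add { "$1" { addresses add { $addr } } }
}

# Step 4 is interactive and not scripted: on the NEW system run
#   tmsh run gtm gtm_add
# answer y, give an existing member's self IP and its root password.
# It overwrites the local DNS configuration, so never run it on a member.

enable_sync_cmd "$SYNC_GROUP"
create_datacenter_cmd "$DC_NAME" NewYork noc
create_server_cmd "$SRV_NAME" "$DC_NAME" "$SRV_SELF_IP" "$SRV_TRANSLATION"
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the existing sync group member; port lockdown on the self IP used for iQuery still has to allow TCP 4353 separately.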
    The BIG-IP DNS system you are installing on your network acquires the configuration of the BIG-IP DNS system already installed on your network.

    Implementation result

    The new BIG-IP DNS system that you added to the network is a part of a BIG-IP DNS synchronization group. Changes you make to any system in the BIG-IP DNS synchronization group are automatically propagated to all other BIG-IP DNS systems in the group.

    Troubleshooting BIG-IP DNS sync connections (11.x - 16.x)

    tmsh
    The tmsh utility lists failing server objects as Offline and a failing iQuery connection as Not Connected. The following tmsh commands show the status of BIG-IP DNS synchronization group members and iQuery connections:

    server - summary of defined DNS/GTM server objects: tmsh list /gtm server all ; tmsh show /gtm server all
    iquery - summary of iQuery statistics: tmsh show /gtm iquery all
    gtm - summary of DNS/GTM statistics: tmsh show /gtm

    Note: All members that participate in the iQuery mesh must be listed in the Server List. If a member of the iQuery mesh is not included in the Server List, some or all monitors may intermittently or consistently fail. The monitors fail any time the big3d agent on the missing member (server) is expected to perform and report the monitor status. This can result in virtual servers being marked offline with a reason of "no reply from big3d: timed out".

    Verify required configuration elements for synchronization group members

    For BIG-IP DNS synchronization group members to communicate and synchronize properly, you must verify that certain requirements are in place. To do so, review the following checklist.
    Software versions - run the same software version on all synchronization group members. GUI: System > Software Management. tmsh: tmsh show /sys software
    Sync settings - use the same synchronization group settings for all members. GUI: DNS > Settings > GSLB > General (BIG-IP 11.5.0 and later) or System > Configuration > Global Traffic > General (BIG-IP 11.4.1 and earlier). tmsh: tmsh list /gtm global-settings general all-properties
    NTP - configure NTP for all members. GUI: System > Configuration > Device > NTP. tmsh: tmsh list /sys ntp servers
    Port Lockdown - for self IPs that process iQuery traffic, use Allow Default (whose default service list includes TCP 4353) or Allow Custom with TCP 4353 explicitly permitted. GUI: Network > Self IPs. tmsh: tmsh list /net self allow-service
    iQuery port - verify that TCP port 4353 is allowed on interconnecting devices (firewalls, ACLs). Not applicable to the GUI or tmsh.
    big3d versions - run the same big3d version on all members. Note: The big3d version should not be older than the host BIG-IP version. Shell: big3d -v or /shared/bin/big3d -v

    Review log files

    Reviewing the log files is one way to determine the cause of synchronization/iQuery connection issues. The system logs global traffic events to the /var/log/gtm file. Some of the logging related to synchronization/iQuery connection issues is as follows.

    Device certificate messages
    The BIG-IP system uses SSL certificates for inter-device communication using the iQuery protocol. If device certificates are missing, expired, or contain duplicate common name (CN) entries with certificates on one of the synchronization group members, the system is marked Offline and logs an error message to the /var/log/gtm file that appears similar to the following example:

    SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    When creating or renewing BIG-IP device certificates, use the following guidelines: Device certificates should have unique and meaningful subject data.
    For example, the CN field should match the hostname of the BIG-IP system on which the certificate was created. When possible, create device certificates with an extended expiration date. Make sure that SSL certificates are not expired.

    iQuery connectivity messages
    The iQuery protocol uses TCP port 4353 to connect to synchronization group members. The system logs a successful iQuery connection to the /var/log/gtm file. For example:

    gtmd[8472]: 011ae020:5: Connection in progress to <iquery_peer>
    gtmd[8472]: 011ae01c:5: Connection complete to <iquery_peer>. Starting SSL handshake
    gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/<hostname> (ip=<iquery_peer>) state change red --> green
    gtmd[11895]: 011a5008:1: SNMP_TRAP: BIG-IP GTM /Common/<hostname> (<iquery_peer>) joined sync group default

    If the iQuery protocol is blocked, for example by a router ACL or packet filter, the BIG-IP DNS system marks its iQuery peer as Unavailable and attempts to reestablish the iQuery connection every 10 seconds. When this behavior occurs, a log sequence similar to the following example appears in the /var/log/gtm file:

    gtmd[11895]: 011a500c:1: SNMP_TRAP: Box <iquery_peer> state change green --> red (Box <iquery_peer> on Unavailable)
    gtmd[11895]: 011a5004:1: SNMP_TRAP: Server /Common/<hostname> (ip=<iquery_peer>) state change green --> red (No communication)
    gtmd[8472]: 011ae020:5: Connection in progress to <iquery_peer>
    gtmd[8472]: 011ae020:5: Connection in progress to <iquery_peer>
    gtmd[8472]: 011ae020:5: Connection in progress to <iquery_peer>
    gtmd[8472]: 011ae020:5: Connection in progress to <iquery_peer>

    NTP messages
    The Synchronization Time Tolerance setting specifies the number of seconds that one system clock can be out of sync with another system clock in the synchronization group.
If the time difference between synchronization group members is greater than the Synchronization Time Tolerance value, the system logs a message to the /var/log/gtm file that appears similar to the following example: gtmd[11895]: 011a0022:2: Time difference between GTM /Common/B3900-242 and me is 486 seconds -- Make sure NTP is running and GTM times are in sync This error message is an indication that NTP may not be configured on one or more synchronization group members. Troubleshoot iQuery connectivity BIG-IP DNS systems in a synchronization group create an iQuery mesh across synchronization group members. For example, the local BIG-IP DNS system's gtmd process opens an iQuery connection to its own big3d process, and to remote synchronization group member's big3d process. There may be occasions when you must test iQuery connectivity between synchronization group members. For example, if log messages indicate that a BIG-IP DNS system has marked its iQuery peer as Unavailable, you can perform the following troubleshooting procedure to test TCP port 4353 connectivity: Impact of procedure: Performing the following procedure should not have a negative impact on your system. Log in to the command line. To verify the iQuery connection status, enter the following netstat command: netstat -na |grep 4353 The following netstat output indicates that the local system (10.11.16.238) is listening on port 4353 and has an iQuery connection established to its own big3d process. 
In addition, the local system and its iQuery peer (10.11.16.242) have established an iQuery mesh: Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 :::4353 :::* LISTEN tcp 0 0 ::ffff:10.11.16.238:52794 ::ffff:10.11.16.238:4353 ESTABLISHED tcp 0 0 ::ffff:10.11.16.238:4353 ::ffff:10.11.16.242:58779 ESTABLISHED tcp 0 0 ::ffff:10.11.16.238:4353 ::ffff:10.11.16.238:52794 ESTABLISHED tcp 0 0 ::ffff:10.11.16.238:46882 ::ffff:10.11.16.242:4353 ESTABLISHED If the synchronization group iQuery mesh is incomplete, you can use the iqdump command to determine if the iQuery packets arrive at the destination. If the iQuery channel is not established, iqdump returns with an SSL error similar to the following example: iqdump 10.10.10.20 46947856243768:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168: Note: If the iqdump command returns a connection refused message, you should ensure connectivity for the iQuery channel is allowed, such as ensuring port 4353 is allowed by the self IP addresses on each system and devices in between. You may need to restart the big3d process to recover from the connection-refused condition. If the iQuery channel is established, iqdump returns XML similar to the following example: iqdump 10.10.10.20 <!-- Local hostname: lc1.example.com --> <!-- Connected to big3d at: ::ffff:10.10.10.10:4353 --> <!-- Subscribing to syncgroup: default --> <!-- Tue May 6 09:55:43 2014 --> <xml_connection> <version>11.5.1</version> <big3d>big3d Version 11.5.1.0.0.110</big3d> Verify device SSL certificates Each synchronizing group member must have a valid SSL device certificate installed in the /config/httpd/conf/ssl.crt/ directory for iQuery connections to succeed. 
If log messages indicate an issue with a device certificate on one of the synchronization group members, you can verify the certificate status by performing the following procedure:

Note: SSL certificates signed by a third-party certificate authority (CA) must include both the client authentication (clientAuth) and server authentication (serverAuth) extended key usage (EKU) extensions, to allow use by both server and client applications. For example, the big3d process operates as a server (serverAuth), while the gtmd process operates as a client (clientAuth). For information, refer to K7717: BIG-IP DNS and Link Controller support for third-party SSL certificates.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the command line.
2. Check the status of the device certificate by entering the following command:

  openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt

3. Verify the certificate validity date and confirm whether the certificate is expired.
4. If necessary, renew the certificate. To do so, refer to K16951115: Changing the BIG-IP DNS system device certificate using the Configuration utility.

Troubleshoot daemons

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

The tmm, mcpd, big3d, and gtmd processes are all critical to synchronizing BIG-IP DNS configurations. To confirm that the daemons are running as expected, use the tmsh command. For example, to confirm the status of the tmm, mcpd, big3d, and gtmd processes, enter the following command:

  tmsh show sys service tmm mcpd big3d gtmd

If the mcpd process is consuming more than 90 percent of a CPU, synchronizing actions, such as saving the configuration, may fail. To check the CPU usage for the mcpd process, enter the following command:

  top -p `pidof mcpd`

To quit, enter q.
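Added example, not part of the F5 article quoted above: a small shell script that takes the text printed by the openssl x509 -noout -text command from the certificate procedure above and applies the checks the article lists, namely that the certificate is not expired and that it carries both the serverAuth EKU (used by big3d) and the clientAuth EKU (used by gtmd). The certificate text embedded in it is constructed sample data, not a real BIG-IP certificate, and the function name check_device_cert is an assumption of this example. The expiry comparison works at day granularity so it does not depend on GNU date.

```shell
#!/bin/bash
# Added example (not from the F5 article): check a BIG-IP device certificate for the
# two conditions the article calls out: not expired, and both serverAuth and clientAuth
# EKUs present. Input is the text produced by:
#   openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt
# A "today" value as YYYYMMDD may be passed as $2 to make the expiry check reproducible.

# Constructed sample of the relevant openssl output lines (not real BIG-IP data).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: C=US, ST=WA, O=MyCompany, CN=bigip-dns1.example.com
        Validity
            Not Before: May  6 09:55:43 2014 GMT
            Not After : May  6 09:55:43 2034 GMT
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

# month_num <Mon>: three-letter month name to number (0 when unknown)
month_num() {
    case $1 in
        Jan) echo 1;; Feb) echo 2;; Mar) echo 3;;  Apr) echo 4;;  May) echo 5;;  Jun) echo 6;;
        Jul) echo 7;; Aug) echo 8;; Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) echo 0;;
    esac
}

# check_device_cert <openssl-text> [today-YYYYMMDD]
# Prints one finding per line; returns 0 only when every check passes.
check_device_cert() {
    text=$1
    today=${2:-$(date -u +%Y%m%d)}
    rc=0

    # "Not After : May  6 09:55:43 2034 GMT" -> compare as YYYYMMDD (day granularity)
    not_after=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p' | head -n 1)
    if [ -z "$not_after" ]; then
        echo "FAIL: no 'Not After' line found"
        return 1
    fi
    set -- $not_after                       # $1=Mon $2=day $3=time $4=year $5=zone
    expiry=$(( $4 * 10000 + $(month_num "$1") * 100 + $2 ))
    if [ "$expiry" -le "$today" ]; then
        echo "FAIL: certificate expired on $not_after"
        rc=1
    else
        echo "OK: certificate valid until $not_after"
    fi

    # The EKU names are on the line after the "X509v3 Extended Key Usage:" header
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case $eku in
        *"TLS Web Server Authentication"*) echo "OK: serverAuth EKU present (needed by big3d)";;
        *) echo "FAIL: serverAuth EKU missing"; rc=1;;
    esac
    case $eku in
        *"TLS Web Client Authentication"*) echo "OK: clientAuth EKU present (needed by gtmd)";;
        *) echo "FAIL: clientAuth EKU missing"; rc=1;;
    esac

    # The article asks for a meaningful CN; report it so it can be compared with the hostname
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    echo "INFO: subject CN is '${cn:-<none>}' (should match this BIG-IP's hostname)"
    return $rc
}

# Stand-alone use: "-f <cert>" checks a real certificate file, otherwise the embedded sample.
if [ "${1:-}" = "-f" ] && [ -n "${2:-}" ]; then
    check_device_cert "$(openssl x509 -noout -text -in "$2")"
else
    check_device_cert "$SAMPLE_CERT_TEXT"
fi
```

On a BIG-IP you would run it as ./check-device-cert.sh -f /config/httpd/conf/ssl.crt/server.crt; a non-zero exit status means at least one of the article's conditions for a working iQuery certificate is not met, which lines up with the "certificate verify failed" message shown earlier.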
Troubleshoot synchronization group members using the server type

Starting from BIG-IP 12.x, you can use the Server Type field from the tmsh show /gtm iquery command output to determine if the listed BIG-IP DNS devices are fully set up to be in the same BIG-IP DNS synchronization group. If the BIG-IP DNS device is fully set up to be in the same BIG-IP DNS synchronization group as the remaining listed BIG-IP DNS devices, the command output has the value BIGIP-DNS for Server Type, as shown in the following example:

  -----------------------------------------------------------
  Gtm::IQuery: 192.168.74.129
  -----------------------------------------------------------
  Server          b100
  Server Type     BIGIP-DNS

Note: The previous example output is truncated for brevity.

If the BIG-IP DNS device is not properly set up to be in the same BIG-IP DNS synchronization group as the remaining listed BIG-IP DNS devices, the command output has the value BIGIP for Server Type, as shown in the following example:

Important: For remote BIG-IP LTM devices that are integrated into the network with BIG-IP DNS, their Server Type continues to indicate BIGIP.

  --------------------------------------------------
  Gtm::IQuery: 192.168.74.130
  --------------------------------------------------
  Server          b101
  Server Type     BIGIP

Note: The previous example output is truncated for brevity.

If a BIG-IP DNS device is not properly set up, you may want to re-run the gtm_add utility on the affected BIG-IP DNS device.
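Added example, not part of the F5 article: two shell functions that apply the patterns from the Review log files and Troubleshoot iQuery connectivity sections above to saved copies of /var/log/gtm and of the netstat -na output, so a saved support bundle can be triaged offline. gtm_log_triage flags peers that keep logging "Connection in progress" without a matching "Connection complete", the "certificate verify failed" message, and the NTP time-difference warning; netstat_mesh_check verifies the four pieces of the mesh the article describes (the 4353 listener, the gtmd-to-local-big3d session, and a session in each direction with every peer). The log lines and netstat rows embedded below are constructed samples modelled on the article's examples, and both function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the F5 article): offline triage of the two artefacts the article
# tells you to inspect, /var/log/gtm messages and "netstat -na | grep 4353" output.
# Each function prints its findings and returns the number of problems found (0 = healthy).

# Constructed sample log lines (patterned on the article's examples, not a real capture).
SAMPLE_GTM_LOG='gtmd[11895]: 011a5004:1: SNMP_TRAP: Server /Common/b101 (ip=10.11.16.242) state change green --> red (No communication)
gtmd[8472]: 011ae020:5: Connection in progress to 10.11.16.242
gtmd[8472]: 011ae020:5: Connection in progress to 10.11.16.242
gtmd[8472]: 011ae020:5: Connection in progress to 10.11.16.242
gtmd[8472]: 011ae020:5: Connection in progress to 10.11.16.243
gtmd[8472]: 011ae01c:5: Connection complete to 10.11.16.243. Starting SSL handshake
gtmd[11895]: 011a0022:2: Time difference between GTM /Common/b101 and me is 486 seconds -- Make sure NTP is running and GTM times are in sync
gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/b102 (ip=10.11.16.243) state change red --> green'

# Constructed "netstat -na | grep 4353" sample: local system 10.11.16.238, peer .242 fully
# meshed, peer .243 reachable outbound only (no inbound session from it).
SAMPLE_NETSTAT='tcp        0      0 :::4353                     :::*                        LISTEN
tcp        0      0 ::ffff:10.11.16.238:52794   ::ffff:10.11.16.238:4353    ESTABLISHED
tcp        0      0 ::ffff:10.11.16.238:4353    ::ffff:10.11.16.242:58779   ESTABLISHED
tcp        0      0 ::ffff:10.11.16.238:4353    ::ffff:10.11.16.238:52794   ESTABLISHED
tcp        0      0 ::ffff:10.11.16.238:46882   ::ffff:10.11.16.242:4353    ESTABLISHED
tcp        0      0 ::ffff:10.11.16.238:46900   ::ffff:10.11.16.243:4353    ESTABLISHED'

# gtm_log_triage <log-text>: peers stuck in "Connection in progress", SSL certificate
# failures, and NTP time-difference warnings. Returns the number of problems.
gtm_log_triage() {
    problems=0
    for peer in $(printf '%s\n' "$1" | sed -n 's/.*Connection in progress to \([^ ]*\).*/\1/p' | sort -u); do
        if ! printf '%s\n' "$1" | grep -q "Connection complete to ${peer}[. ]"; then
            n=$(printf '%s\n' "$1" | grep -c "Connection in progress to ${peer}\$")
            echo "PROBLEM: $n attempts to $peer with no completion (port 4353 blocked on the path, or peer big3d down?)"
            problems=$((problems + 1))
        fi
    done
    if printf '%s\n' "$1" | grep -q 'certificate verify failed'; then
        echo "PROBLEM: SSL certificate verify failed (missing, expired or duplicate-CN device certificate)"
        problems=$((problems + 1))
    fi
    skew=$(printf '%s\n' "$1" | grep -c 'Time difference between GTM')
    if [ "$skew" -gt 0 ]; then
        echo "PROBLEM: $skew time-difference message(s) above the sync tolerance; check NTP on every member"
        problems=$((problems + 1))
    fi
    return $problems
}

# netstat_mesh_check <netstat-text> <local-ip> <peer-ip>...: verify the mesh described in
# the article. Returns the number of missing pieces.
netstat_mesh_check() {
    ns=$(printf '%s\n' "$1" | sed 's/::ffff://g')   # drop the IPv4-mapped prefix
    local_ip=$2
    shift 2
    missing=0
    if printf '%s\n' "$ns" | grep -Eq ':4353 +[^ ]+ +LISTEN'; then
        echo "OK: listening on 4353"
    else
        echo "MISSING: no listener on 4353 (is big3d running?)"; missing=$((missing + 1))
    fi
    if printf '%s\n' "$ns" | grep -Eq "$local_ip:[0-9]+ +$local_ip:4353 +ESTABLISHED"; then
        echo "OK: gtmd connected to local big3d"
    else
        echo "MISSING: no gtmd -> local big3d session"; missing=$((missing + 1))
    fi
    for peer in "$@"; do
        if printf '%s\n' "$ns" | grep -Eq "$local_ip:[0-9]+ +$peer:4353 +ESTABLISHED"; then
            echo "OK: outbound session to $peer:4353"
        else
            echo "MISSING: no outbound session to $peer:4353"; missing=$((missing + 1))
        fi
        if printf '%s\n' "$ns" | grep -Eq "$local_ip:4353 +$peer:[0-9]+ +ESTABLISHED"; then
            echo "OK: inbound session from $peer"
        else
            echo "MISSING: no inbound session from $peer (peer cannot reach our 4353; check its port lockdown / ACLs)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Stand-alone run against the constructed samples. On a BIG-IP, feed "$(cat /var/log/gtm)"
# and "$(netstat -na | grep 4353)" instead, with the real self IP and peer addresses.
gtm_log_triage "$SAMPLE_GTM_LOG" || echo "log problems found: $?"
netstat_mesh_check "$SAMPLE_NETSTAT" 10.11.16.238 10.11.16.242 10.11.16.243 || echo "mesh pieces missing: $?"
```

With the samples above, the log triage reports two problems (peer 10.11.16.242 never completes, and one NTP warning) and the mesh check reports one missing piece (no inbound session from 10.11.16.243), which is the same picture the article's own log and netstat excerpts paint for a peer marked Unavailable.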