what to do about hotfixes and updates

Today’s Issue:

How to prepare for, and install a Hotfix on the BIGIP LTM 6400 running 10.0.1 configured with Volumes

Where We Are:

As noted in the previous post, F5 released several hotfixes for the LTM recently (we’re now at HF2 for 10.0.1).  As you may or may not know, you don’t install updates or hotfixes to the active volume… you apply them to an inactive volume, then you reboot into the patched one.  That way, if something blows up, you boot back into the un-patched one and back to where you were.

How We Got Here:

So there are several things going on here…

1. Installing an inactive boot volume
2. Installing a hotfix
3. Image, Boot Volume, and Update/Hotfix Management

Everything that I’m going to present will be performed from the GUI, however it is my understanding that it can also all be done from the CLI.

As well, the scenarios below have been performed by connecting both to the Management Port and through the device’s external IP address, without any interruption to service (except obviously for the reboot part).

Continue reading ‘what to do about hotfixes and updates’

BIG-IP v10.0.1 HF1 Released

For those of you who haven’t seen…

BIG-IP v10.0.1 HF1 Released
F5 Networks is excited to announce the release of BIG-IP v10.0.1 hotfix 1.  While there are no new features in this release, it does improve upon the BIG-IP v10.0.1 branch with increased stability. F5 strongly recommends upgrading from any version of 10.0.1 to v10.0.1 HF1. This release contains:

* Stabilization fixes for LTM, GTM, ASM, and WAM
* A BIND vulnerability resolution

Software: https://downloads.f5.com/esd/productlines.jsp
Documentation: https://support.f5.com/kb/en-us.html – Select your product from the dropdown box.
Software support policy: https://support.f5.com/kb/en-us/solutions/public/8000/600/sol8651.html
Managing LVM 10.x Hotfixes: https://support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html
Managing Partitioned 10.x Hotfixes: https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9819.html
Managing 9.x Hotfixes: https://support.f5.com/kb/en-us/solutions/public/6000/800/sol6845.html

Just a disclaimer, I haven’t gotten around to installing this yet, but hope to sometime in the next few days

SSLDump – Hey where’d it go?

Today’s Issue:

How to monitor & dump HTTP and HTTPS traffic for troubleshooting a Sharepoint 2007 website with F5 Support, on an LTM 6400 running 10.0.1, configured for SSL Offloading

Where We Are:

As we’ve talked about in the previous post, I can still reliably reproduce the problem of trying to modify a Sharepoint Web Part using the Rich Text Editor while in IE.  I’ve been working with F5 support to get to the bottom of this, but it sounds like they’re as stumped as me.  So now we’re doing some real-time monitoring and TCPDumps, which they’re trying to decipher… good choice of words, as this is all SSL traffic, so how do you read it?  Here’s how to get from point gobbledygook to point B.

How We Got Here:

Once again, in a nutshell:

• Sharepoint 2007 Application Template deployment on and LTM 6400 running 10.0.1
• SSL Offloading configured by using OpenSSL to break PFX into SSL Cert & Key, then imported onto LTM
• Browse to site as admin from outside (hitting F5 on port 443 first, then F5 passes you to web server over port 80 in the back), edit the web part, and you get errors
• Browse to site as admin from inside (hitting web server directly over port 443 from an internal subnet) edit the web part and life is good

Recommendation from F5 is to run HTTPWatch on the sessions while concurrently running a TCPDump locally on the F5, and send them the goods on both a working and non-working set of transactions.  Here’s what we did, and what I messed up (still wiating to hear back from today’s uploads) Continue reading ‘SSLDump – Hey where’d it go?’

sharepoint 2007 WebPartPages.asmx & 500 Errors

Today’s Issue:

Error while using IE to edit a Sharepoint 2007 page behind a BIGIP LTM 6400 v10.0.1 configured for SSL Offloading:

Cannot retrieve properties at this time

Where We Are:

After deploying a Virtual Server for the Sharepoint 2007 site using the Application Templates in version 10.0.1, site admins cannot create new pages, or edit existing content using the “Edit Content” hyperlink when using IE.  Workaround at this point is one of two options:

Leave the site behind F5, and edit content in another browser

• Pro:  Allows you to edit content
• Con:  Editor window is small, simple text box, no rich formatting

Move site out from behind F5, and edit content in IE

• Pro: Allows full editing capabilities
• Con:  Site is no longer load balanced

How We Got Here

As outlined in another post and over on DevCentral, we used the new Sharepoint 2007 Application Template to move an existing site from it’s single WFE setup, to being behind our LTM 6400.  The current setup only utilizes 1 WFE now, but we have plans to expand as time & funding permit.

As we’ve discussed, the move went fine, the template seems to have provided all of the necessary nuts & bolts to make everything function, but now that we’ve dug in some more, we’ve encountered a relatively significant problem. Continue reading ’sharepoint 2007 WebPartPages.asmx & 500 Errors’

Curiosities, gotchas

Today’s Issues:

• Licensing your upgrade BEFORE you actually upgrade
• Putting your Application Template to work

Where we are:

• Successful upgrade of a production F5 BIGIP LTM 6400 from 9.3.1 to version 10.0.1
• Successful Implementation of a version 10.0.1 Application template to move a production SharePoint 2007 website behind an F5 BIGIP LTM 6400, with SSL Offloading enabled

Although both of these are now working, some weirdness and curiosities before we got the green light.

How we got here:

There’s only so much testing you can do, at some point you’ve got to pull the trigger and make your changes in production. Maybe it’s just me, but I heard a quote somewhere, something about “the best laid plans…” and going awry.

Continue reading ‘Curiosities, gotchas’

Working with Application Templates – Sharepoint 2007

A big feature of the 10.x upgrade is the Application Template “wizard.”   BIGIP has their deployment guides, which walk you through creating all of the configuration objects you need to get set up and running, but they aren’t always the clearest map through the woods.  As discussed on the DevCentral site, the wizard/survey/form takes a lot of the page-turning out of the mix, and presents everything in a much clearer manner (as in all on one page, fill-in-the-blanks-and-click-go).

Here’s my take on using the Microsoft Sharepoint 2007 Application Template, what you need, and what it makes for you.

Continue reading ‘Working with Application Templates – Sharepoint 2007′

The real deal – upgrade from 9.3.1 to 10.0.1

Today’s Issue:

Out of the box F5 BIGIP LTM 6400 device with 9.3.1 installed and active, to be upgraded to latest 10.0.1 version, including the switch from partitions to volumes

Where we are:

Starting fresh.  Luckily I’ve got a spare LTM laying around that I was able to experiment with over the last few weeks before upgrading in production.  Even luckier, I have 1 “production” that I can play with that really doesn’t hurt anyone if it blows up, since no one’s on it yet.

How We Got Here:

As you’ve seen, I took a bit of a roundabout approach to getting the system upgraded, and slipped a few times along the way.  As such, I think it only safe to assume that a few of the snafus had something to do with how easily (or not) things went (or didn’t).

So with that said, here’s the run-through of the process to get from 9.3.1 to 10.0.1 that I just performed in all of about 20 minutes:

Continue reading ‘The real deal – upgrade from 9.3.1 to 10.0.1′

SSL Certificates exported from IIS… where were we?

Today’s Issue:

Export existing SSL certificate from Windows 2008 (IIS 7) and private key to a password-protected PFX file, and import for SSL Offloading use on BIGIP LTM6400 9.3.1

Where We Are:

We’re essentially back at square one here.  Upgrading to version10.0.1 did nothing to resolve the IMPORT FAILED: CERTIFICATE/KEY MISMATCH error when I tired to import several different ways.  Need to know THE way to do this correctly.

How We Got Here:

To recap:

If I export the cert from IIS, the only option I have is to export as password-protected .PFX. When I import certificate (Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys), I get: Continue reading ‘SSL Certificates exported from IIS… where were we?’

Volumes over Partitions. Wait… what?

Today’s Issue:

Validating an F5 BIGIP LTM 6400 System upgrade from 9.3.1 to 10.0.1 including migrating from Partitions to Volumes.

Where We Are:

So we did it, then we un-did it, and re-did it again (to make sure we did it right, of course), but it went far to smoothly this time, and we don’t quite believe it.  Just want to have a clearer picture of what we’re getting into, before we really do it.

How We Got Here:

So I heard back from F5 support this morning… some good news, and some questionable news.

First the weirdness:  turns out that the install, while relatively quick, certainly should have taken longer than 15 seconds to complete.  Somehow I have a feeling that the previous install of 10 never really went away, although we verified using the “local-install” script to confirm its non-existence AND after we got 10 rebuilt on volumes, there were now 3 (count ‘em) volumes, where previously there had been 2 partitions:

Continue reading ‘Volumes over Partitions. Wait… what?’

Upgrading – But wait… there’s more!

Today’s Issue:

Restoring a UCS archive from 9.3.1 configuration to a 10.0.1 upgrade installation on an F5 BIGIP LTM 6400

Where We Are:

Through various iterations, have “successfully” upgraded to 10.0.1, but without the transfer of settings & configuration objects (virtual servers, nodes, pools, user accounts, etc)

How We Got Here:

Continuing from yesterday’s post:

Test 1 – Change the hostname to match the previous… worked like a charm.

Test 2 – import & install of the old version to the secondary partition was actually SIMPLE with the new interface.  So far has taken about an hour for the new install to “activate” reboot…  once that comes up, make sure the UCS config is still there, or re-apply the archive (thinking re-apply, as this will be on a new partition without the old files/filesystem).

Continue reading ‘Upgrading – But wait… there’s more!’