Curiosities, gotchas

Today’s Issues:

  • Licensing your upgrade BEFORE you actually upgrade
  • Putting your Application Template to work

Where we are:

  • Successful upgrade of a production F5 BIGIP LTM 6400 from 9.3.1 to version 10.0.1
  • Successful Implementation of a version 10.0.1 Application template to move a production SharePoint 2007 website behind an F5 BIGIP LTM 6400, with SSL Offloading enabled

Although both of these are now working, there was some weirdness, and a few curiosities, before we got the green light.

How we got here:

There’s only so much testing you can do; at some point you’ve got to pull the trigger and make your changes in production. Maybe it’s just me, but I heard a quote somewhere, something about “the best laid plans…” and going awry.

Upgrades & License Activation

As you’ve read in previous posts, I’ve been able to do a lot of planning and testing and mistake-making, and seemed to have everything ironed out. The upgrade to version 10 was ready first, and was going great until things literally came to a screeching halt.

Following my own instructions, here we went:

  1. Run command im BIGIP-
  2. Run command image2disk BIGIP-
  3. Run command image2disk --instslot=HD1.2 --format=volumes BIGIP-

This should have been it. Wait for a few minutes, let the system reboot, and up it comes on the new version.

Cue the skidding car.

First we got back:

warning: License entitlement check failed. Please Reactivate.
Cannot continue (use --nvlicenseok to force)

Hmmm. Didn’t get this anywhere before. Well, headed over to the browser to System >> License, and tried to Re-activate.

Well, as you may recall from any time you’ve had to hit the licensing application, you need web access. Which is all well and good, but we’re working from the management port here, which by definition isn’t able to be on the same network, and in my situation very much didn’t have web access.

Hmmm. Well if it gives you an option to override the license check, maybe it will let you re-activate under the new version… maybe?

Not so fast. Yes, the install of the new system will proceed, and succeed, but then you can’t do much else. After the reboot completes, you’re presented with the following after logging back into the console:

Local/locahost emerg mcpd[2409]: … : Software version not covered by service agreement. See service check date and version date in /var/log/ltm.
Local/locahost emerg mcpd[2409]: … : License is not operational (expired or digital signature does not match contents).

And the LCD panel shows: CRITICAL ERROR: License is not operational

More fun… you can only access the device from the management interface or from the same network as an active interface, on both the console and the GUI, and only as Root. A quick call to F5 support provided me with a new bigip.license with proper licensing information. Upload it to /config/bigip.license, reboot, and all’s well that ends well.

For future reference, if you get the message to re-activate, do it before you run the upgrade.
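
A pre-flight check along those lines, as an added example (not from the original post and not F5 tooling): it reads the service check date out of the license file and compares it with the license check date of the release you are about to install. The `Service check date : YYYYMMDD` line format and both dates in the demo are assumptions; the required date for your target release is something you look up and pass in yourself.

```bash
#!/bin/bash
# Added example, not F5 tooling. Assumes the license file holds a line of the
# form "Service check date : YYYYMMDD".

# Print the service check date from a license file; return 1 if none is found.
service_check_date() {
    local file="$1" found
    found=$(sed -n 's/^Service check date[[:space:]]*:[[:space:]]*\([0-9]\{8\}\).*$/\1/p' \
        "$file" 2>/dev/null | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Returns 0 if the license covers the target release, 1 if it must be
# re-activated first, 2 if the check could not be made.
license_covers_version() {
    local file="$1" required="$2" current
    case "$required" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "required date must be YYYYMMDD" >&2; return 2 ;;
    esac
    if ! current=$(service_check_date "$file"); then
        echo "no service check date found in $file" >&2
        return 2
    fi
    if [ "$current" -ge "$required" ]; then
        echo "OK: service check date $current covers $required"
        return 0
    fi
    echo "RE-ACTIVATE FIRST: service check date $current is older than $required"
    return 1
}

# Demo on a constructed license fragment; both dates are made-up placeholders.
sample=$(mktemp)
printf 'Service check date :               20081001\n' > "$sample"
license_covers_version "$sample" 20090501 || echo "do not run image2disk yet"
rm -f "$sample"
# On the unit itself: license_covers_version /config/bigip.license <YYYYMMDD>
```

Run it while the box still has a working path to the licensing server, so a failed check can be fixed before the maintenance window rather than from the management port.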

Application Templates

As we discussed, Application Templates are new in version 10, and expanded further for 10.0.1. In a previous post, we did a run-through of how to set up a SharePoint implementation. Here’s the real-world result… with some funny business. Some on the part of Windows Server 2008, some with IIS7, and some on the LTM.

Here’s what we started with:

  • Windows Server 2008, IIS 7
  • SharePoint 2007
  • 2 IP addresses, URL resolves to .5 and the server itself responds on .10
  • SSL Certificate lives on server
  • Website configured to respond on “All Unassigned” on port 443

Where we wanted to go:

  • F5 Virtual Server responds on .5 on port 443
  • F5 offloads SSL traffic
  • F5 passes HTTP traffic to server on .10

What we did:

  • Ran through the SSL Certificate & Key upload process (converted from PFX)
  • Ran through the Application Template, using a dummy IP for the virtual server (until ready for the real changeover)
  • Removed the .5 address from the server
  • Added the .5 address to the Virtual Server configuration (both for the “https” and “http” virtual servers)
  • Configured IIS to bind the SharePoint site to .10 on port 80

Here’s where the weirdness kicked in… The only way we could get the site to respond properly was to retain the binding on .10 on port 443. I don’t quite get what’s going on here, as my understanding was that when SSL offloading is happening, the traffic from the LTM to the server itself was ONLY over port 80.

Once that was set, we were good to go.


2 Responses to “Curiosities, gotchas”

  1. 1 Brian
    December 3, 2009 at 11:43 pm

    Thanks for the info – I hit the same issue when upgrading from version 9.4.7 to version 10.0.1. Reactivated the license key before re-running the installation command and it worked like a charm.
