Chapter 4 - Using the Traffic Management Shell (tmsh)

Managing System Backups with UCS Archives

Before you replace a version of the BIG-IP system with a newer version, apply an upgrade or a hotfix, or make significant configuration changes, you should create an archive (backup copy) of the current configuration data in the form of a user configuration set, or UCS. Then, if you need to recover that data later, you can restore it from the archive.

By default, a UCS archive contains all of the files that are required to restore your current configuration to a new system, including configuration files, the product license, local user accounts, and Secure Socket Layer (SSL) certificate/key pairs. You can override these defaults at the time you create the archive.

UCS archives can be created and managed using either the Configuration utility or tmsh. Only users with the Administrator or Resource Administrator role can load configuration data with tmsh. Other roles receive an error message.

Saving archives

By default, the BIG-IP system saves a UCS archive file with a .ucs extension and stores the archive in the directory /var/local/ucs. If using the GUI (System » Archives), this is the only location in which you can create a new archive. You can save a UCS archive directly to a different directory on the BIG-IP system using the command line (tmsh) but, if you do, you will not be able to see the file in the list of archives on the GUI. F5 recommends that you include the BIG-IP hostname as part of the filename to easily associate the archive with the system on which it was generated.

After you create an archive on the BIG-IP system, you can download a copy of it to the system from which you are running the Configuration utility - preferably a secure remote system. Remember, the default UCS archive contains SSL private keys, user accounts, passwords and critical system files.
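The shell script below is an example added to this section (it is not part of the F5 course material or of the BIG-IP software) and puts the two recommendations above into practice: each archive is named after the hostname plus a timestamp, and only a configurable number of local copies per host are kept, so the archive directory does not quietly fill the disk before a copy has been taken off-box. The retention count, the NO_KEYS and UCS_PASS switches, and the dry-run behaviour on a host without tmsh are this script's own assumptions; the no-private-key and passphrase options it passes are the ones tmsh accepts on save /sys ucs in v11.

```shell
#!/bin/sh
# Example added to this section (not F5's own tooling): a small wrapper around
# "tmsh save /sys ucs" that follows the advice above - hostname in the file
# name - and keeps the local archive directory from growing without bound.
# Assumed by this script: the retention count, the NO_KEYS / UCS_PASS switches
# and the dry-run behaviour when tmsh is not installed on the host.

UCS_DIR="${UCS_DIR:-/var/local/ucs}"   # default archive directory named in the text
KEEP="${KEEP:-3}"                      # assumed retention: local archives to keep per host

# <hostname>_<YYYYmmdd_HHMMSS>.ucs; the timestamp sorts lexically in date order,
# which is what prune_ucs relies on to tell old archives from new ones.
ucs_archive_name() {
    printf '%s_%s.ucs\n' "$1" "$2"
}

# Delete all but the newest $3 archives matching <$2>_*.ucs in directory $1.
# Other files in the directory (cs_backup.ucs, archives of other hosts) are left
# alone. Prints the number of files removed.
prune_ucs() {
    dir="$1"; prefix="$2"; keep="$3"
    old=$(ls -1 "$dir" 2>/dev/null | grep "^${prefix}_.*\.ucs$" | sort |
          awk -v k="$keep" '{ a[NR] = $0 } END { for (i = 1; i <= NR - k; i++) print a[i] }')
    removed=0
    for f in $old; do
        rm -f "$dir/$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Save a new archive for host $1, then prune. NO_KEYS=1 adds no-private-key,
# UCS_PASS=<secret> adds passphrase (both then appear on the tmsh command line,
# so set them from a root-only cron wrapper rather than an interactive shell).
save_ucs() {
    name=$(ucs_archive_name "$1" "$(date +%Y%m%d_%H%M%S)")
    opts=""
    [ "${NO_KEYS:-0}" = 1 ] && opts="$opts no-private-key"
    [ -n "${UCS_PASS:-}" ] && opts="$opts passphrase $UCS_PASS"
    if command -v tmsh >/dev/null 2>&1; then
        tmsh save /sys ucs "$UCS_DIR/$name" $opts
    else
        echo "dry run (no tmsh here): tmsh save /sys ucs $UCS_DIR/$name$opts" >&2
    fi
    prune_ucs "$UCS_DIR" "$1" "$KEEP" >/dev/null
    echo "$name"
}

# Stand-alone demonstration on a scratch directory with constructed file names.
demo=$(mktemp -d)
for day in 20140201 20140202 20140203 20140204; do
    : > "$demo/bigip1_${day}_020000.ucs"
done
: > "$demo/cs_backup.ucs"
echo "removed $(prune_ucs "$demo" bigip1 2) archive(s); left in $demo:"
ls -1 "$demo"
rm -rf "$demo"
```

Run it from cron as root with UCS_DIR left at its default; the name it prints is the file to copy to the remote store. Everything the script deletes matches <hostname>_*.ucs, so the system's own cs_backup.ucs rotation and archives made by hand under other names are untouched.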
Storing the archive in a secure, remote location provides an extra level of protection in the unlikely event that you need to restore the data and the BIG-IP system prevents you from accessing the archive in the BIG-IP system directory. It also frees up space on your BIG-IP hard drive. If your configuration data includes SSL keys and certificates, be sure to store the UCS archive in a secure environment.

Administering BIG-IP v11

Saving multiple UCS files locally can consume available hard drive space which can, in turn, impact BIG-IP functions. F5 recommends that you save archived UCS files offsite for secure disaster recovery.

See SOL175: Transferring files to or from an F5 system

If you do decide to store UCS archives locally, the following utilities can lessen the impact:
• Crontab - The crontab utility can be used to create and control the frequency with which UCS files are created.
• Logrotate - The logrotate utility can be used to rotate the UCS files to save disk space.

See SOL13418: Archiving UCS files using the logrotate and crontab utilities

Customizing UCS archive options

At the time you create a UCS archive, you can request that the contents of the archive be encrypted with a passphrase and/or that private keys be excluded, as shown in Figure 9.

Figure 9: Encrypting a UCS at the time it is created. Private keys are also excluded in this example. (Screenshot of the System » Archives page: file name bigip4_20140204_encrypt_nokeys, Encryption Enabled, Private Keys Exclude, BIG-IP 11.5.0 Build 0.0.221.)

Customizing the data contained in a UCS archive

The files that are included in a UCS archive are described in the file /usr/libdata/configsync/cs.dat. This file contains:
• Keys that specify what files to include
• Keys that specify what directories to include
• Keys that specify what files to exclude

If your system configuration has been customized to reference files that are not included in the default BIG-IP installation, you should consider adding these files to the archive process.

See SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive

Restoring the BIG-IP System from a UCS Archive

Changes in BIG-IP 11.x

Prior to BIG-IP version 11, when restoring a BIG-IP system from a UCS archive, configuration data was restored either partially or in full depending on the hostname of the unit and the hostname stored in the archive file. If the hostname of the unit matched the hostname stored in the UCS archive, BIG-IP restored the full configuration, including self IP addresses and VLANs. If the hostname of the unit did not match the hostname stored in the archive, BIG-IP restored only the shared configuration (e.g. virtual servers, pools, profiles). Beginning in BIG-IP v11.0.0, BIG-IP always restores the full configuration by default when installing a UCS configuration archive.

BIG-IP software version and platform considerations

F5 recommends that the BIG-IP system being restored run the same version of the BIG-IP software as the system from which the archive was backed up. However, you can restore a BIG-IP v10.x UCS archive on a system running BIG-IP v11.x software.

Licensing considerations

The BIG-IP license is associated with a specific hardware serial number. The UCS archive contains the license of the system from which the configuration was saved. To successfully install a UCS archive file on a BIG-IP system, you must perform one of the following actions:
• Restore the UCS archive to the same system from which it was saved.
• Have the license associated with the serial number of a new system. (To do so, contact F5 Technical Support.)
• Relicense the BIG-IP system after restoring the UCS archive.
• Save the license file (bigip.license) prior to restoring the configuration from another system, and then copy the license file back after the restore is complete.
• Install the UCS archive by using the no-license option on the tmsh load sys ucs command. This option is mostly used during an RMA process. It loads the full configuration minus the license. If you use a different license from the one contained in a restored UCS archive, the license must include authorization for the same options and add-on modules (e.g. LTM, ASM, GTM, etc.). Consult with F5 Technical Support before using this option.

There are other considerations when restoring a UCS archive to a BIG-IP system that is not the system on which it was created, including but not limited to:
• GTM considerations (relating to bypassing synchronization on UCS restore, and restoring DNSSEC configuration data)
• ASM considerations (may need to provision BIG-IP ASM prior to the restore)
• Restoring a UCS file on a BIG-IP unit that is part of a high availability group (how to do this without interrupting service)
• vCMP considerations (host vs. guest configuration data, and the impact on guests when restoring a host)

See SOL13132: Backing up and restoring BIG-IP configuration files (11.x)

Managing UCS Archives with tmsh

When compared with the GUI, tmsh provides many more options for creating and restoring UCS archives. For example, you can create a UCS archive in a directory other than the default directory (/var/local/ucs). Or, when restoring from a UCS archive, you can bypass restoring the BIG-IP license.

The basic commands for saving and restoring a UCS archive are shown in the table below.

Module: sys
  save ucs   Creates the UCS archive file at the specified location. If just a filename is specified, the UCS file is saved by default in the /var/local/ucs/ directory.
  load ucs   Restores the UCS archive file from the specified location. If just a filename is provided, BIG-IP looks for the file in the /var/local/ucs/ directory.

Note: You may have to reboot the BIG-IP system for the restored UCS archive to take effect.

Restoring archives using the Configuration utility

If using the Configuration utility to restore a UCS archive, the archive must be in the /var/local/ucs directory; otherwise it will not appear in the archive list. If you previously downloaded an archive to a remote system, you should upload it first to the /var/local/ucs directory at System » Archives.

Single Configuration Files (SCF)

Working with single configuration files

When you save a single configuration file, BIG-IP first gathers all of the configuration data on the running system in the form of tmsh commands (and their attributes and values) that can be used to recreate the configuration at a later date. Once gathered, BIG-IP saves the configuration commands to a flat text file in the /var/local/scf/ directory with the name you specify and an extension of .scf. For example:

tmsh save /sys config file bigip1_20121128

saves the currently running configuration as /var/local/scf/bigip1_20121128.scf.

When you install an SCF on a target BIG-IP system, the target system first saves the currently running configuration to /var/local/scf/backup.scf, and then loads the specified SCF into running memory. For example:

tmsh load /sys config file bigip1_20121128.scf

saves the currently running configuration to /var/local/scf/backup.scf before loading the SCF file at /var/local/scf/bigip1_20121128.scf onto the system.
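Because an SCF is plain text made of tmsh commands, a file saved on one BIG-IP can be edited and loaded on another. The script below is an example added here (not F5 tooling) of that edit step: it rewrites a list of addresses in a saved SCF and then checks that none of the old addresses are left before the file is handed to tmsh load /sys config file. SCF_TEMPLATE is a constructed fragment with invented object names and addresses; the OLD=NEW mapping syntax and the function names are this script's own.

```shell
#!/bin/sh
# Example added to this section (not F5's own tooling): an SCF is plain text made
# of tmsh commands, so a template saved on one system can be rewritten for the
# next one before "tmsh load /sys config file". This rewrites addresses and
# reports any that survived the edit. SCF_TEMPLATE is a constructed fragment
# with invented object names and addresses; the OLD=NEW mapping syntax and
# the function names are this script's own.

SCF_TEMPLATE='net self self_int {
    address 10.10.1.31/24
    vlan internal
}
net route default {
    gw 10.10.1.1
}
ltm virtual vs_ssh {
    destination 10.10.1.100:22
    pool ssh_pool
}
ltm virtual vs_web {
    destination 10.10.1.10:80
    pool web_pool
}'

# Turn a dotted address into a regex that matches it only as a whole address:
# 10.10.1.1 must not touch 10.10.1.10 or 10.10.1.100, nor the tail of 210.10.1.1.
addr_re() {
    printf '(^|[^0-9.])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# stdin: template SCF; args: OLD=NEW pairs; stdout: rewritten SCF.
retarget_scf() {
    script=""
    for m in "$@"; do
        old=${m%%=*}; new=${m#*=}
        script="${script:+$script;}s#$(addr_re "$old")#\\1$new\\2#g"
    done
    sed -E "$script"
}

# stdin: SCF text; args: the same OLD=NEW pairs. Prints each old address that is
# still present - a non-empty result means the file is not ready to load.
leftover_addrs() {
    text=$(cat)
    for m in "$@"; do
        old=${m%%=*}
        printf '%s\n' "$text" | grep -Eq "$(addr_re "$old")" && echo "$old"
    done
    return 0
}

# Stand-alone run: move the template from 10.10.1.0/24 to 10.10.2.0/24.
MAP="10.10.1.1=10.10.2.1 10.10.1.31=10.10.2.31 10.10.1.100=10.10.2.100"
printf '%s\n' "$SCF_TEMPLATE" | retarget_scf $MAP
echo "--- still referencing old addresses (none expected):"
printf '%s\n' "$SCF_TEMPLATE" | retarget_scf $MAP | leftover_addrs $MAP
```

The point of addr_re is that a naive sed 's/10.10.1.1/.../' also rewrites 10.10.1.10 and 10.10.1.100, the kind of silent corruption that shows up only after the new unit is in service; anchoring each address on both sides and running leftover_addrs afterwards catches both the partial match and the address you forgot to map.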
tmsh commands for managing single configuration files

Module: sys
  save config file [filename]   Saves a copy of the currently running configuration as an SCF with the name provided by [filename]. Does not affect the running or stored configuration of the BIG-IP system on which you run the command.
  load config file [filename]   Saves the running configuration in /var/local/scf/ and then resets the running configuration to the values contained in the SCF file specified by [filename].
  load config default           Saves the running configuration in /var/local/scf/ and then resets the running configuration to the factory default settings contained in /defaults/defaults.scf.

Guidelines for using SCF files

• Build a BIG-IP template configuration using the Configuration utility or tmsh.
• Save an SCF file from the fully-configured system using the tmsh save /sys command, and store the SCF file in a safe place for future use. This SCF file can be used as a template to configure future BIG-IP systems.
• When you are ready to use the SCF file to configure a new BIG-IP system, copy the SCF file to the new BIG-IP system, and edit the SCF prior to importing it to change IP addresses, routing information, and other common settings, as needed.
• Install the modified SCF file into the new BIG-IP system using the tmsh load /sys command.

Viewing the BIG-IP Connection Table

Lesson Objectives

At the end of this lesson, you should be able to:
• Define the term connection reaping
• Use tmsh to view and filter the BIG-IP connection table results

About the Connection Table

The BIG-IP system manages each connection explicitly by keeping track of the connection in the connection table while the connection is still active. The connection table contains state information about client-side and server-side connections, as well as the relationships between them. Each connection in the connection table consumes system resources to maintain the table entry and monitor connection status. The BIG-IP system uses several metrics to determine when a connection is no longer active and then retires the connection to avoid exhausting critical system resources such as memory and processor cycles.

Connection reaping

Connections that close or reset in a normal way are retired from the connection table automatically. Many connections, however, often remain idle without closing normally, for any number of reasons (such as a response that did not flow back through the BIG-IP system). Consequently, the BIG-IP system reaps these connections once they have been determined to be inactive. Reaping is the process of retiring or recycling connections that would otherwise remain idle.

The BIG-IP system has a number of time-outs that can be set to promote active connection management. These timeouts are outside the scope of this course, but more information can be found in the BIG-IP Local Traffic Manager Concepts manual.

Viewing the connection table

As an administrator, you may wish to view entries in the connection table from time to time. For example, during troubleshooting, you may wish to get a quick snapshot of connection activity that involves a particular client, virtual server, and/or load balanced pool member. You can use the tmsh show sys connection command to view current connection table entries. This command includes several options to limit the display to connections that match specified client-side or server-side filtering criteria, as shown in Figure 10.
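The pipeline below is an example added to this section (not part of the course text): it runs a per-client connection count over a constructed sample of tmsh show /sys connection output, so the counting can be tried without a BIG-IP. SAMPLE_CONN follows the column order the command prints (cs-client, cs-server, ss-client, ss-server, protocol, idle seconds) with invented addresses, and the function names are this example's own. On a live system the sample is replaced by the real command, and the cs-server-addr/cs-server-port filters are given to tmsh rather than applied afterwards, so the system does less work.

```shell
#!/bin/sh
# Example added to this section (not part of the F5 course text): the
# "count connections per client" pipeline applied to a sample of
# "tmsh show /sys connection" output, so it can be tried without a BIG-IP.
# SAMPLE_CONN is constructed in the column order the command prints
# (cs-client, cs-server, ss-client, ss-server, protocol, idle seconds);
# the addresses are invented. On a real system replace the sample with
# the live command, e.g.:  tmsh show /sys connection | top_clients 50

SAMPLE_CONN='Sys::Connections
10.10.1.30:3378 10.10.1.100:22 10.10.1.30:3378 172.16.20.1:22 tcp 9
10.10.2.30:4599 10.10.1.100:22 10.10.2.30:4599 172.16.20.2:22 tcp 2
10.10.1.30:3402 10.10.1.100:22 10.10.1.30:3402 172.16.20.3:22 tcp 1
10.10.3.30:5120 10.10.1.100:80 10.10.3.30:5120 172.16.20.1:80 tcp 0
10.10.1.30:3410 10.10.1.100:80 10.10.1.30:3410 172.16.20.2:80 tcp 4
Total records returned: 5'

# Reads table output on stdin. Keeps only entry lines (they begin with a digit,
# which drops headers and totals), takes the client address from the first
# column, counts occurrences and sorts descending. $1 = how many clients to show.
top_clients() {
    grep '^[0-9]' | awk -F: '{ print $1 }' | sort | uniq -c | sort -nr | head -n "$1"
}

# Same count, but only for entries whose client-side server address:port (column 2)
# equals $1 - the after-the-fact equivalent of the cs-server-addr/cs-server-port
# filters, which on a live system should be passed to tmsh instead.
top_clients_for_vs() {
    awk -v vs="$1" '/^[0-9]/ && $2 == vs' | top_clients "$2"
}

# Number of table entries for one virtual server, as a bare integer.
count_for_vs() {
    awk -v vs="$1" '/^[0-9]/ && $2 == vs' | wc -l | tr -d ' '
}

# Stand-alone run over the sample.
echo "Top clients overall:"
printf '%s\n' "$SAMPLE_CONN" | top_clients 3
echo "Top clients on 10.10.1.100:22 ($(printf '%s\n' "$SAMPLE_CONN" | count_for_vs 10.10.1.100:22) entries):"
printf '%s\n' "$SAMPLE_CONN" | top_clients_for_vs 10.10.1.100:22 3
```

The grep on a leading digit is what keeps the Sys::Connections header and the "Total records returned" trailer out of the count; without it those two lines show up as bogus "clients" at the bottom of the list.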
Figure 10: Client-side and server-side filters available for use on the tmsh show /sys connection command. (Diagram: on the client side of the virtual server the cs-client-addr, cs-client-port, cs-server-addr and cs-server-port filters apply; on the server side the ss-client-addr, ss-client-port, ss-server-addr and ss-server-port filters apply, with pool members 172.16.20.1 and 172.16.20.2.)

Based on the illustration in Figure 10:

tmsh show /sys connection cs-server-addr 10.10.1.100

might produce output similar to the following:

cs-client-addr:port   cs-server-addr:port   ss-client-addr:port   ss-server-addr:port
10.10.1.30:3378       10.10.1.100:22        10.10.1.30:3378       172.16.20.1:22        tcp  9
10.10.2.30:4599       10.10.1.100:22        10.10.2.30:4599       172.16.20.2:22        tcp  2

Had the virtual server been configured with SNAT Auto Map, the server-side source address (ss-client-addr) would reflect one of the BIG-IP system's self IP addresses - hopefully a floating self IP address on the 172.16/16 network such as 172.16.1.33.

Running the tmsh show /sys connection command globally (to display the entire connection table) places a load on the BIG-IP system and can cause the system to restart if the command is interrupted before completing. Consider using the available filters based on client-side IP addresses and/or ports as well as server-side addresses and/or ports to limit the number of connection table entries displayed. If displaying the entire table, wait for tmsh to complete the collection and formatting of connection table information.

See SOL15246: The TMM process may restart when the 'tmsh show sys connection' command is interrupted

Examples of viewing the connection table

In the first two examples, with or without the | head -50 parameter, the full connection table entries are retrieved. Displaying only the top 50 does not lessen the load on the BIG-IP system: the full connection table must be searched in order to produce the top 50.

1. Quick bash one-liner to get the top 50 client IP addresses from the connection table:

tmsh show sys conn | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -50

2. Leave off the head -50 to get all the client IPs sorted by connection count:

tmsh show sys conn | awk -F: '{print $1}' | sort | uniq -c | sort -nr

3. Get the top 50 clients by connection count to a specific virtual server:

tmsh show sys conn cs-server-addr 10.102.114.60 cs-server-port 53 | grep '^[0-9]' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -50

Chapter Resources

Solutions:
SOL13418 - Archiving UCS files using the logrotate and crontab utilities (11.x)
SOL13132 - Backing up and restoring BIG-IP configuration files (11.x)
SOL10245 - BIG-IP UCS installation and licensing behavior
SOL13551 - Configuring a replacement BIG-IP device after an RMA when no UCS archive is available
SOL13294 - Installing a UCS configuration archive now restores the full configuration
SOL9420 - Installing a UCS file containing an encrypted passphrase
SOL13408 - Overview of single configuration files (11.x)
SOL14906 - Overview of the UCS no-platform-check tmsh option
SOL4423 - Overview of UCS archives
SOL14083 - Preventing synchronization when installing a UCS archive on a BIG-IP GTM system
SOL8087 - Replacing a BIG-IP system in a redundant pair without interrupting service
SOL13127 - Restoring the BIG-IP configuration to factory default settings (11.x)
SOL7369 - Shutting down and restarting the BIG-IP system
SOL15246 - The TMM process may restart when the 'tmsh show sys connection' command is interrupted
SOL14564 - The tmsh save/load /sys config command now saves/loads configuration in all administrative partitions
SOL4422 - Viewing and modifying the files that are configured for inclusion in a UCS archive

Manuals:
BIG-IP TMOS: Concepts - chapter "Archives"
BIG-IP TMOS: Implementations - chapter "Working with Single Configuration Files"

Lab 4.1 - Configuring BIG-IP using tmsh

Lab Objectives
• Configure pools and virtual servers using tmsh and observe the changes that occur in the stored configuration files as the result of these changes.
• Estimated time for completion: 30 minutes

Lab Requirements
• Command-line access to BIG-IP
• Services to load balance, including SSH

Configure a Pool using tmsh

In this lab, wherever you see notation such as <Tab>, please interpret that as meaning you should press the keyboard key specified rather than type the letters. For example, <Tab> means "press the Tab key." When an instruction indicates that you should "run" a particular command, press <Enter> after typing in the command.

Access the Traffic Management Shell (tmsh)

1. Access the command-line interface to BIG-IP and log in as the root user.
2. At the bash prompt, enter the Traffic Management Shell by typing: tmsh
3. Navigate to the ltm module using command completion by typing: lt<Tab>
   Your command prompt should now read something like this:
   root@(bigipX)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)#

Create a pool using tmsh

In the next group of lab steps, you will create a new pool - ssh_pool - using the information in the table below. During the creation process, you should practice using tmsh's auto-completion functions when you can. If you're already comfortable using tmsh, feel free to create the pool and move to the next step.

Object Name   Load Balancing Mode   Node IPs       Port
ssh_pool      Round Robin           172.16.20.1    22
                                    172.16.20.2    22
                                    172.16.20.3    22

4. Type cr<Tab> and the word create should auto-complete.
5. Type p<Tab> and options for modules and components that begin with the letter "p" should be displayed - for example, persistence, profile, and pool. Since there is more than one option, tmsh cannot auto-complete the command and awaits additional input.
6. Type po<Tab> and the word pool should auto-complete.
7. Type ? to show a list of available options for completing the command.
8. Type ssh_pool for the pool name, followed by a space.
9. Type lo<Tab> and the load-balancing-mode option should auto-complete.
10. Type ro<Tab> and the round-robin option should auto-complete.
11. Continue using auto-complete until you have created the full tmsh command below, then press <Enter> to run the command:
    (tmos.ltm)# create pool ssh_pool { load-balancing-mode round-robin members add { 172.16.20.1:22 172.16.20.2:22 172.16.20.3:22 } }
12. Verify the pool was successfully created by viewing its configuration. You should see three members:
    (tmos.ltm)# list pool ssh_pool

Save the running configuration to the stored configuration

13. Save the current running configuration to the stored configuration by running:
    (tmos.ltm)# save /sys config
    Note the "/" is required in front of "sys" as you are currently in the "ltm" module and the "save config" command is part of the "sys" module. Notice also that your prompt still reads (tmos.ltm)#, indicating you are in the LTM module within the TM shell.

View pools in the running configuration

14. View all pools in the running configuration by running: list pool
15. Are all of the pools displayed, including ssh_pool?

View the stored configuration in bigip.conf

16. Exit tmsh by running: quit
17. View the stored configuration in bigip.conf by running: more /config/bigip.conf
    Use the space bar to page down or the <Enter> key to scroll down through the display.
18. Is pool ssh_pool in the stored configuration? Why or why not?
19. End the "more" display by typing: q

Create a virtual server using tmsh

20. Create the virtual server defined in the table below using the tmsh command shown immediately below the table as the basis. (Hint: Navigate to the correct shell and module first before running the command exactly as shown, or add the appropriate syntax to the command to run it from wherever you are currently located.)
Object Name   IP Address    Port   Profile   Resource
vs_ssh        10.10.X.100   22     tcp       ssh_pool

(tmos.ltm)# create virtual vs_ssh destination 10.10.X.100:22 profiles add { tcp } pool ssh_pool

21. List the virtual server's properties: tmsh list /ltm virtual vs_ssh all-properties
22. Navigate to the bash shell (if not already there) and view the stored configuration again: more /config/bigip.conf
23. Is vs_ssh listed? Why or why not?

Test your configuration changes

24. Open a new SSH session to virtual server vs_ssh (at the appropriate IP address:port). Were you able to connect? Log in with userid student and password student.
25. Which pool member did you load balance to? Hint: Check node statistics by running the command: tmsh show /ltm node 172.16.20.*
    The asterisk is a wildcard that indicates any value in the last octet. You can reset each node's statistics by running the command: tmsh reset-stats /ltm node 172.16.20.*

View connection table entries

26. Back on your SSH session to the BIG-IP system, view the connection table and filter to show only connections to your vs_ssh virtual server:
    tmsh show /sys connection cs-server-addr 10.10.X.100 cs-server-port 22
27. Do you have an open (current) connection to one of the pool members? Which one?
28. Open a second SSH session to vs_ssh, and view the connection table entries again.

View configuration files

29. Close the SSH session windows to vs_ssh. Back on the SSH session to BIG-IP, save the running configuration to the stored configuration.
30. View the stored BIG-IP configuration bigip.conf again to verify that vs_ssh is now part of the stored configuration.
31. You've looked at bigip.conf. Now go look at /config/bigip_base.conf. What types of configuration objects are stored there?

Create UCS and SCF backups of your configuration using tmsh

32. Make a UCS archive of your current configuration by running the following:
    (tmos)# save /sys ucs trainX_mod4.ucs
33. What directory did the BIG-IP system save the UCS archive in by default?
34. Make an SCF archive of your current configuration by running the following:
    (tmos)# save /sys config file trainX_mod4.scf
35. What directory did the BIG-IP system save the file in by default?
36. View your current local traffic objects:
    (tmos)# list /ltm pool
    (tmos)# list /ltm virtual
    (tmos)# list /ltm node
    Note that you can see all the virtual servers, pools, pool members, and nodes you've created so far in class.

View tmsh command history

37. View your tmsh command history so far:
    (tmos)# show /cli history
    or
    (tmos)# !
38. Note the number associated with the list /ltm pool command you executed earlier and re-execute it. For example:
    (tmos)# !35
    where "35" is the number associated with the command.

Restore from a previous UCS archive

39. Restore the UCS archive from the very first lab in this course by running:
    (tmos)# load /sys ucs trainX_base.ucs
40. All of the local traffic objects created after Lab 1 should now be gone (virtual servers, pools, etc.). Look at the stored configuration in bigip.conf, and then the running configuration via the Configuration utility (GUI) or the same tmsh commands you ran earlier (e.g. tmsh list /ltm pool).
41. Restore the configuration as it existed before the UCS restore, and view local traffic objects again. Everything should be back to normal.
    (tmos)# load /sys ucs trainX_mod4.ucs

View SCF contents

42. View the single configuration file (SCF) you created earlier with cat, tail, more, less, and other Linux bash tools. For example:
    cat /var/local/scf/trainX_mod4.scf | less

View the automatic rotating BIG-IP system archives

43. Change to the default UCS archive directory and list its contents:
    cd /var/local/ucs
    ls -l
44. Notice that there are additional UCS archives in this directory, above and beyond those that you have explicitly created to date. You should see trainX_base.ucs (which you created in the first lab) and trainX_mod4.ucs (which you created just a few moments ago). Notice also that there are several UCS files called cs_backup.ucs, cs_backup.ucs.1, etc. When you issued the load /sys ucs command in an earlier step to restore the configuration from trainX_base.ucs, the BIG-IP system first archived the existing running configuration as one of the cs_backup.ucs archives you see in the /var/local/ucs directory. The date and time on the actual cs_backup archive will be slightly after you created the trainX_mod4.ucs file in step 30, just before you did the restore.
45. View the rotating archive configuration file:
    more cs_backup_rotate.conf
