Monday, 18 November 2019

F5 Big-IP Troubleshooting commands


TCP Dump



 #tcpdump -nni 0.0 host 10.1.64.138 or host 10.1.1.1 -i 0.0

-n - disable name resolution

>file.txt - save to  a text file

src host <ip_address> / dst host <ip_address> /src port /dst port/

tcpdump src host 172.16.101.20 and dst host 10.90.100.1

-vvv - maximum verbosity
-i <if_number or vlan>
-c (count) number of packets to capture

Additional filters:
 host
 src10.2.2.2
 dst  10.1.11
net 10.0.0.0/8
tcp/udp/icmp
port 



-s 2000 - the amaount to capture, -s0 - capture the whole packet

 #tcpdump -nni 0.0 -s0 host 10.1.64.138 or host 10.1.1.1 -w /var/tmp/capture1.pcap







Example

sudo tcpdump -c 10 -s 1500 src 10.113.88.2 and dst  10.113.88.6 and port 514 and udp
SSL Dump



To save capture to file:



tcpdump -vvv -s 0 -nni asmltm-outside-cd03 -w /var/tmp/ssl-capture.pcap



To read captured file:



ssldump -A -d -k <key file> -n -i <capture VLAN> <traffic expression>

-A      Print all fields
-d      Show application data when private key is provided via -k
-k      Private key file, found in /config/ssl/ssl.key/; the key file can be located under client SSL profile
-n      Do not try to resolve PTR records for IP addresses
-i      The capture VLAN name is the ingres VLAN for the TLS traffic



Device certificate file localtion:
/config/httpd/conf/ssl.crt/server.crt

Device key file location:
/config/httpd/conf/ssl.key/server.key

Analytics capture filter



Ping


ping 10.1.97.74%2 -I 10.1.68.129

-c - count

-I - source interface or address


Tracepath - allows you to specify a port:
tracepath -nc 10.1.1.1/443

To start shell:

run /util bash

exit


Useful tmsh troubleshooting commands

Note: show live information about a configuraiton object, while list displays the configuration for that object

To show current sessions over the device. Options are (cc-
#show sys connection {options}


#list /net self
#list /net route 


Unix Test access to servers/VIP from a host:

 HTTP:
 curl -v http://10.1.1.1:343


HTTPS:
 wget --no-check-certificate https://10.1.1.1:343
 curl -v https://10.1.1.1:343

Any TCP:
telnet 10.1.1.1 343

UDP:
iperf 10.1.1.1 -p53 -u
(-p - port, -t tcp, -u udp) 
Example: 
 iperf -c 192.168.66.1 -u -b 100m -t 30

To test your VPN SSL settings:

https://www.ssllabs.com/ssltest/  

No comments:

Post a Comment

iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...