Wednesday, 22 June 2016

F5 Load Balancing - My first few forays

I'm currently working on a problem where HTTPS load balancing to IBM HTTP Server 8.5.5 is failing intermittently.

To help me help the client's network team debug this, I've been tinkering with an F5 Local Traffic Manager (LTM) running under VMware Fusion on my Mac.

I found a slew of excellent articles on the F5 site including: -


Load balancing got its start in the form of network-based load balancing hardware. It is the essential foundation on which Application Delivery Controllers (ADCs) operate. The second iteration of purpose-built load balancing (following application-based proprietary systems) materialized in the form of network-based appliances. These are the true founding fathers of today's ADCs. Because these devices were application-neutral and resided outside of the application servers themselves, they could load balance using straightforward network techniques. In essence, these devices would present a "virtual server" address to the outside world, and when users attempted to connect, they would forward the connection to the most appropriate real server doing bi-directional network address translation (NAT).


Monitors determine the availability and performance of devices, links, and services on a network. Health monitors check the availability. Performance monitors check the performance and load. If a monitored device, link, or service does not respond within a specified timeout period, or the status indicates that performance is degraded or that the load is excessive, the BIG-IP system can redirect the traffic to another resource.

More importantly, this link: -


was just what I needed to get a developer version of F5 VE installed and working.

I ended up with a working F5 Health Monitor probing my IHS server ( on a different Linux VM ), over SSL.

Two things that made a difference: -

(1) Getting the RIGHT cipher

openssl ciphers -v

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export


Note that this particular version of the F5 software does NOT support my preferred ECDHE/RSA/GCM ciphers :-( Note also what the list does include: SSLv2, export-grade, single-DES and RC4 suites. The monitor's cipherlist (DEFAULT:+SHA:+3DES:+kEDH, as shown below) will negotiate any of these if the server offers them, so the effective control is the SSLCipherSpec on the IHS side, not the monitor.

On my VM, I am running: -

BIG-IP 11.3.0 Build 39.0 VE Trial 11.3.0-HF1 (based on BIGIP 11.3.0HF6)
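To make the cipher list above easier to reason about, here is an added example (not code from the original post, from F5 or from IBM) that parses `openssl ciphers -v` output and flags, suite by suite, why a monitor or server cipher list should exclude it. The SAMPLE is a constructed subset of the lines printed above; the classification rules are the editor's, not OpenSSL's.

```python
"""Parse and audit the output of `openssl ciphers -v`.

Added example, not code from the original post or from F5: it reads the
cipher table the BIG-IP's host OpenSSL printed and reports, suite by suite,
why a monitor (or any client) should not be allowed to negotiate it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the `openssl ciphers -v` lines shown above.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# One row of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=, Mac=, optional "export".
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str
    export: bool
    problems: list = field(default_factory=list)

    @property
    def forward_secret(self) -> bool:
        # Ephemeral (EC)DH key exchange; export DH(512) does not count.
        return self.kx.startswith(("DH", "ECDH")) and not self.export


def weaknesses(s: Suite) -> list:
    """Reasons a suite should be excluded from a monitor or server cipher list."""
    reasons = []
    if s.export:
        reasons.append("export-grade (40-bit cipher / 512-bit key exchange)")
    if s.proto == "SSLv2":
        reasons.append("SSLv2-only suite")
    if s.enc.startswith(("DES(", "RC2(")):
        reasons.append("single DES / RC2")
    if s.enc.startswith("RC4("):
        reasons.append("RC4 stream cipher")
    if s.enc.startswith("3DES("):
        reasons.append("3DES (64-bit block)")
    if s.mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def parse_ciphers(text: str) -> list:
    """Turn `openssl ciphers -v` output into Suite objects, in OpenSSL's order."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # tolerate blank lines or a shell prompt pasted in
        s = Suite(m["name"], m["proto"], m["kx"], m["au"], m["enc"], m["mac"],
                  export=m["export"] is not None)
        s.problems = weaknesses(s)
        suites.append(s)
    return suites


def acceptable(text: str) -> list:
    """Names of suites with no listed weakness, in the order OpenSSL prefers them."""
    return [s.name for s in parse_ciphers(text) if not s.problems]


def report(text: str) -> str:
    lines = []
    for s in parse_ciphers(text):
        verdict = "OK" if not s.problems else "AVOID: " + "; ".join(s.problems)
        pfs = "PFS" if s.forward_secret else "no-PFS"
        lines.append(f"{s.name:<24}{s.proto:<6}{pfs:<7}{verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it the full output from the BIG-IP (`openssl ciphers -v | python3 audit.py` with a `sys.stdin.read()` in place of SAMPLE) and the `acceptable` list is what you would want both the monitor's cipherlist and the IHS SSLCipherSpec restricted to; the `forward_secret` flag separates the AES suites that use ephemeral DH from the plain RSA ones.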

(2) Getting the Monitor configuration correct

Specifically, the send string and the receive string are critical: the send string must be a complete, well-formed HTTP request, and the receive string is what the monitor looks for in the response.

tmsh list ltm monitor https

ltm monitor https davehttps {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination *:pcsync-https
    interval 5
    recv 200
    send "GET /index.html HTTP/1.1\\r\\nHost: www.example.com\\r\\nConnection: Close\\r\\n\\r\\n"
    time-until-up 0
    timeout 16
}


I worked out the send string by hand with openssl s_client, run from the BIG-IP itself: -

openssl s_client -connect 192.168.153.200:8443

and pasted this string: -

GET /index.html HTTP/1.1
Host: www.example.com
Connection: Close


into the terminal, and pressed [Enter].

This returned, in part: -

...
HTTP/1.1 200 OK
Date: Wed, 22 Jun 2016 05:26:41 GMT
Last-Modified: Tue, 06 Jan 2015 17:02:04 GMT
ETag: "da5-50bfec4265b00"
Accept-Ranges: bytes
Content-Length: 3493


which confirms the recv string of 200 ( HTTP 200 OK ). One caveat: the recv string is treated as a regular expression and matched anywhere in the response, so a bare 200 would also match, say, a Content-Length: 200 header on an error page. Matching the status line, e.g. HTTP/1\.1 200, is safer.

Now my IHS server is showing regular GET requests from the F5 Monitor: -

192.168.153.1 - - [22/Jun/2016:06:26:54 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:26:59 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:04 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:09 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:14 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:19 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:24 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:29 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:34 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:39 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:44 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:49 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:54 +0100] "GET /index.html HTTP/1.1" 200 3493

...

in the access.log.
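The monitor configuration and the manual s_client check above amount to one procedure: connect over TLS, send the request, and look for the receive string in whatever comes back. Here is an added example (not F5's or IBM's code) that re-implements that probe stand-alone in Python so you can run it from any host that can reach the IHS box, and that shows on two constructed replies why the bare `200` recv string is too loose. The host and port default to the ones used above; the probe skips certificate verification by default, which is an assumption made for a lab with self-signed certificates.

```python
"""Stand-alone re-implementation of what the davehttps monitor does.

Added example, not F5's or IBM's code: it sends the monitor's send string
over TLS, reads the reply until the server closes the connection (which
`Connection: Close` asks for) or the timeout fires, and applies the recv
string the way BIG-IP does, as a regular expression searched for anywhere
in the reply.
"""
import re
import socket
import ssl

# The send string from the monitor config, with real CR/LF bytes.
SEND = (b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Connection: Close\r\n\r\n")

# Constructed replies: a healthy one shaped like the s_client output above,
# and a failing server whose error page happens to be 200 bytes long.
OK_REPLY = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Wed, 22 Jun 2016 05:26:41 GMT\r\n"
            b"Content-Length: 3493\r\n\r\n"
            b"<html>...</html>")
ERR_REPLY = (b"HTTP/1.1 500 Internal Server Error\r\n"
             b"Content-Length: 200\r\n\r\n"
             b"<html>backend down</html>")

LOOSE_RECV = r"200"               # what the monitor config above uses
TIGHT_RECV = r"HTTP/1\.[01] 200"  # the status line only, not any other "200"


def matches_recv(reply: bytes, recv: str) -> bool:
    """True if the recv regex is found anywhere in the reply (BIG-IP semantics)."""
    return re.search(recv.encode("ascii"), reply) is not None


def recommended_timeout(interval: int) -> int:
    """F5's rule of thumb: allow three missed probes plus one second (5 -> 16)."""
    return 3 * interval + 1


def probe(host: str = "192.168.153.200", port: int = 8443, send: bytes = SEND,
          recv: str = TIGHT_RECV, timeout: int = 16,
          cipherlist: str = None, verify_cert: bool = False) -> bool:
    """Connect, send, read to EOF or timeout, and return the monitor verdict."""
    ctx = ssl.create_default_context()
    if cipherlist:
        ctx.set_ciphers(cipherlist)  # e.g. "AES256-SHA" to pin what IHS must offer
    if not verify_cert:
        # Lab assumption: accept the pool member's self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(send)
                while True:
                    data = tls.recv(4096)
                    if not data:  # server honoured Connection: Close
                        break
                    chunks.append(data)
    except OSError:
        # Covers socket.timeout and TLS failures: whatever arrived before the
        # failure is still matched, so a partial reply can pass, an empty one cannot.
        pass
    return matches_recv(b"".join(chunks), recv)


if __name__ == "__main__":
    print("loose recv on error page:", matches_recv(ERR_REPLY, LOOSE_RECV))  # True
    print("tight recv on error page:", matches_recv(ERR_REPLY, TIGHT_RECV))  # False
    print("IHS up:", probe())
```

Running `probe(cipherlist="AES256-SHA")` is a quick way to confirm that IHS will accept a specific suite before you narrow the monitor's cipherlist to it; a TLS handshake failure simply returns False, the same verdict the monitor would give.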

Now I need to configure the F5 "front door" ( the virtual server ) so that I can actually send traffic through the load balancer to the downstream IHS box.

These links were also of use: -





2 comments:

Anonymous said...

Hi, I already installed the WebSphere Portal server feature using IBM Integration Designer,
but I am not able to open the WebSphere Portal editor.

Dave Hay said...

Hi

Thanks for the comment, but not sure what it's got to do with F5 :-)

Also, WebSphere Portal and IBM Integration Designer ? Really ? Are you referring to the Portal Toolkit ? If so, check this link: -

https://www.ibm.com/support/knowledgecenter/SS964W/com.ibm.wbpm.wid.bpel.doc/topics/tportlet.html

This isn't something I've done before, as I've not worked with WebSphere Portal since late 2012.

Cheers, Dave
