F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

AS declaration: Pool member changing from 443 to 80 (no SSL) - Unexpected parameter appears in created http monitor #658

Closed JeromeAngles74 closed 1 month ago

JeromeAngles74 commented 2 years ago

Environment

Summary

We have a problem with the behaviour of an AS3 declaration when we change the pool member port from https to http. The API calls are successful, but when we try to synchronise, the BIG-IP tells us there are some unauthorized parameters in the http monitor. When we have a look at the corresponding bigip.conf, we can see there is a line with CIPHER consideration in the http monitor...

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration to create an application with https pool members:

    {
      "class": "ADC",
      "schemaVersion": "3.40.0",
      "MyApplication01": {
        "class": "Tenant",
        "MyApplication01_vs": {
          "class": "Application",
          "template": "generic",
          "MyApplication01_vs": {
            "virtualAddresses": [
              "1.2.4.101"
            ],
            "virtualPort": 443,
            "redirect80": true,
            "snat": "auto",
            "persistenceMethods": [],
            "class": "Service_HTTPS",
            "serverTLS": {
              "bigip": "/Common/clientssl"
            },
            "clientTLS": {
              "bigip": "/Common/serverssl"
            },
            "pool": "MyApplication01_pool",
            "profileHTTP": {
              "bigip": "/Common/http"
            },
            "profileTCP": {
              "bigip": "/Common/f5-tcp-lan"
            },
            "iRules": []
          },
          "MyApplication01_pool": {
            "class": "Pool",
            "members": [
              {
                "serverAddresses": [
                  "1.2.3.111"
                ],
                "servicePort": 80,
                "connectionLimit": 0,
                "priorityGroup": 0,
                "shareNodes": true
              },
              {
                "serverAddresses": [
                  "1.2.3.112"
                ],
                "servicePort": 80,
                "connectionLimit": 0,
                "priorityGroup": 0,
                "shareNodes": true
              }
            ],
            "loadBalancingMode": "round-robin",
            "slowRampTime": 300,
            "monitors": [
              { "use": "MyApplication01_http_monitor" }
            ]
          },
          "MyApplication01_http_monitor": {
            "class": "Monitor",
            "monitorType": "http",
            "interval": 5,
            "timeout": 16,
            "send": "GET / HTTP/1.1\r\nHost: MyApplication01.MyDomain.ch\r\nConnection: Close\r\n\r\n",
            "receive": "HTTP/1.1 200"
          }
        }
      }
    }
  2. Submit the exact same declaration with the modification in the pool member (https -> http) and the change in the monitor also:

    {
      "class": "ADC",
      "schemaVersion": "3.39.0",
      "MyApplication01": {
        "class": "Tenant",
        "MyApplication01_vs": {
          "class": "Application",
          "template": "generic",
          "MyApplication01_vs": {
            "virtualAddresses": [
              "1.2.4.101"
            ],
            "virtualPort": 443,
            "redirect80": true,
            "snat": "auto",
            "persistenceMethods": [],
            "class": "Service_HTTPS",
            "serverTLS": {
              "bigip": "/Common/clientssl"
            },
            "clientTLS": {
              "bigip": "/Common/serverssl"
            },
            "pool": "MyApplication01_pool",
            "profileHTTP": {
              "bigip": "/Common/http"
            },
            "profileTCP": {
              "bigip": "/Common/f5-tcp-lan"
            },
            "iRules": []
          },
          "MyApplication01_pool": {
            "class": "Pool",
            "members": [
              {
                "serverAddresses": [
                  "1.2.3.111"
                ],
                "servicePort": 443,
                "connectionLimit": 0,
                "priorityGroup": 0,
                "shareNodes": true
              },
              {
                "serverAddresses": [
                  "1.2.3.112"
                ],
                "servicePort": 443,
                "connectionLimit": 0,
                "priorityGroup": 0,
                "shareNodes": true
              }
            ],
            "loadBalancingMode": "round-robin",
            "slowRampTime": 300,
            "monitors": [
              { "use": "MyApplication01_http_monitor" }
            ]
          },
          "MyApplication01_http_monitor": {
            "class": "Monitor",
            "monitorType": "https",
            "interval": 5,
            "timeout": 16,
            "send": "GET / HTTP/1.1\r\nHost: MyApplication01.MyDomain.ch\r\nConnection: Close\r\n\r\n",
            "receive": "HTTP/1.1 200"
          }
        }
      }
    }

  3. Synchronise the BIG-IP cluster: an error is raised:

    Sync error on <...> : Load failed from /Common/<...> 01070033:3: Monitor /MyApplication01/MyApplication01_vs/MyApplication01_http_monitor contains an argument that is not allowed.

    Recommended action: Review the error message and determine corrective action on the device


### Expected Behavior

Everything works fine, the configuration is correct and there is no problem synchronizing the cluster.

### Actual Behavior

There is an unauthorized parameter appearing in the monitor in the "bigip.conf" file.
The synchronization on our BIG-IP cluster is not possible; it shows an error indicating there is a wrong parameter in the monitor.

    ltm monitor http /MyApplication01/MyApplication01_vs/MyApplication01_http_monitor {
        adaptive disabled
        adaptive-limit 1000
        adaptive-sampling-timespan 180
        defaults-from /Common/http
        destination *:*
        interval 5
        ip-dscp 0
        recv "HTTP/1.1 200"
        recv-disable none
        send "GET / HTTP/1.1\r\nHost: MyApplication01.MyDomain.ch\r\nConnection: Close\r\n\r\n"
        time-until-up 0
        timeout 16
        user-defined CIPHERLIST DEFAULT    <-- Unwanted parameter
    }


### Workaround

1. Delete the application with the DELETE method
2. Create the application again
3. The synchronization works perfectly

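The trigger in this report is a Monitor whose `monitorType` changes (http to https, or back) while a Pool still references it. The following pre-deploy check, an added example that is not part of AS3 or this issue, diffs two declarations and flags exactly that situation so an operator can apply the delete-and-recreate workaround instead of a plain re-POST. It assumes the ADC/Tenant/Application/Pool/Monitor layout shown in the declarations above; `sample_declaration` is a constructed, minimal copy of the reporter's declaration.

```python
def _apps(decl):
    """Yield (tenant, app_name, app) for every Application in an ADC declaration."""
    for tname, tenant in decl.items():
        if isinstance(tenant, dict) and tenant.get("class") == "Tenant":
            for aname, app in tenant.items():
                if isinstance(app, dict) and app.get("class") == "Application":
                    yield tname, aname, app

def monitor_types(decl):
    """Map '/tenant/app/name' -> monitorType for every Monitor object."""
    return {f"/{t}/{a}/{n}": item.get("monitorType")
            for t, a, app in _apps(decl) for n, item in app.items()
            if isinstance(item, dict) and item.get("class") == "Monitor"}

def pool_monitor_refs(decl):
    """Monitors referenced via {"use": ...} by a Pool or by one of its members."""
    refs = set()
    for t, a, app in _apps(decl):
        for item in app.values():
            if not (isinstance(item, dict) and item.get("class") == "Pool"):
                continue
            holders = [item] + item.get("members", [])  # pool-level and member-level
            for holder in holders:
                for m in holder.get("monitors", []):
                    if isinstance(m, dict) and "use" in m:
                        ref = m["use"]  # short names are relative to the application
                        refs.add(ref if ref.startswith("/") else f"/{t}/{a}/{ref}")
    return refs

def risky_monitor_changes(old, new):
    """Monitors whose type changes between two declarations while the new
    declaration still attaches them to a pool: the condition this issue
    describes, for which the reporter's workaround is delete-then-recreate."""
    before, after = monitor_types(old), monitor_types(new)
    used = pool_monitor_refs(new)
    return sorted((p, before[p], after[p]) for p in before.keys() & after.keys()
                  if before[p] != after[p] and p in used)

def sample_declaration(monitor_type):
    """Constructed minimal declaration shaped like the one in this issue."""
    return {"class": "ADC", "schemaVersion": "3.40.0",
            "MyApplication01": {"class": "Tenant",
                "MyApplication01_vs": {"class": "Application", "template": "generic",
                    "MyApplication01_pool": {"class": "Pool",
                        "monitors": [{"use": "MyApplication01_http_monitor"}]},
                    "MyApplication01_http_monitor": {"class": "Monitor",
                        "monitorType": monitor_type}}}}
```

Running `risky_monitor_changes(sample_declaration("http"), sample_declaration("https"))` reports the monitor in the sample with its old and new type; an empty list means the update is safe to POST as-is.
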
sunitharonan commented 2 years ago

Thank you @JeromeAngles74. I have added this issue to our internal product backlog as AUTOTOOL-3510. In order to prioritize and understand the issue better, please reach out to us at automation_toolchain_pm@f5.com

m-kratochvil commented 1 year ago

We have the same issue in our environment, with user-defined configuration lines appearing in various monitor objects, causing the config sync, and the config load, to fail. So far we've seen it with monitors of type TCP, HTTP and HTTPS.

AS3 version: 3.36.1
BIG-IP version: 15.1.3

Here is how we can reproduce it:

  1. Create an HTTPS type monitor assigned to a pool
  2. Create another HTTPS type monitor and assign it to a pool member directly
  3. Delete the pool based health monitor (because you want to change its type)
  4. Create a new, this time HTTP type, monitor and assign it to the pool

The new, pool based, HTTP type health monitor has the correct configuration, but the pool-member specific one ends up with the user-defined config lines.

This is not reproducible via tmsh commands, only via an AS3 declaration.

The related tmsh outputs:

  1. The original pool based monitor:

    ltm monitor https /net_370b0255_eb12_41c4_bd39_587fa7012219/<example-pool-based> {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    cipherlist DEFAULT
    defaults-from https
    destination *:*
    interval 5
    ip-dscp 0
    partition net_370b0255_eb12_41c4_bd39_587fa7012219
    recv "HTTP/1.(0|1) 200"
    recv-disable none
    send "GET / HTTP/1.0\r\n\r\n"
    ssl-profile /Common/cc_serverssl_profile
    time-until-up 0
    timeout 16
    }
  2. Original pool-member based monitor:

    ltm monitor https /net_370b0255_eb12_41c4_bd39_587fa7012219/<example-poolmember-based> {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    cipherlist DEFAULT
    defaults-from https
    destination 10.180.88.186%2011:irdmi
    interval 5
    ip-dscp 0
    partition net_370b0255_eb12_41c4_bd39_587fa7012219
    recv "HTTP/1.(0|1) 200"
    recv-disable none
    send "GET / HTTP/1.0\r\n\r\n"
    ssl-profile /Common/cc_serverssl_profile
    time-until-up 0
    timeout 16
    }
  3. The newly created pool based monitor:

    ltm monitor http /net_370b0255_eb12_41c4_bd39_587fa7012219/<example-pool-based> {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    defaults-from http
    destination *:*
    interval 5
    ip-dscp 0
    partition net_370b0255_eb12_41c4_bd39_587fa7012219
    recv "HTTP/1.(0|1) 200"
    recv-disable none
    send "GET / HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 16
    }
  4. The (automatically) updated poolmember-based monitor - see the last two lines:

    ltm monitor http /net_370b0255_eb12_41c4_bd39_587fa7012219/<example-poolmember-based> {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    defaults-from http
    destination 10.180.88.186%2011:irdmi
    interval 5
    ip-dscp 0
    partition net_370b0255_eb12_41c4_bd39_587fa7012219
    recv "HTTP/1.(0|1) 200"
    recv-disable none
    send "GET / HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 16
    user-defined CIPHERLIST DEFAULT
    user-defined SSL_PROFILE_NAME /Common/cc_serverssl_profile
    }
sunitharonan commented 7 months ago

We have created an internal product backlog item for this; in order for us to prioritize, please reach out to us at automation_toolchain_pm@f5.com

mdditt2000 commented 1 month ago

Here are my observations regarding the issue:

When a monitor associated with a pool is modified from HTTPS to HTTP in a transaction, MCPD auto adds the 'user-defined' parameter to the monitor. However, if the monitor is not associated with any pool and is modified in the same way, MCPD does not add this parameter.

The 'user-defined' property is intended only for monitors of type 'external' (as detailed in the documentation here).

Based on these observations, there doesn't seem to be an issue with the commands generated by AS3, but the way MCPD handles the transaction is inconsistent depending on the monitor's association with a pool.

I suggest forwarding this issue to the MCPD team for further analysis. Please open an SR and request a BUG be opened under MCPD. Thanks!
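The tmsh listings posted earlier in this thread and the observation above (`user-defined` is valid only on monitors of type `external`) together give a simple preflight check: scan a candidate bigip.conf for monitor stanzas that carry `user-defined` lines despite not being external, before a config sync trips the 01070033 load error. This is an added example, not F5 or AS3 code; it assumes stanzas are written the way bigip.conf and `tmsh list` write them (closing brace at column 0), and `SAMPLE_CONFIG` is a constructed sample modelled on the outputs above with shortened paths.

```python
import re

# One 'ltm monitor <type> <path> { ... }' stanza as bigip.conf / tmsh list write it
# (attributes one per line, closing brace at column 0).
STANZA = re.compile(r"^ltm monitor (\S+) (\S+) \{\n(.*?)^\}", re.M | re.S)

def parse_monitors(config_text):
    """Return [(monitor_type, path, [attribute lines])] for each monitor stanza."""
    return [(mtype, path, [ln.strip() for ln in body.splitlines() if ln.strip()])
            for mtype, path, body in STANZA.findall(config_text)]

def stray_user_defined(config_text):
    """Monitors carrying 'user-defined' attributes although their type is not
    'external', the only monitor type for which that attribute is valid.
    MCPD rejects such a monitor at load time with 01070033
    'contains an argument that is not allowed', which is what breaks the sync."""
    findings = []
    for mtype, path, lines in parse_monitors(config_text):
        if mtype == "external":
            continue
        bad = [ln for ln in lines if ln.startswith("user-defined ")]
        if bad:
            findings.append((mtype, path, bad))
    return findings

# Constructed sample modelled on the tmsh output posted above (paths shortened).
SAMPLE_CONFIG = """\
ltm monitor http /T/A/pool_based {
    defaults-from http
    destination *:*
    interval 5
}
ltm monitor http /T/A/member_based {
    defaults-from http
    destination 10.180.88.186%2011:irdmi
    user-defined CIPHERLIST DEFAULT
    user-defined SSL_PROFILE_NAME /Common/cc_serverssl_profile
}
ltm monitor external /T/A/custom_script {
    run /Common/check.sh
    user-defined TIMEOUT 5
}
"""

if __name__ == "__main__":
    for mtype, path, bad in stray_user_defined(SAMPLE_CONFIG):
        print(f"{path} ({mtype}): {len(bad)} stray attribute(s): {bad}")
```

Only the pool-member monitor is reported; the external monitor keeps its `user-defined` lines because they are legitimate there.
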

mdditt2000 commented 1 month ago

Bugzilla 1621497. MCP team picked it up.

m-kratochvil commented 1 month ago

Awesome, thanks for following up on this old issue. I'll continue with the MCPD team.