Closed saingle355 closed 4 years ago
Which ARM was used? There are 3 templates at that directory; PAYG, BIGIQ, BYOL.
Also, it looks like the subnets were changed and there is a conflict with the subnetting.
These are not Single NIC images, so the management IP cannot reside on the same subnet as the Self-IPs.
```
01070392:3: Self IP 172.24.192.68 / 255.255.255.0: This IP shares a network with the management IP (172.24.192.4 / 255.255.255.192).
0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (172.24.192.132);
```
So everything fails after that.
I used the BYOL 3 tier. Here is the link to the ARM template: https://github.com/f5devcentral/f5-azure-saca/tree/master/SACAv2/3NIC_3Tier_HA. Here are the subnet parameters:

```json
"NorthboundLoadBalancerType": { "value": "Public-alb" },
"MgmtAddressSubnet": { "value": "172.22.192.0/26" },
"MgmtAddressStartIP": { "value": "172.22.192.4" },
"NorthUntrustedAddressSubnet": { "value": "172.22.192.64/26" },
"NorthUntrustedAddressStartIP": { "value": "172.22.192.68" },
"NorthUntrustedLBPrivateAddress": { "value": "172.22.192.94" },
"NorthTrustedAddressSubnet": { "value": "172.22.192.128/26" },
"NorthTrustedAddressStartIP": { "value": "172.22.192.132" },
"IPSUntrustedAddressSubnet": { "value": "172.22.193.128/26" },
"IPSUntrustedAddressStartIP": { "value": "172.22.193.132" },
"IPSUntrustedLBPrivateAddress": { "value": "172.22.193.162" },
"IPSTrustedAddressSubnet": { "value": "172.22.194.0/26" },
"IPSTrustedAddressStartIP": { "value": "172.22.194.4" },
"SouthUntrustedAddressSubnet": { "value": "172.22.193.0/26" },
"SouthUntrustedAddressStartIP": { "value": "172.22.193.4" },
"SouthUntrustedLBPrivateAddress": { "value": "172.22.193.30" },
"SouthTrustedAddressSubnet": { "value": "172.22.193.64/26" },
"SouthTrustedAddressStartIP": { "value": "172.22.193.68" },
"vnetName": { "value": "vdss-f5-3tier-vnet" }
```
From: Michael notifications@github.com Sent: Tuesday, March 10, 2020 2:16 PM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Author author@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
It looks like you are changing the management address / subnet. This is purposely not exposed as a parameter in the ARM, and is set via variable.
If the Management Subnet is changed, all of the (original) accompanying AS3 will fail as well.
If you are customizing the management subnet, you will need to ensure that it's different than any other networks.
It will also cause issues if North Untrusted is the same as North Trusted, South Trusted / Untrusted and so on. These templates are designed around network segregation requirements.
Recommend deploying with the default network settings at least once to get a feel for the setup.
Hi Michael and f5 team – I deployed the ARM template with the default network settings as per your recommendation. It looks like it did complete the “Network setup” this time. I’m attaching the VM extension logs for each f5 VM. (Note: This is based on the byol ARM template as of last week. I tried to get the latest ARM template from yesterday but I ran into some issues.) Can you please review and let us know if the onboarding of the BigIPs has completed successfully?
We also reviewed the ARM template in detail yesterday. All subnet code blocks in ARM template require classful addressing of /24 or /16. Below is an example. Is this a reasonable requirement?
```json
"NorthUntrustedAddressSubnet": {
    "defaultValue": "192.168.2.0/24",
    "metadata": {
        "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
    },
    "type": "string"
},
```
For our project, we have been given the following IP addressing from our Enterprise Architect lead:
```
management_subnet = "172.24.192.0/26"
external_subnet = "172.24.192.64/26"
external2_subnet = "172.24.192.128/26"
ips_external_subnet = "172.24.193.128/26"
ips_internal_subnet = "172.24.194.0/26"
internal_subnet = "172.24.193.0/26"
internal2_subnet = "172.24.193.64/26"
```
Will this work? If this works, what changes need to be made in the ARM template/tmos shell script for the “Network setup” to be completed successfully?
If this does not work, we would need justification to change the IP addressing to /24. Can you send us that justification?
Thanks,
Sanjay Ingle
Cloud Solution Architect (Microsoft Azure)
Accenture Federal Services
Mobile: 612 812 4380
Office: 571 414 2606
Email: sanjay.ingle@accenturefederal.com
Security First: Know. Choose. Champion
/26 should work fine, as long as the Management is on a separate subnet than all other interfaces. The default templates will all fail AS3 deployment unless those are modified as well.
The templates from last week are significantly different than the current iteration. 2.5 vs 2.6.1. There are significant changes in the templates.
Recommend rebasing from 2.6.1 for any modifications.
It should also be noted that any templates under F5DevCentral repos are community supported, not F5 supported. You can get some assistance from your account team for slight modifications, but extensive changes may require consulting services.
Assuming that 2.6.1 is solid and working? Thanks for confirming that /26 will work fine.
We do have Management in a separate subnet 172.24.192.0/26.
I do understand the changes that need to be made in the ARM template to accommodate /26. For example, below, changing the PrivateAddressPrefix offset. Change highlighted in bold:

```json
"mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
"mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 6))]",
"mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 7))]",
"mgmtSubnetPrivateAddress4": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 30))]",
"mgmtSubnetPrivateAddress5": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 31))]",
"mgmtSubnetPrivateAddress6": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 40))]",
"mgmtSubnetPrivateAddress7": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 41))]",
```
I’m not familiar with AS3 deployment. Where else should I be making changes to accommodate /26? Here are the findings from one of our developers:
Your ARM param clearly has the management stuff established as /26 from your parameters.json:

```json
"mgmtAddressSubnet": { "value": "172.24.192.0/26" },
```

There is a part of the commands that the VM extension calls where it is running this "network.js" script and specifies self-ip parameters.

It supplies the address to it using a variable that only provides a specific IP address but NOT with its subnet.

```
/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info;
```

I think running that script with an IP address like "172.24.192.68" forces it to ASSUME the subnet when it prefers to have it specified. I think it ASSUMES "/24" in this case.

If we were supplying that IP address with its subnet in CIDR form or with subnet, it might get it correctly, like 172.24.192.68/26.
Thanks,
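The check discussed in the comments above (management kept off every data-plane network, and the observation that a self IP passed without a prefix ends up with the /24 mask seen in the 01070392 error), as an added Python example that is not code from this repository or from f5-cloud-libs. `overlapping_pairs`, `audit_self_ips` and the `fallback_prefix` parameter are hypothetical names; the subnets, self-IP names and addresses are taken from the thread, and the /24 fallback is an assumption that mirrors the mask shown in the error message.

```python
import ipaddress

# Addressing plan and addresses copied from the thread (sample input for this example).
PLAN = {
    "management_subnet": "172.24.192.0/26",
    "external_subnet": "172.24.192.64/26",
    "external2_subnet": "172.24.192.128/26",
    "ips_external_subnet": "172.24.193.128/26",
    "ips_internal_subnet": "172.24.194.0/26",
    "internal_subnet": "172.24.193.0/26",
    "internal2_subnet": "172.24.193.64/26",
}
BARE_SELF_IPS = {"self_2nic": "172.24.192.68", "self_3nic": "172.24.192.132"}
CIDR_SELF_IPS = {"self_2nic": "172.24.192.68/26", "self_3nic": "172.24.192.132/26"}


def overlapping_pairs(plan):
    """Return every pair of subnet names whose CIDR blocks share addresses."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def audit_self_ips(plan, mgmt_key, self_ips, fallback_prefix=24):
    """Check each self IP against the plan.

    A self IP written without '/prefix' is given fallback_prefix
    (assumption: /24, the mask shown in the error message).
    Returns a list of (self_ip_name, finding) tuples.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    mgmt = nets[mgmt_key]
    findings = []
    for name, addr in self_ips.items():
        text = addr if "/" in addr else f"{addr}/{fallback_prefix}"
        iface = ipaddress.ip_interface(text)
        # The planned subnet this address was meant to live in.
        home = next((n for n, net in nets.items() if iface.ip in net), None)
        if home is None:
            findings.append((name, "not-in-plan"))
            continue
        # Effective network of the self IP reaches into the management range.
        if iface.network.overlaps(mgmt):
            findings.append((name, "shares-network-with-management"))
        # Effective mask differs from the mask of the planned subnet.
        if iface.network != nets[home]:
            findings.append((name, "mask-mismatch"))
    return findings


if __name__ == "__main__":
    print("plan overlaps:", overlapping_pairs(PLAN))
    print("bare addresses:", audit_self_ips(PLAN, "management_subnet", BARE_SELF_IPS))
    print("CIDR addresses:", audit_self_ips(PLAN, "management_subnet", CIDR_SELF_IPS))
```

The /26 plan itself has no overlapping subnets; the findings appear only when the self IPs are evaluated with the wider fallback mask.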
The F5 Cloud Libs are Maintained by @F5Networks and are supported. It may work, but I cannot confirm since I didn't write those modules.
At the minimum I would recommend opening an issue there to see if that capability exists today, and if not to request an enhancement.
Current Source for network.js
What is the difference between byol and payg in 2.6.1? We do have licenses but it is a pain to have to release the licenses every time before you re-deploy. Is it ok to use payg until we have our solution solidified and then apply the licenses?
Thanks,
Hello Sanjay, If you are going to use payg licensing then you will have to export the bigip config to a new byol image when you are ready. You cannot just apply the licenses. You are probably better off just releasing the license and re-applying.
You CANNOT convert the licenses between PAYG and BYOL. You CAN export configurations between the two however.
You will not have many of the Add-On options from BYOL in PAYG Images if you are utilizing any of those.
Is there a more efficient way to release licenses? Currently, I have to log in to each f5 vm and click on the License -> revoke button. Many times I have to call support to release the licenses as the revoke does not work consistently.
BIG-IQ and/or Ansible has a module. You may be able to reverse engineer from Ansible. That's a strong hint, nothing I would post on the internet...
I’m looking at deploying 2.6.1 as baseline. I see some additional parameters in the ARM template.
```json
"Tier3DeclarationUrl": {
    "defaultValue": "NOT_SPECIFIED",
    "metadata": {
        "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/) declaration JSON file to be deployed. Leave as NOT_SPECIFIED to deploy without a service configuration."
    },
    "type": "string"
},
```
Is this where you specify your AS3 script, for example as3\byolsccaBaseline.json?
Yes, if you wanted to deploy an additional AS3 declaration on the bottom tier F5's this is where you would paste in the URL.
I deployed the 2.6.1 version byol ARM template with the default network setting. I’m getting the following error (see below) in the BigIp1 and BigIp3. Any thoughts?
```
Enable succeeded:
[stdout]
tarting.
2020-03-13T03:10:14.145Z info: Initializing BIG-IP.
2020-03-13T03:10:14.163Z info: This is a BIG-IP
2020-03-13T03:10:16.085Z info: Waiting for device to be ready.
2020-03-13T03:10:16.499Z info: Waiting for BIG-IP to be ready.
2020-03-13T03:10:16.869Z info: BIG-IP is ready.
2020-03-13T03:10:16.870Z info: Creating vlan external on interface 1.1 untagged
2020-03-13T03:10:17.050Z info: Creating vlan internal on interface 1.2 untagged
2020-03-13T03:10:17.248Z info: Creating self IP self_2nic with address 192.168.2.5/24 on vlan external allowing default
2020-03-13T03:10:17.316Z info: Creating self IP self_3nic with address 192.168.3.5/24 on vlan internal allowing default
2020-03-13T03:10:17.363Z info: Setting default gateway 192.168.2.1
2020-03-13T03:10:17.397Z info: Saving config.
2020-03-13T03:10:20.808Z info: BIG-IP network setup complete.
2020-03-13T03:10:20.808Z info: Network setup finished.
2020-03-13T03:10:22.534Z info: /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js called with /usr/bin/f5-rest-node /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host 192.168.1.9 --port 443 -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip 192.168.3.5 --join-group --device-group Sync --sync --remote-host 192.168.1.4 --remote-user svc_user --remote-password-url file:///config/cloud/.passwd
2020-03-13T03:10:22.552Z info: Cluster starting.
2020-03-13T03:10:22.554Z info: Initializing BIG-IP.
2020-03-13T03:10:22.570Z info: This is a BIG-IP
2020-03-13T03:10:24.432Z info: Waiting for device to be ready.
2020-03-13T03:10:25.227Z info: Waiting for BIG-IP to be ready.
2020-03-13T03:10:25.610Z info: BIG-IP is ready.
2020-03-13T03:10:25.611Z info: Setting config sync ip.
2020-03-13T03:10:26.498Z info: Joining group.
2020-03-13T03:10:26.511Z info: This is a BIG-IP
2020-03-13T03:10:28.311Z info: Waiting for device to be ready.
2020-03-13T03:10:39.127Z info: Checking remote host for cluster readiness.
2020-03-13T03:11:27.594Z info: Getting local hostname for trust.
2020-03-13T03:11:27.609Z info: Getting local management address.
2020-03-13T03:11:27.977Z info: Adding to remote trust.
2020-03-13T03:11:40.142Z info: Adding to remote device group.
2020-03-13T03:12:04.545Z info: Checking for datasync-global-dg.
2020-03-13T03:12:06.220Z info: Telling remote to sync.
2020-03-13T03:12:54.231Z info: Telling remote to sync datasync-global-dg request.
2020-03-13T03:12:54.702Z info: Waiting for sync to complete.
2020-03-13T03:13:19.138Z info: Sync complete.
2020-03-13T03:13:19.138Z info: Waiting for BIG-IP to be active.
2020-03-13T03:13:20.069Z info: Cluster finished.
Loading configuration...
  /shared/vadc/azure/waagent/custom-script/download/0/f5.service_discovery.tmpl
Loading configuration...
  /shared/vadc/azure/waagent/custom-script/download/0/f5.cloud_logger.v1.0.0.tmpl
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0   0   external
default         192.168.1.1     0.0.0.0         UG    9      0   0   mgmt
127.1.1.0       0.0.0.0         255.255.255.0   U     0      0   0   tmm
127.7.0.0       tmm-shared      255.255.0.0     UG    0      0   0   tmm
127.20.0.0      0.0.0.0         255.255.0.0     U     0      0   0   tmm_bp
168.63.129.16   192.168.1.1     255.255.255.255 UGH   9      0   0   mgmt
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   mgmt
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   external
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0   0   internal
###############################################
BASHSRG - Bash STIG/SRG Configuration Script
Michael Coleman. M.Coleman@F5.com. Modified by r.eastman@f5.com on March 5, 2019
###############################################
Configuration Complete
[stderr]
01020036:3: The requested Config Instance (/Common/snmpd /Common/comm-public community) was not found.
```

BigIp3

```
Enable succeeded:
[stdout]
is a BIG-IP
2020-03-13T03:13:01.965Z info: Waiting for device to be ready.
2020-03-13T03:13:02.394Z info: Waiting for BIG-IP to be ready.
2020-03-13T03:13:02.801Z info: BIG-IP is ready.
2020-03-13T03:13:02.802Z info: Creating vlan external on interface 1.1 untagged
2020-03-13T03:13:03.065Z info: Creating vlan internal on interface 1.2 untagged
2020-03-13T03:13:03.248Z info: Creating self IP self_2nic with address 192.168.7.5/24 on vlan external allowing default
2020-03-13T03:13:03.307Z info: Creating self IP self_3nic with address 192.168.8.5/24 on vlan internal allowing default
2020-03-13T03:13:03.349Z info: Setting default gateway 192.168.8.1
2020-03-13T03:13:03.374Z info: Saving config.
2020-03-13T03:13:06.929Z info: BIG-IP network setup complete.
2020-03-13T03:13:06.929Z info: Network setup finished.
2020-03-13T03:13:08.626Z info: /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js called with /usr/bin/f5-rest-node /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host 192.168.1.11 --port 443 -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip 192.168.8.5 --join-group --device-group Sync --sync --remote-host 192.168.1.10 --remote-user svc_user --remote-password-url file:///config/cloud/.passwd
2020-03-13T03:13:08.642Z info: Cluster starting.
2020-03-13T03:13:08.644Z info: Initializing BIG-IP.
2020-03-13T03:13:08.672Z info: This is a BIG-IP
2020-03-13T03:13:10.579Z info: Waiting for device to be ready.
2020-03-13T03:13:11.428Z info: Waiting for BIG-IP to be ready.
2020-03-13T03:13:11.856Z info: BIG-IP is ready.
2020-03-13T03:13:11.856Z info: Setting config sync ip.
2020-03-13T03:13:12.744Z info: Joining group.
2020-03-13T03:13:12.761Z info: This is a BIG-IP
2020-03-13T03:13:14.676Z info: Waiting for device to be ready.
2020-03-13T03:13:47.503Z info: Checking remote host for cluster readiness.
2020-03-13T03:14:23.410Z info: Getting local hostname for trust.
2020-03-13T03:14:23.425Z info: Getting local management address.
2020-03-13T03:14:23.806Z info: Adding to remote trust.
2020-03-13T03:14:32.469Z info: Add to trust failed: tryUntil: max tries reached: socket hang up
2020-03-13T03:14:46.595Z info: Adding to remote device group.
2020-03-13T03:14:48.248Z info: Checking for datasync-global-dg.
2020-03-13T03:14:50.423Z info: Telling remote to sync.
2020-03-13T03:15:21.143Z info: Telling remote to sync datasync-global-dg request.
2020-03-13T03:15:21.616Z info: Waiting for sync to complete.
2020-03-13T03:15:24.873Z info: Sync complete.
2020-03-13T03:15:24.873Z info: Waiting for BIG-IP to be active.
2020-03-13T03:15:25.806Z info: Cluster finished.
Loading configuration...
  /shared/vadc/azure/waagent/custom-script/download/0/f5.service_discovery.tmpl
Loading configuration...
  /shared/vadc/azure/waagent/custom-script/download/0/f5.cloud_logger.v1.0.0.tmpl
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         192.168.8.1     0.0.0.0         UG    0      0   0   internal
default         192.168.1.1     0.0.0.0         UG    9      0   0   mgmt
127.1.1.0       0.0.0.0         255.255.255.0   U     0      0   0   tmm
127.7.0.0       tmm-shared      255.255.0.0     UG    0      0   0   tmm
127.20.0.0      0.0.0.0         255.255.0.0     U     0      0   0   tmm_bp
168.63.129.16   192.168.1.1     255.255.255.255 UGH   9      0   0   mgmt
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   mgmt
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0   0   external
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0   0   internal
###############################################
BASHSRG - Bash STIG/SRG Configuration Script
Michael Coleman. M.Coleman@F5.com. Modified by r.eastman@f5.com on March 5, 2019
###############################################
Configuration Complete
[stderr]
2020-03-13T03:12:58.396Z error: Metrics upload error: customer id is required
01020036:3: The requested Config Instance (/Common/snmpd /Common/comm-public community) was not found.
```
Here is a verbiage from Microsoft SACA https://docs.microsoft.com/en-us/azure/azure-government/compliance/secure-azure-computing-architecture
F5 SACA deployment Two separate F5 deployment templates cover two different architectures. The first template has only one layer of F5 appliances in an active-active highly available configuration. This architecture meets the requirements for VDSS. The second template adds a second layer of active-active highly available F5s. This second layer allows customers to add their own IPS separate from F5 in between the F5 layers. Not all DoD components have specific IPS prescribed for use. If that's the case, the single layer of F5 appliances works for most because that architecture includes IPS on the F5 devices.
It says that the F5s are configured in active-active but when I review both North and South F5s they are in active-standby. Any thoughts? Thanks,
Sanjay Ingle Cloud Solution Architect (Microsoft Azure) Accenture Federal Services Mobile: 612 812 4380 Office: 571 414 2606 Email: sanjay.ingle@accenturefederal.commailto:sanjay.ingle@accenturefederal.com Security First: Know. Choose. Champion
From: Michael notifications@github.com Sent: Wednesday, March 11, 2020 4:20 PM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Author author@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
You CANNOT convert the licenses between PAYG and BYOL. You CAN export configurations between the two however.
You will not have many of the Add-On options from BYOL in PAYG Images if you are utilizing any of those.
To the first question, the errors are coming from the STIG Script that is run automatically. Did you select 15.0 or the 14.1.2 for the image? It's just saying that the SNMP community string it tried to delete already did not exist, so that error is fine. The devices look to have completed deployment successfully, otherwise.
As to the other, you would need to add traffic groups to accept traffic on both BIG-IP's at the same time. The automated deployment only configures a Device Service Cluster.
Hi Michael – We made a lot of progress in adding the EiTaaS specific customization to the 2.6.1 ARM template in the last 48 hours. Can you please review and validate this log file for BigIP0?
I set:
STIGDevice = false
BigIPVersion = 15.0.100000
Tier1DeclarationUrl = “NOT SPECIFIED”
Tier3DeclarationUrl = “NOT SPECIFIED”
Are we getting the error in red below because Tier1DeclarationUrl and Tier3DeclarationUrl are “NOT SPECIFIED”?
Enable succeeded: [stdout] : Waiting for ONBOARD_DONE
2020-03-16T14:36:34.698Z info: Network setup starting.
2020-03-16T14:36:34.701Z info: Initializing BIG-IP.
2020-03-16T14:36:34.720Z info: This is a BIG-IP
2020-03-16T14:36:37.712Z info: Waiting for device to be ready.
2020-03-16T14:36:38.181Z info: Waiting for BIG-IP to be ready.
2020-03-16T14:36:38.607Z info: BIG-IP is ready.
2020-03-16T14:36:38.608Z info: Creating vlan external on interface 1.1 untagged
2020-03-16T14:36:38.796Z info: Creating vlan internal on interface 1.2 untagged
2020-03-16T14:36:38.947Z info: Creating self IP self_2nic with address 172.22.192.68/26 on vlan external allowing default
2020-03-16T14:36:38.998Z info: Creating self IP self_3nic with address 172.22.192.132/26 on vlan internal allowing default
2020-03-16T14:36:39.053Z info: Setting default gateway 172.22.192.65
2020-03-16T14:36:39.081Z info: Saving config.
2020-03-16T14:36:43.081Z info: BIG-IP network setup complete.
2020-03-16T14:36:43.081Z info: Network setup finished.
2020-03-16T14:36:44.885Z info: /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js called with /usr/bin/f5-rest-node /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host 172.22.192.4 --port 443 -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip 172.22.192.132 --create-group --device-group Sync --sync-type sync-failover --device bigip0.usgovvirginia.cloudapp.usgovcloudapi.net --network-failover --auto-sync --save-on-auto-sync
2020-03-16T14:36:44.901Z info: Cluster starting.
2020-03-16T14:36:44.904Z info: Initializing BIG-IP.
2020-03-16T14:36:44.923Z info: This is a BIG-IP
2020-03-16T14:36:47.145Z info: Waiting for device to be ready.
2020-03-16T14:36:48.468Z info: Waiting for BIG-IP to be ready.
2020-03-16T14:36:48.942Z info: BIG-IP is ready.
2020-03-16T14:36:48.942Z info: Setting config sync ip.
2020-03-16T14:36:49.927Z info: Creating group Sync
2020-03-16T14:36:53.026Z info: Waiting for BIG-IP to be active.
2020-03-16T14:36:53.391Z info: Cluster finished.
Custom config was not a URL, continuing.
Application deployment failed or custom URL was not specified.
Deployment complete.
Loading configuration...
/shared/vadc/azure/waagent/custom-script/download/0/f5.service_discovery.tmpl
Loading configuration...
/shared/vadc/azure/waagent/custom-script/download/0/f5.cloud_logger.v1.0.0.tmpl
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.22.192.65 0.0.0.0 UG 0 0 0 external
default 172.22.192.1 0.0.0.0 UG 9 0 0 mgmt
127.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tmm
127.7.0.0 tmm-shared 255.255.0.0 UG 0 0 0 tmm
127.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tmm_bp
168.63.129.16 172.22.192.1 255.255.255.255 UGH 9 0 0 mgmt
172.22.192.0 0.0.0.0 255.255.255.192 U 0 0 0 mgmt
172.22.192.64 0.0.0.0 255.255.255.192 U 0 0 0 external
172.22.192.128 0.0.0.0 255.255.255.192 U 0 0 0 internal
Archive: Certificates_PKCS7_v5.5_DoD.zip
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.der.p7b
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.sha256
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD_DoD_Root_CA_2.der.p7b
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD_DoD_Root_CA_3.der.p7b
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD_DoD_Root_CA_4.der.p7b
inflating: Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD_DoD_Root_CA_5.der.p7b
inflating: Certificates_PKCS7_v5.5_DoD/DoD_PKE_CA_chain.pem
inflating: Certificates_PKCS7_v5.5_DoD/README.txt
[stderr]
Thanks,
From: Michael notifications@github.com Sent: Friday, March 13, 2020 8:49 AM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Author author@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
To the first question, the errors are coming from the STIG Script that is run automatically. Did you select 15.0 or the 14.1.2 for the image? It's just saying that the SNMP community string it tried to delete already did not exist, so that error is fine. The devices look to have completed deployment successfully, otherwise.
As to the other, you would need to add traffic groups to accept traffic on both BIG-IP's at the same time. The automated deployment only configures a Device Service Cluster.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-admin-11-6-0/10.html
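The addressing rule raised in the first reply of this thread (on these multi-NIC images a Self IP must not share a network with the management IP, and the config-sync address must be a Self IP that actually exists) can be checked against the onboarding log before deployment. This is an added example, not part of the thread or of the f5-azure-saca templates; the function names are hypothetical, the failing input is constructed from the two error messages quoted earlier, and the /24 mask on its second Self IP is an assumption.

```python
import ipaddress
import re

# Patterns for two f5-cloud-libs log entries as they appear in the log above.
SELF_IP_RE = re.compile(r"Creating self IP (\S+) with address (\S+) on vlan (\S+)")
SYNC_IP_RE = re.compile(r"--config-sync-ip (\S+)")


def parse_onboard_log(text):
    """Return ([(name, IPv4Interface, vlan), ...], config-sync IP or None)."""
    self_ips = [(name, ipaddress.ip_interface(addr), vlan)
                for name, addr, vlan in SELF_IP_RE.findall(text)]
    match = SYNC_IP_RE.search(text)
    sync_ip = ipaddress.ip_address(match.group(1)) if match else None
    return self_ips, sync_ip


def audit_addressing(log_text, mgmt):
    """mgmt is 'address/mask'. Returns a list of problem descriptions."""
    mgmt_if = ipaddress.ip_interface(mgmt)
    self_ips, sync_ip = parse_onboard_log(log_text)
    problems, usable = [], set()
    for name, iface, vlan in self_ips:
        # Rule from the thread: a Self IP's network must not contain or
        # overlap the management network on a multi-NIC image.
        if iface.network.overlaps(mgmt_if.network):
            problems.append(f"{name} {iface} on vlan {vlan} shares a network "
                            f"with management {mgmt_if}")
        else:
            usable.add(iface.ip)
    # A rejected Self IP never exists, so config sync cannot reference it.
    if sync_ip is not None and sync_ip not in usable:
        problems.append(f"config-sync IP {sync_ip} is not an existing Self IP")
    return problems


# Entries abridged from the successful log in the thread.
GOOD_LOG = """\
info: Creating self IP self_2nic with address 172.22.192.68/26 on vlan external allowing default
info: Creating self IP self_3nic with address 172.22.192.132/26 on vlan internal allowing default
info: cluster.js called with --host 172.22.192.4 --config-sync-ip 172.22.192.132 --create-group
"""

# Constructed from the 01070392 / 0107146f errors: Self IPs given a /24 mask
# (the mask on self_3nic is an assumption) while management is a /26.
BAD_LOG = """\
info: Creating self IP self_2nic with address 172.24.192.68/24 on vlan external allowing default
info: Creating self IP self_3nic with address 172.24.192.132/24 on vlan internal allowing default
info: cluster.js called with --host 172.24.192.4 --config-sync-ip 172.24.192.132 --create-group
"""

if __name__ == "__main__":
    for label, log, mgmt in (("good", GOOD_LOG, "172.22.192.4/255.255.255.192"),
                             ("bad", BAD_LOG, "172.24.192.4/255.255.255.192")):
        print(label, audit_addressing(log, mgmt) or "no addressing conflicts")
```
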
I do not see any errors, did the deployment fail?
Sanjay, The log error is stating exactly that, there was no URL declaration specified...but the deployment looks to have succeeded and this would be the expected result.
No, the deployment was successful! We did check that the clustering is set up in Active/StandBy in both North and South. Are we missing anything?
Thanks, Sanjay
From: Michael notifications@github.com Sent: Monday, March 16, 2020 11:39 AM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Author author@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
I do not see any errors, did the deployment fail?
Ok. Thanks for confirming!
Sanjay
From: therealnoof notifications@github.com Sent: Monday, March 16, 2020 11:45 AM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Author author@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
Sanjay, The log error is stating exactly that, there was no URL declaration specified...but the deployment looks to have succeeded and this would be the expected result.
We’re unable to curl from the external BigIP.
[sanjay.ingle@bigip0:Standby:In Sync] ~ # curl https://www.bing.com
curl: (7) Failed to connect to www.bing.com port 443: Connection refused
How should we address this?
Thanks, Sanjay
Hello Sanjay,
I would recommend opening a support case.
1-888-882-7535
A support engineer will be able to help you troubleshoot your network issue. Please have your registration key ready. You will also need to have an account created if you do not have one already. You may be able to use another employee's account.
Thank You
@saingle355 quick question, are you having issues with the provided templates, or with customized templates? If you customize the templates, it may break all of the hidden tmsh commands for configurations in the ARM. There are a ton of things that can break outbound access, so a trouble ticket may be the best path.
Michael – Do you have an ETA on when you will have the SACA v3? I know you mentioned that the v3 will be refactored using TerraForm.
Thanks,
@saingle355 if I remember correctly you were able to engineer a solution, closing this issue for now.
Yes, that is correct. Thanks for the follow up!
From: Michael notifications@github.com Sent: Tuesday, September 29, 2020 9:27 AM To: f5devcentral/f5-azure-saca f5-azure-saca@noreply.github.com Cc: Ingle, Sanjay sanjay.ingle@accenturefederal.com; Mention mention@noreply.github.com Subject: [External] Re: [f5devcentral/f5-azure-saca] Network setup failed errors (#96)
@saingle355 if I remember correctly you were able to engineer a solution, closing this issue for now.
We have updated our ARM template with the latest HA 3Tier code from here https://github.com/f5devcentral/f5-azure-saca/tree/master/SACAv2/3NIC_3Tier_HA. Added some minor customizations, integrated with TerraForm. The code successfully deployed, but when I looked at the VMExtension Status for the 4 F5 VMs I see some “Network setup failed” errors. I’m attaching the error logs for each server. f5vmlogs.zip. Any thoughts on resolving this?