GTM Essentials
Prepared and presented by: Lin Jing, V1.0, www.myf5.net
Slide 2: Updates
Version | Date | Description | Author/Edit
V1.0 | 2010/3/27, 28 | Original | Lin Jing
V1.1 | 2010/4/17 | Correct p40/41, about synchronization | linjing
V1.2 | 201/06/22 | P39: add a case about private address of VS | LINJING
Slide 4: GTM key points
• Object relationships in GTM
• Listener decision strategy
• Certificate exchange mechanism
• Eight steps to add a new GTM to a sync group
• iQuery structural relationships
• Election of gtmd and big3d
• Monitors and path metric collection
• NAT handling for servers with private addresses
• Synchronization of named.conf, zone, wideip.conf and persistence
• ZoneRunner & BIND
• Ten steps to configure GTM
• Log checking and troubleshooting
Slide 5: Object relationships in GTM
• Virtual server
• Server
• Datacenter
• Pool
• Wideip
• Link
Slide 8: Listener decision strategy
• If the listener address is a self IP, the listener configuration cannot be synchronized within the HA pair; in that case the listener configuration lives in bigip_local.conf, with unit id = 0:

    # cat bigip_local.conf
    virtual address 10.4.10.253 {
       floating disable
       unit 0
    }
    virtual vs_10_4_10_253_53_gtm {
       destination 10.4.10.253:domain
       ip protocol udp
       translate address disable
       translate service disable
       profile dns udp
    }
    [root@gtm2:Active] config #
Slide 9: Listener decision strategy
• If the listener address is a floating IP or a standalone IP, the listener configuration can be synchronized within the HA pair.
• BIG-IP self IP address:

    self 10.4.10.253 {
       netmask 255.0.0
       vlan External
       allow default
    }

• The GTM listener virtual address:

    virtual address 10.4.10.190 {
    }

• The GTM listener virtual server:

    virtual vs_10_4_10_190_53_gtm {
       destination 10.4.10.190:domain
       ip protocol udp
       translate address disable
       translate service disable
       profile dns udp
    }
Slide 12: Certificate exchange mechanism: F5 certificates (cont.)
• By default, the certificates in the three locations above are completely identical.

    cat /dev/null > /config/gtm/server.crt
    cat /dev/null > /config/big3d/client.crt

  The two commands above restore the contents of both certificate files to the default content (= the httpd certificate).
• /config/gtm/server.crt = GUI: Global Traffic > Servers > Trusted Server Certificates
• /config/big3d/client.crt = GUI: System > Device Certificates > Trusted Device Certificates
Slide 17: Certificate exchange mechanism: what does gtm_add do?
• Backs up /config/gtm/server.crt to server.backup
• Copies the remote GTM's device certificate to the head of its own client.crt
• Copies its own device certificate into the remote GTM's /config/gtm/server.crt and /config/big3d/client.crt
• Establishes iQuery with the remote GTM
• Copies the remote's entire /config/gtm/server.crt file over, overwriting the local /config/gtm/server.crt
• Uses sync_zone and syncer to synchronize named, wideip and zone
Is that all?
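As an added check that is not part of the slides, the Python below parses the two PEM bundles gtm_add rewrites and verifies what the deck says should hold afterwards: the local device certificate appears in both /config/gtm/server.crt and /config/big3d/client.crt, and the two bundles hold the same set. The PEM blobs are constructed placeholders, not real certificates, so the script runs offline.

```python
import base64
import hashlib
import re

# Constructed PEM material: NOT real certificates, just base64 blobs wrapped in
# PEM markers so the bundle parser can be exercised without any files on disk.
def _fake_pem(label: bytes) -> str:
    body = base64.b64encode(label.ljust(48, b"\0")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text: str) -> list:
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle, in file order."""
    fps = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def check_trust_files(device_cert: str, gtm_server_crt: str, big3d_client_crt: str) -> dict:
    """Our own device certificate must be present in both trust bundles, and (by
    default) the two bundles should contain the same set of certificates."""
    own = bundle_fingerprints(device_cert)[0]
    server_fps = bundle_fingerprints(gtm_server_crt)
    client_fps = bundle_fingerprints(big3d_client_crt)
    return {
        "own_in_gtm_server_crt": own in server_fps,
        "own_in_big3d_client_crt": own in client_fps,
        "bundles_identical": set(server_fps) == set(client_fps),
        "only_in_server_crt": sorted(set(server_fps) - set(client_fps)),
        "only_in_client_crt": sorted(set(client_fps) - set(server_fps)),
    }

# Constructed scenario: gtm1 holds its own cert plus gtm2's in /config/gtm/server.crt,
# but /config/big3d/client.crt was never updated and still lacks gtm2's certificate.
GTM1_DEVICE = _fake_pem(b"gtm1-device")
GTM2_DEVICE = _fake_pem(b"gtm2-device")
GTM_SERVER_CRT = GTM1_DEVICE + GTM2_DEVICE
BIG3D_CLIENT_CRT = GTM1_DEVICE

if __name__ == "__main__":
    print(check_trust_files(GTM1_DEVICE, GTM_SERVER_CRT, BIG3D_CLIENT_CRT))
```

On a real box you would read the three files from the paths named on the slides and feed their contents to check_trust_files.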
Slide 20: Eight steps to add a new GTM to a sync group
• Define VLANs
• Define self IPs
• Create default route
• Define NTP servers
• Create new GTM server object on donor (existing) GTM
• Configure sync group on donor (existing) GTM
• Run gtm_add on CLI of new GTM
• Define the GTM listener on new GTM
Slide 21: Certificate-related SOL tips
• Manually reproducing, from the GTM, the SSL handshake with another BIG-IP device:

    openssl s_client -tls1 -showcerts -connect <IP address of remote BIGIP>:4353 \
        -cert /config/httpd/conf/ssl.crt/server.crt \
        -key /config/httpd/conf/ssl.key/server.key \
        -CAfile /config/gtm/server.crt

  Note: in openssl s_client the -verify option takes a depth number; the trusted bundle is passed with -CAfile.
• SOL 9114 - Creating an SSL device certificate and key pair using OpenSSL
• SOL 6353 - Updating an SSL certificate on a BIG-IP GTM or Link Controller system
• SOL 8187 - Troubleshooting BIG-IP LTM and GTM device certificates
• SOL 7754 - Renewing self-signed device certificates
• SOL 4146 - Creating a self-signed certificate that expires in a different value than the default value of 10 years
Slide 22: iQuery structural relationships
• Correctly exchanging certificates is the prerequisite for building the iQuery mesh.
• iQuery is an F5 proprietary protocol using TCP 4353; versions 9.2 and later use SSL-encrypted communication. What is transmitted is gzip-compressed XML block data.
• iQuery carries the exchange or synchronization of monitor, heartbeat, path metric collection results and persistence between BIG-IPs, and is the trigger for synchronizing the various configurations (wideip.conf, named.conf, zone).
• big3d listens on tcp:4353 on all self IPs and on the internal interfaces including mgmt (udp 4353 is a leftover from the 3-DNS era).
• iQuery is the communication between gtmd and big3d, so the iQuery mesh is a mesh between GTM and GTM, and between GTM and LTM (LC). No iQuery communication is needed between non-GTM devices (this deck does not discuss iQuery in other products such as WA).
Slide 23: iQuery structural relationships

    [root@gtm2:Active] config # netstat -na | grep :4353
    tcp 0 0 10.30.0.1:4353      0.0.0.0:*  LISTEN
    tcp 0 0 127.1.1.1:4353      0.0.0.0:*  LISTEN
    tcp 0 0 172.24.18.11:4353   0.0.0.0:*  LISTEN
    tcp 0 0 127.2.0.2:4353      0.0.0.0:*  LISTEN
    tcp 0 0 127.10.0.0:4353     0.0.0.0:*  LISTEN
Slide 24: iQuery structural relationships (diagram: GTM1, GTM2)
Slide 25: iQuery structural relationships

    [root@gtm2:Active] config # lsof -i -P | grep 4353 | grep -i est
    big3d 12744 root  8u IPv4 3850569 TCP 10.30.0.1:4353->10.30.0.1:42933 (ESTABLISHED)   [red]
    gtmd  12771 root  8u IPv6 3850565 TCP 10.30.0.1:42933->10.30.0.1:4353 (ESTABLISHED)   [red]
    gtmd  12771 root  9u IPv6 3850799 TCP 10.30.0.1:42950->38.1.1.10:4353 (ESTABLISHED)   [blue]
    gtmd  12771 root 10u IPv6 7490416 TCP 10.30.0.1:49989->38.1.1.11:4353 (ESTABLISHED)   [blue]
    gtmd  12771 root 11u IPv6 3850801 TCP 10.30.0.1:42952->10.30.0.2:4353 (ESTABLISHED)   [green]

• Red: the iQuery connection between gtmd and big3d on this GTM itself
• Blue: this GTM's iQuery connections to the GTM and LTM in the other data center
• Green: this GTM's iQuery connection to the LTM in the local data center

    [root@ltm2:Active] config # lsof -i -P | grep 4353 | grep -i est
    big3d 26130 root 8u IPv4 25628301 TCP 10.30.0.2:4353->10.30.0.1:42952 (ESTABLISHED)

• Taken together with the previous slide, can you spot any problem?
Slide 26: iQuery structural relationships
• Can iqdump prove that the iQuery mesh has been built correctly?
• No. When iqdump runs it creates a new, independent connection; it cannot prove whether the existing mesh is healthy.
• What iqdump shows is the content that big3d on the remote device is broadcasting.

    [root@gtm2:Active] config # lsof -i -P | grep 4353 | grep -i est
    big3d  12744 root  8u IPv4 3850569  TCP 10.30.0.1:4353->10.30.0.1:42933 (ESTABLISHED)
    gtmd   12771 root  8u IPv6 3850565  TCP 10.30.0.1:42933->10.30.0.1:4353 (ESTABLISHED)
    gtmd   12771 root  9u IPv6 3850799  TCP 10.30.0.1:42950->38.1.1.10:4353 (ESTABLISHED)
    gtmd   12771 root 10u IPv6 7490416  TCP 10.30.0.1:49989->38.1.1.11:4353 (ESTABLISHED)
    gtmd   12771 root 11u IPv6 3850801  TCP 10.30.0.1:42952->10.30.0.2:4353 (ESTABLISHED)
    iqdump 31986 root  3u IPv6 11179495 TCP 10.30.0.1:57617->10.30.0.2:4353 (ESTABLISHED)

• iqdump can prove whether iQuery can be established, and lets you listen to what big3d is currently broadcasting.
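An added mesh health check, not from the slides: it parses lsof output in the layout printed on slides 25 and 26 and reports which expected iQuery peers actually have an ESTABLISHED gtmd connection to port 4353, deliberately ignoring iqdump's own socket for the reason given above. The expected peer list and the iqdump line pointing at 38.1.1.12 are constructed for the example.

```python
import re

# Column layout as printed by 'lsof -i -P' on the slides:
# COMMAND PID USER FD TYPE DEVICE NODE NAME (STATE)
LSOF_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+TCP\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+)\s+\((?P<state>\w+)\)$"
)

def parse_lsof(lines):
    """Turn lsof lines into dicts; lines that do not match (LISTEN sockets etc.) are skipped."""
    parsed = []
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed

def mesh_report(lines, expected_peers, iquery_port="4353"):
    """Compare live gtmd -> big3d connections against the peers we expect in the
    sync group. Only gtmd's own ESTABLISHED sockets count: a connection opened by
    iqdump proves that iQuery can be built, not that the mesh is built."""
    live = {c["raddr"] for c in parse_lsof(lines)
            if c["proc"] == "gtmd" and c["rport"] == iquery_port and c["state"] == "ESTABLISHED"}
    expected = set(expected_peers)
    return {"connected": sorted(live & expected),
            "missing": sorted(expected - live),
            "unexpected": sorted(live - expected)}

# Lines adapted from the slide's lsof output, plus a constructed iqdump session to a
# peer (38.1.1.12) that gtmd itself has no connection to.
LSOF_OUTPUT = """\
big3d  12744 root  8u IPv4 3850569  TCP 10.30.0.1:4353->10.30.0.1:42933 (ESTABLISHED)
gtmd   12771 root  8u IPv6 3850565  TCP 10.30.0.1:42933->10.30.0.1:4353 (ESTABLISHED)
gtmd   12771 root  9u IPv6 3850799  TCP 10.30.0.1:42950->38.1.1.10:4353 (ESTABLISHED)
gtmd   12771 root 10u IPv6 7490416  TCP 10.30.0.1:49989->38.1.1.11:4353 (ESTABLISHED)
gtmd   12771 root 11u IPv6 3850801  TCP 10.30.0.1:42952->10.30.0.2:4353 (ESTABLISHED)
iqdump 31986 root  3u IPv6 11179495 TCP 10.30.0.1:57617->38.1.1.12:4353 (ESTABLISHED)
""".splitlines()
# Constructed expectation: own big3d, the local-DC LTM, and the other DC's GTM and LTMs.
EXPECTED_PEERS = ["10.30.0.1", "10.30.0.2", "38.1.1.10", "38.1.1.11", "38.1.1.12"]

if __name__ == "__main__":
    print(mesh_report(LSOF_OUTPUT, EXPECTED_PEERS))
```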
Slide 31: Monitors and path metric collection
• Monitors on the GTM are responsible for collecting availability and performance data for the servers in its data centers.
• Monitors and path metric collection are two independent things.
• Monitors can be configured at the following levels on the GTM:
  • Virtual server
  • Server
  • Pool member
  • Pool
  • Link
Slide 32: Monitors and path metric collection
• These monitors relate to each other as follows:
  • Server and virtual server are like node and pool member on the LTM
  • Pool and pool member are like pool and pool member on the LTM
  • Pool and server are in an AND relationship
• Configuring overlapping monitors brings no benefit at all; sort out the relationships between monitors carefully.
Slide 33: Best practices for configuring monitors
• Do not define monitors at the virtual server level.
• At the server level, define a connectivity monitor such as gateway_icmp; if the server is a BIG-IP, always use the bigip monitor.
• At the pool level, define content- or application-oriented monitors. If the pool members are a mix of bigip-based and host-based, you can assign the specific monitor only on the host-based pool members and define no monitor at the pool level.
• Be careful: some monitors are bound to a specific port. Will your VS or pool member port conflict with that monitor?
Slide 35: Path metric collection (diagram: LDNS, GTM1 in DC1, GTM2 in DC2, gtmd, big3d)
Slide 40: Synchronization of named.conf, zone, wideip.conf and persistence
• Over the iQuery connections between GTMs, heartbeat messages are exchanged every 10 seconds; they carry the timestamps of named, wideip and persistence.

    [root@gtm1:Active] config # iqdump 38.1.1.12 lab2_team2 | grep -i "_timestamp"
    <wideip_timestamp>1269224525</wideip_timestamp>
    <named_timestamp>1268986383</named_timestamp>
    <persist_timestamp>1269224606</persist_timestamp>   ------ used by earlier versions of GTM (pre 9.3.0 and 9.4.2), now deprecated!

• If the wideip or named file is updated, its timestamp changes; the GTM that receives the change notification starts the corresponding sync program to synchronize the configuration files.
• wideip_timestamp is the last modification time of the current wideip.conf; if it is found to be newer, synchronization of named.conf and related files is triggered.
• named_timestamp is the last modification time of named.conf; if it is found to be newer, synchronization of named.conf and the zone files is triggered.
• Persistence synchronization is more complex.
• This is why the very first step, configuring NTP servers, is so critical for GTM.
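The timestamp comparison described above, written out as an added example (not the product's own sync code): it extracts the heartbeat timestamps from iqdump output and decides per file whether this GTM would pull the peer's copy, push its own, or do nothing, and it flags timestamps that lie in the future relative to the local clock, the symptom you get when peers are not NTP-synchronised. The peer values are those printed on the slide; the local values and "now" are constructed.

```python
import re

# Matches the heartbeat timestamp elements shown in the iqdump output on the slide
TS_RE = re.compile(r"<(wideip|named|persist)_timestamp>(\d+)</\1_timestamp>")

def parse_heartbeat_timestamps(iqdump_text):
    """Return {'wideip': epoch, 'named': epoch, 'persist': epoch} from iqdump output."""
    return {name: int(value) for name, value in TS_RE.findall(iqdump_text)}

def sync_decisions(peer_ts, local_ts, now, max_skew=300):
    """For each file: 'pull' if the peer's copy is newer, 'push' if ours is newer,
    'in_sync' if equal. clock_warning is set when either timestamp is more than
    max_skew seconds ahead of the local clock (peers without NTP)."""
    report = {}
    for name in ("wideip", "named", "persist"):
        peer, local = peer_ts.get(name), local_ts.get(name)
        if peer is None or local is None:
            report[name] = {"action": "unknown", "clock_warning": False}
            continue
        action = "pull" if peer > local else ("push" if local > peer else "in_sync")
        report[name] = {"action": action,
                        "clock_warning": max(peer, local) > now + max_skew}
    return report

# Constructed inputs: peer values as printed on the slide; local values and 'now'
# are made up so that each branch is exercised.
PEER_IQDUMP = """
<wideip_timestamp>1269224525</wideip_timestamp>
<named_timestamp>1268986383</named_timestamp>
<persist_timestamp>1269224606</persist_timestamp>
"""
LOCAL_TS = {"wideip": 1269224525, "named": 1268980000, "persist": 1269300000}
NOW = 1269224700

if __name__ == "__main__":
    print(sync_decisions(parse_heartbeat_timestamps(PEER_IQDUMP), LOCAL_TS, NOW))
```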
Slide 45: ZoneRunner & BIND
• See SOL 7176: F5 Networks support for ZoneRunner, BIND, and the named daemon
Slide 46: Ten steps to configure GTM
1. Define VLANs
2. Define self IPs
3. Create default route
4. Define NTP servers
5. Define GTM listeners
6. Create data centers
7. Create server objects
8. big3d_install or bigip_add for BIG-IP servers
9. Create GTM pool objects
10. Create Wide IPs
Slide 47: Log checking and troubleshooting
• GTM logs are kept in /var/log/gtm.
• When deeper troubleshooting is needed, some advanced gtmd logging can be switched on:

    GTM.Query.Logging = enable        // default disable
    GTM.Debug.Probe.Logging = enable  // default disable
    Log.GTM.Level = debug             // default notice
    Log.Big3d.Level = debug           // default notice
Slide 48: Log checking and troubleshooting

    [root@b1500-930-1b:Active] config # tail -f /var/log/gtm | grep 172.24.9.15
    Jul 22 13:55:20 b1500-930-1b gtmd[1036]: 011ae039:7: Check probing of IP:Port 172.24.9.15:80 in DC dc3
    Jul 22 13:55:20 b1500-930-1b gtmd[1036]: 011ae03a:7: Will not probe 172.24.9.15:80 in DC dc3 because will be done by other GTM (gtm2dc2.training.com:172.24.9.12)
    Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011ae03d:5: Probe from 172.24.9.13: buffer = <monitor> <name>tcp</name> <addr>::ffff:172.24.9.15</addr> <port>80</port> <trans_addr>::ffff:172.24.9.15</trans_addr> <trans_port>80</trans_port> <monitor_state>6</monitor_state> <node_type>4</node_type> <monitor_type>2</monitor_type> <why>state: timeout</why> </monitor>
    Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011ae0f2:1: Monitor instance tcp 172.24.9.15:80 UP --> DOWN from 172.24.9.13 (state: timeout)
    Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a6006:1: SNMP_TRAP: VS 172.24.9.15:80 (Server dc3_ext-host_training_server) state change green --> red (VS dc3_ext-host_training_server: Monitor tcp from 172.24.9.13 : state: timeout)
    Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a5004:1: SNMP_TRAP: Server dc3_ext-host_training_server (ip=172.24.9.15) state change green --> red (Server dc3_ext-host_training_server: No enabled VS available)

    [root@b1500-930-1b:Active] ucs # tail -f /var/log/gtm | grep Wide
    Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a3004:1: SNMP_TRAP: Wide IP ww1.acme.com state change green --> red (Wide IP ww1.acme.com: No enabled pools available)
Slide 49: Log checking and troubleshooting

    [root@b1500-925-1a:Active] ucs # tail -f /var/log/gtm | grep 172.24.9.15
    Jul 22 13:55:26 b1500-925-1a gtmd[987]: 011ae039:7: Check probing of IP:Port 172.24.9.15:80 in DC dc3
    Jul 22 13:55:26 b1500-925-1a gtmd[987]: 011ae03b:7: Will probe 172.24.9.15:80 in DC dc3
    Jul 22 13:55:26 b1500-925-1a gtmd[987]: 011ae03d:5: Probe to 172.24.9.13: buffer = <monitor> <name>tcp</name> <addr>::ffff:172.24.9.15</addr> <port>80</port> <trans_addr>::ffff:172.24.9.15</trans_addr> <trans_port>80</trans_port> <timeout>120</timeout> <probe_interval>1</probe_interval> <probe_timeout>5</probe_timeout> <probe_num_probes>1</probe_num_probes> <probe_num_successes>1</probe_num_successes> <reverse>0</reverse> <transparent>0</transparent> <node_type>4</node_type> <monitor_type>2</monitor_type> <mon_param> <pkey>SEND=</pkey> <ptype>1</ptype> <pvalue><![CDATA[]]></pvalue> </mon_param> <pkey>RECV_I=</pkey> <ptype>3</ptype> <pvalue><![CDATA[]]></pvalue> </mon_param> </monitor>
    Jul 22 13:55:31 b1500-925-1a gtmd[987]: 011ae03d:5: Probe from 172.24.9.13: buffer = <monitor> <name>tcp</name> <addr>::ffff:172.24.9.15</addr> <port>80</port> <trans_addr>::ffff:172.24.9.15</trans_addr> <trans_port>80</trans_port> <monitor_state>6</monitor_state> <node_type>4</node_type> <monitor_type>2</monitor_type> <why>state: timeout</why> </monitor>
    Jul 22 13:55:31 b1500-925-1a gtmd[987]: 011ae0f2:1: Monitor instance tcp 172.24.9.15:80 UP --> DOWN from 172.24.9.13 (state: timeout)
    Jul 22 13:55:31 b1500-925-1a gtmd[987]: 011a6006:1: SNMP_TRAP: VS 172.24.9.15:80 (Server dc3_ext-host_training_server) state change green --> red (VS dc3_ext-host_training_server: Monitor tcp from 172.24.9.13 : state: timeout)
    Jul 22 13:55:31 b1500-925-1a gtmd[987]: 011a5004:1: SNMP_TRAP: Server dc3_ext-host_training_server (ip=172.24.9.15) state change green --> red (Server dc3_ext-host_training_server: No enabled VS available)
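To make the two log excerpts above easier to read at scale, here is an added parser (not part of the slides) that reduces raw /var/log/gtm lines to three things: which GTM decided to probe a VS and which delegated to another GTM, the monitor UP/DOWN transitions, and the chain of SNMP_TRAP state changes (VS, then Server, then Wide IP). The sample lines are adapted from slides 48 and 49.

```python
import re

# Regexes follow the gtmd message formats printed on the slides
PROBE_RE = re.compile(r"Will (not )?probe (\S+) in DC (\S+)"
                      r"(?: because will be done by other GTM \(([^:)]+):([^)]+)\))?")
TRANS_RE = re.compile(r"Monitor instance (\S+) (\S+) (UP|DOWN) --> (UP|DOWN) from (\S+) \((.*?)\)")
TRAP_RE = re.compile(r"SNMP_TRAP: (VS|Server|Wide IP) (.+?) state change (\w+) --> (\w+)")
HOST_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) gtmd\[\d+\]:")

def summarize_gtm_log(lines):
    """Reduce raw /var/log/gtm lines to probe ownership decisions, monitor
    transitions and SNMP_TRAP state changes, each tagged with the logging host."""
    s = {"probe_decisions": [], "transitions": [], "traps": []}
    for line in lines:
        h = HOST_RE.match(line)
        host = h.group(1) if h else "?"
        if (m := PROBE_RE.search(line)):
            neg, target, dc, _oname, oip = m.groups()
            s["probe_decisions"].append({"host": host, "target": target, "dc": dc,
                                         "probes": neg is None, "delegated_to": oip})
        elif (m := TRANS_RE.search(line)):
            mon, target, old, new, prober, why = m.groups()
            s["transitions"].append({"host": host, "monitor": mon, "target": target,
                                     "from": old, "to": new, "prober": prober, "why": why})
        elif (m := TRAP_RE.search(line)):
            kind, name, old, new = m.groups()
            s["traps"].append({"host": host, "object": kind, "name": name, "from": old, "to": new})
    return s

# Sample lines adapted from slides 48/49 (hostnames, IDs and addresses as printed there)
LOG = [
    "Jul 22 13:55:20 b1500-930-1b gtmd[1036]: 011ae03a:7: Will not probe 172.24.9.15:80 in DC dc3 because will be done by other GTM (gtm2dc2.training.com:172.24.9.12)",
    "Jul 22 13:55:26 b1500-925-1a gtmd[987]: 011ae03b:7: Will probe 172.24.9.15:80 in DC dc3",
    "Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011ae0f2:1: Monitor instance tcp 172.24.9.15:80 UP --> DOWN from 172.24.9.13 (state: timeout)",
    "Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a6006:1: SNMP_TRAP: VS 172.24.9.15:80 (Server dc3_ext-host_training_server) state change green --> red (VS dc3_ext-host_training_server: Monitor tcp from 172.24.9.13 : state: timeout)",
    "Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a5004:1: SNMP_TRAP: Server dc3_ext-host_training_server (ip=172.24.9.15) state change green --> red (Server dc3_ext-host_training_server: No enabled VS available)",
    "Jul 22 13:55:31 b1500-930-1b gtmd[1036]: 011a3004:1: SNMP_TRAP: Wide IP ww1.acme.com state change green --> red (Wide IP ww1.acme.com: No enabled pools available)",
]

if __name__ == "__main__":
    for key, items in summarize_gtm_log(LOG).items():
        print(key, *items, sep="\n  ")
```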
Slide 50: Log checking and troubleshooting

    Mar 17 05:55:48 gtm3 gtmd[1260]: 011ae03c:7: getconfig_put: Could not find my own box, will not continue with auto discovery.

• You have added the LTM to the GTM and iQuery is established, yet no VS is discovered. If this log line appears, it means the GTM itself has not been added as a server object.
Slide 51: Log checking and troubleshooting
• iqdump peer_ipaddress sync_group_name
• Without sync_group_name you only see the basic heartbeat and server status information, not the VS information.
• If dig or nslookup returns a flag such as AUTHORITY: 2, the answer was produced by BIND.
Slide 53: Log checking and troubleshooting
• SOL 8187: Troubleshooting BIG-IP LTM and GTM device certificates
• SOL 8195: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities
• SOL 4039: Overview of iQuery communication between BIG-IP and 3-DNS version 4.x and BIG-IP LTM and GTM version 9.x
• SOL 5965: The BIG-IP GTM is unable to monitor BIG-IP version 4.x
Slide 55: Topology
• https://support.f5.com/kb/enus/solutions/public/9000/600/sol9620.html
• https://support.f5.com/kb/enus/solutions/public/10000/700/sol10721.html
Slide 57: More resources related to troubleshooting
• GTM configuration key points and troubleshooting (.pptx): this document is available on the channel's material USB stick
• Chaochao's "GTM 2 days training - v2.pptx": http://www.adntech.com/bbs/viewthread.php?tid=1476&highlight=GTM
• GTM deployment model discussion: http://www.adntech.com/bbs/viewthread.php?tid=982&extra=page%3D1
- Slides: 59