Fixing F5 License and ASM Signature Update Issues: Routing Table Solutions
So F5 licensing has always been kind of funky. I'm not saying it's bad, but I've always wondered why the automatic license update didn't work. Then recently we licensed ASM and again had to perform the manual license process. It went well, as it always had, but we were not getting ASM signature updates.
So it was time to dive into the F5 and start troubleshooting. The first thing was to confirm that the F5 could resolve the DNS name for the update service... Check!
Next, you need to check the routing. There are two routing tables: the LTM routing table and the sys management routing table. The LTM routing table had a default route that could not reach the internet. This was by design, since the interface it would use sits in a secure DMZ. This may not affect you if you allow your F5 to reach the internet directly, but we did not have that luxury.
This is where we were a little confused. One would think the license update and ASM signature update traffic would follow the sys management routing table; unfortunately, that isn't the case. We discovered that the F5's attempts to reach out were following the LTM default route and not the defined sys management-route default.
Once the issue was identified, it was easily resolved by adding a route for the F5 services to the sys management routing table, outlined in italic below.
10.0.0.1 is the internal gateway (next hop) in this scenario.
104.219.104.0/21 is the IP space for F5 services.
The rest should be self-explanatory.
sys management-route F5_Service_Route {
gateway 10.0.0.1
network 104.219.104.0/21
}
sysadmin@(f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# create sys management-route F5_Service_Route network 104.219.104.0/21 gateway 10.0.0.1
sysadmin@(f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)#
sysadmin@(f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# list sys management-route
sys management-route F5_Service_Route {
gateway 10.0.0.1
network 104.219.104.0/21
}
sys management-route tacacs2 {
gateway 10.0.0.1
network 10.0.0.10/32
}
sys management-route tacacs1 {
gateway 10.0.0.1
network 10.1.1.10/32
}
sys management-route default {
gateway 10.0.0.1
network default
}
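As an added example (not from the original post or from F5), here is a small Python check that a practitioner can run on a workstation against saved `tmsh list sys management-route` output. It parses the listing into routes, does a longest-prefix lookup for a destination, and reports whether the F5 service prefix is covered by a management route more specific than `default`. The embedded listing is reconstructed from the post's before/after state; the sample destination inside 104.219.104.0/21 is constructed.

```python
import ipaddress
import re

# Constructed sample: `list sys management-route` output as it looked
# before the F5_Service_Route entry was added (taken from the post).
SAMPLE_BEFORE = """
sys management-route tacacs2 {
    gateway 10.0.0.1
    network 10.0.0.10/32
}
sys management-route tacacs1 {
    gateway 10.0.0.1
    network 10.1.1.10/32
}
sys management-route default {
    gateway 10.0.0.1
    network default
}
"""

# Same listing after the fix: the specific /21 for F5 services is present.
SAMPLE_AFTER = """
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}
""" + SAMPLE_BEFORE

BLOCK_RE = re.compile(r"sys management-route (\S+) \{(.*?)\}", re.S)

def parse_management_routes(text):
    """Return [(name, ip_network, gateway)] from tmsh list output."""
    routes = []
    for name, body in BLOCK_RE.findall(text):
        fields = dict(re.findall(r"(\w+)\s+(\S+)", body))
        net = "0.0.0.0/0" if fields["network"] == "default" else fields["network"]
        routes.append((name, ipaddress.ip_network(net, strict=False), fields["gateway"]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match for dest; returns (route name, gateway) or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[1]]
    if not matches:
        return None
    name, _net, gw = max(matches, key=lambda r: r[1].prefixlen)
    return name, gw

def has_specific_route(routes, prefix):
    """True when prefix is covered by a management route other than default."""
    target = ipaddress.ip_network(prefix)
    return any(net.prefixlen > 0 and target.subnet_of(net) for _, net, _ in routes)
```

With the "before" listing, an F5 service address only hits `default`, which is exactly the case where the post observed traffic leaving via the LTM default route instead; with the "after" listing it hits F5_Service_Route.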
Lastly, this article has a lot of good info about setting up ASM and attack signatures.
https://api-u.f5.com/support/kb-articles/K8217?pdf
After we added the sys management route, we were able to perform automatic license retrievals and get our ASM signature updates. I hope this helps anyone else stumped by the same issue.
Enjoy!