FAQ¶
Application Errors¶
Q. Why do I see an error “Failed to reach the container” on the application GUI?
The application back end is running as a Docker container on ACI’s APIC server.
For legacy apps, the health-thread APIC checks the health of Gluster-FS (APIC filesystem). If it passes, it checks to ensure the app’s Docker container is able to access it’s data folder under Gluster-FS. If it is not able, it restarts the application container.
There are a few other reasons why the ACI app framework might restart an app’s backend container. In these cases, the application GUI will show the error “Failed to reach the container.”
After the container restarts, a new container runs the application’s back end. The application does a stateful restart and any data available before the restart should be available when the new container is launched. As a result, even though the application might be momentarily unavailable during the restart and show the error, it should recover gracefully.
Expected downtime:
- If an APIC cluster size changes and the APIC cluster node - Hosting Application container - reboots, you can expect up to three minutes of downtime for the application. It takes three minutes for APIC cluster to bring up a new container on the other currently available APIC nodes. The same thing happens when the APIC node undergoes Commission/Decommission.
- If all APIC cluster nodes are rebooted accidentlly at the same time, it may take up to twenty minutes for the application to be up.
Q. In the app, why do I see the error “BIG-IP session timed out. Please log in again.”? (Only applicable to v1.0)
Every BIG-IP session on the app has an operation-idle time out of 10 minutes. If you do not carry out any operations on a BIG-IP session of the application for 10 minutes, you will see the above error. This timeout check is triggered only on tab switch, or on left-hand menu item click for logged in BIG-IP devices.
Q. In the app, why do I see the error “ERROR : Request failed due to server side error” on APIC?
If App UI is accessed from 2 parallel browser tabs with certificate warnings enabled from only one of the tabs, it may generate this error: “Error: Request failed due to server side error”
Workaround: Login to APIC again
Q. For an app operation, why do I see a ConnectTimeout or Timeout error?
All F5 ACI ServiceCenter operations in-turn perform REST API calls to BIG-IP or APIC. If any of those API calls take longer than 1 minute, the app will timeout those calls and display the timeout error on the UI.
Workaround: 1. Try the operation again. 2. Ensure that BIG-IP is up and responding properly to UI login.
Q. I’m able to see only the last 100 errors/warnings in ‘View Faults’. How can I see older faults for my BIG-IP? (View Faults feature is available in versions 2.4+)
The F5 ACI ServiceCenter UI will show the last 100 errors or warnings which were observed on a particular BIG-IP. To check the older errors/warnings, please ssh to the APIC server which has the app container. The faults logs for BIG-IPs are available at location data2/logs/F5Networks_F5ACIServiceCenter/faults.
Q. What if I accidentally delete some log files from the logs folder /data2/logs/F5Networks_F5ACIServiceCenter on the APIC? New log files are not generated by the app.
In order to recreate the deleted log files, disable and re-enable the application from the APIC Apps tab. Once the app is re-enabled, the logging should work correctly.
Q. Why do I see a ‘Request timeout’ error on the F5 ACI ServiceCenter UI?
The application UI may show the ‘Request timeout’ error, if the application or APIC is receiving a lot of traffic. You can retry the same operation that displayed the error and it should be successful after one or more retries.
Q. Why do I see the error “Error from BIG-IP: X-F5-Auth-Token does not exist” when performing a BIG-IP login from FASC app?
If the version of BIG-IP has changed, and you attempt to re-login to the BIG-IP from the FASC app, you may see this error.
Workaround: Delete the BIG-IP from the FASC app UI and re-login to the BIG-IP.
Visibility¶
Q. Why do VLANs from the F5 ACI ServiceCenter application visibility table vanish if I destroy and re-create service graph template of my VIRTUAL Logical Device on Cisco APIC?
For virtual ADC logical devices, if you did the following steps
- Take snapshot
- Delete service graph template
- Revert to snapshot config
The VLAN encap values associated with logical interfaces of the LDEV change and do not remain the same. The application detects this change and shows a warning on the L2-L3 stitching LDEV info page that displays VLANs. You can click the warning to update the VLAN tag.
After a VLAN tag is updated on BIG-IP, the visibility vlan table will start showing the VLANs again.
Q. Why don’t I see all the VLANs/VIPs/Nodes from the BIG-IP in the visibility tables?
Visibility tables display only those entries from BIG-IP which have corresponding constructs on APIC. For example, a VLAN from BIG-IP will only be displayed if that VLAN also belongs to some Tenant|App Profile|EPG or Tenant|LDEV on APIC. Similarly, a node will only be displayed if it exists as an operational endpoint in one or more of the EPGs on APIC.
Q. In Visibility tables, why don’t I see Common partition entries in VLAN/VIP/Node table when I select a different partition?
The F5 ACI ServiceCenter Visibility tables have an option to select the Partition. The VLAN/VIP/Node tables will only display entries from the selected partition and will not include Common partition entries (although the BIG-IP UI does provide this feature where any partition selected will also show entries from the Common partition).
Note: This is a new behavior in FASC v2.6 and above. The previous versions do show Common partition entries along with the selected partition entries.
Visibility Dashboard¶
Q. Why is the BIG-IP Endpoint Details section on the Visibility Dashboard blank? (Applicable to v2.7+)
BIG-IP Endpoint Details section on the Visibility Dashboard may not display information due to the MAC address table getting flushed on the BIG-IP.
Workaround: Send an ARP request to the host or check the connectivity with the host using the ping command.
Q. Why is the ‘Interface’ column blank in the BIG-IP endpoint details section on the Visibility Dashboard? (Applicable to v2.7+)
The Interface column in the BIG-IP Endpoint Details section on the Visibility Dashboard will be blank for vCMP guests since the behavior of the vCMP Guest BIG-IP also is the same; i.e. no interface information for VLANs.
Q. Why are the pool members displayed on Visibility VIP table, and the pool members displayed on the Visibility VIP dashboard not the same?
The Visibility VIP table displays the pool members from a BIG-IP VIP, only if they are also present on the APIC. However, the Visibility dashboard shows all the pool members (and associated stats) that are present on the BIG-IP even if they may or may not be present on the APIC. Hence both the outputs may be different.
Q. What does the field ‘Route Domain’ on the Visibility Dashboard indicate?
It displays the default route domain for the partition to which the Virtual Server (VIP) or Node belongs.
Q. Why don’t I see the scrollbar for the ‘View Logs’ window on the Visibility Dashboard?
If you encounter this issue, use the ‘zoom out’ option on your web browser. For example, on Windows, hold the Ctrl key, and then click - (the dash/minus key).
L2-L3 stitching¶
Q. Why do I get an error for VLAN/self IP delete operation from the App?
This is a known issue for BIG-IP v 12.x. If a pool with nodes is associated with a self IP of the same subnet, BIG-IP doesn’t allow user to delete that self IP. As a result, the VLAN delete operation also fails with the error.
Workaround:
- Delete the corresponding pool member from BIG-IP.
- Perform the VLAN/self IP delete from App.
- Recreate the pool member on BIG-IP.
Q. When I try to stitch a VLAN tag, why do I see “VLAN not available for stitching”? Not able to configure the VLAN.
For a single BIG-IP device, after a VLAN tag is stitched for a particular logical device (say LDEV1), the same VLAN tag is not available for stitching again for a different Logical device (say LDEV2). This is because the VLAN tag is already present on the BIG-IP device and re-creating it for a different logical device is not allowed. In order to proceed with stitching, delete the original VLAN from the stitched LDEV, which is mentioned in this VLAN card’s info message.
Note
For a different BIG-IP login, this stitched VLAN tag will still be available for configuration.
Q. Why don’t I see the pre-existing BIG-IP VLANs and self IPs that have a different naming convention than the application?
The application does not support pre-existing VLANs that have a different naming convention than the app. It is able to detect VLANs that have been created and managed from the application only.
Although, after uninstalling and reinstalling the application, if the app database is lost, the application will be able to detect the previously created application VLANs by reading BIG-IP information and show them as Out-of-sync VLANs. The users will also be able to sync them to the application to rebuild App Database.
The application displays APIC VLAN tags for a particular Logical Device Cluster on the L2-L3 stitching page. If there is an out-of-band VLAN with different naming convention but same VLAN tag on the BIG-IP device, the application detects it and shows it in the Out-of-sync information too. But the only action available for such a VLAN or self IP will be deletion of that object from BIG-IP. It cannot sync to application, since it has a different naming convention. The application also does not detect out-of-band information for any of the other VLAN tags that are not a part of APIC VLAN list.
L4-L7 Application Services¶
Q. Why is my L4-L7 Configuration tab disabled?
For the L4-L7 configuration tab to work correctly, f5-appsvcs RPM version 3.19.1 or later is required. Installation steps are available here: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/installation.html#installation
Q. Why is there a warning about “f5-appsvcs package” installation when I log in to my BIG-IP device?
See above.
Q. Why do I see error code 503 with the message “Error: Configuration operation in progress on device <BIG-IP IP>, Please try again in 2 minutes” on the ‘Pending tasks’ table of the app?
If a BIG-IP is already processing an AS3 asynchronous task, it displays this message for any successive async operations. Once the asynchronous operation is completed, it is possible to perform the next operation like create/update/delete partition or application. Wait for a few minutes and try the configuration again.
It is also possible that you may see an error message such as ‘HTTPError’ object has no attribute ‘message’. Wait for a few minutes and try the configuration again.
Q. For all L4-L7 App Services operations, why do I see the message “BIG-IP is processing the request. Please click the ‘Pending Tasks’ icon to check the status of the pending request.”?
All the L4-L7 App Services are processed in an asynchronous manner in the background. This message is displayed for every operation done on this tab. The Pending Tasks icon shows the status of last few such pending requests and their status. Also, once any such pending task is completed on the BIG-IP, the UI reloads the data to display the latest AS3 information about partitions and applications.
For more details, see: https://clouddocs.f5.com/f5-aci-servicecenter/latest/l4-l7.html#as3-async-task-processing
Q. Why do I see warning signs against APIC Endpoints in View EPs table?
It is possible that the BIG-IP’s AS3 plugin is unable to sync the dynamic endpoints and create them as BIG-IP pool members due to various unsupported configurations, such as:
- A duplicate node with the same IP as the endpoint is already present in another partition.
- More than 60 endpoints have been added to this BIG-IP pool. AS3 currently supports only a maximum of 60 endpoints in an AS3 application pool.
- The node IP is a substring of another node IP.
Check if you have done any unsupported configurations. For details, refer to https://clouddocs.f5.com/f5-aci-servicecenter/latest/release-notes.html#dynamic-endpoint-attach-detach
Q. I deleted an application services declaration from the F5 ACI ServiceCenter application. Why do I still see partitions in the declaration?
If your AS3 declaration contains “optimisticLockKey” mentioned explicitly, the AS3 configuration may not be deleted completely, even after multiple attempts from the application UI. However, the configuration gets removed from the BIG-IP device.
Workaround: Upload one more AS3 sample declaration to the app and then perform a Delete all operation. (Use View AS3 Declaration and click Delete.)
Q. For L4-L7 App Service tab, why does the partition get deleted when I delete the last application belonging to that partition?
If there is a single application in a particular partition, and if that application is deleted through the application, the partition that has no other applications under it will be deleted from the BIG-IP device. This is standard F5 BIG-IP behavior. You will be warned about this in the delete confirmation prompt.
Q. When I create an AS3 application using the L4-L7 Application Services → Application → Basic tab, I don’t see this application listed under L4-L7 Application Services → Application → Advanced tab. How shall I view the raw JSON of this AS3 application?
The Basic and Advanced sub-tabs of ‘L4-L7 Application Services → Application’ tab list only the applications created from the respective tabs. If you wish to view details (raw JSON) of any AS3 application, please go to L4-L7 Application Services → Application Inventory tab which lists all the applications. Traverse to row with the application of interest and click on the “View Application JSON” icon in the “Action” column to view the raw JSON.
Q. When I create an AS3 application using the L4-L7 Application Services → Application → Basic tab, can I update this application via Application Services → BIG-IP tab?
The application created through the L4-L7 Application Services → Application → Basic tab should be updated through the same tab. If for some reason it needs to be updated via the BIG-IP tab; For example, if the virtual server address is to be updated from X to Y, then the same value needs to get updated from X to Y in the Constants → appsvcsFormData section of the application JSON from the BIG-IP tab. If the constants section is not updated, it will show inconsistent values when traversed back to Basic tab.
Q. While deleting Partition OR Application using L4-L7 Application Services, why do I get the error “All objects must be removed from a partition <Partition-Name> before the partition may be removed”?
This issue is observed when there are additional objects created under a BIG-IP Partition. In order to see if which objects are present in this partition: 1. Login to BIG-IP using ssh and as root user 2. cd to “/partitions/<Partition-Name>/” and check the contents of the file “bigip.conf” 3. This file should shows the details of the objects that you need to remove to be able to successfully delete the partition from BIG-IP
Dynamic Endpoint Attach Detach¶
Q. When new dynamic endpoints get added on APIC, the nodes aren’t getting updated on BIG-IP devices.
There is a websocket connection between the F5 ACI ServiceCenter and APIC to listen to new endpoint creation/deletion. If there is an issue with the websocket or the endpoint notification subscriptions, those errors will get logged in the log files on APIC. So please check the files for more details about end point attach detach.
User may observe the error “Unrecoverable error occurred while creating APIC websocket….” on UI or in websocket error log file: /data2/logs/F5Networks_F5ACIServiceCenter/f5_apic_websocket.log
OR
User may observe the error: “Failed to get a new subscription. Subscription Refresh Thread stopped for APIC for…” on UI or in subscription errors log file: data2/logs/F5Networks_F5ACIServiceCenter/f5_apic_subscription.log
Workaround: For any of the above errors in log files: please disable and re-enable the F5 ACI ServiceCenter application to fix the dynamic endpoint attach detach functionality. This will not affect the state of the F5 ACI ServiceCenter and all the data and configuration will still be intact after the disable and re-enable steps.
Other¶
Q. How can I change the management port of a BIG-IP device which is already added in the F5 ACI ServiceCenter?
Click the delete (X) icon next to the BIG-IP to delete it. Re-add the BIG-IP to F5 ACI ServiceCenter with the changed port (For example, from the default 443 to 8443). The BIG-IP data will still be retained after the delete and re-add.
Q. F5 ACI SeviceCenter is taking longer time to respond or has hanged.
If F5 ACI ServiceCenter UI is taking more than 3 minutes to display response, then check f5.log file, which may display a warning: “Acquiring a bigipdict RWlock has taken more than 180 seconds. Executing reader_release() to unlock the lock”. Once this warning is observed, F5 ACI ServiceCenter will resume the stuck operation become responsive again.
Q. F5 ACI ServiceCenter throws ‘Database is locked’ error.
If F5 ACI ServiceCenter throws database is locked error, then retry the operation that caused this error and the operation should proceed without errors.
Q. What is the best way to delete LDEV from APIC?
Do not delete Logical devices from APIC directly. Instead, as a first step, delete self IPs, VLANs and routes from the BIG-IP device by using the application. When you are done, you can delete the Logical Device from APIC. This ensures there are no stale self IP, VLAN, and route entries on BIG
Q. What browsers are supported?
The app has been tested with IE11, Mozilla FireFox 56 and Google Chrome v72.
Q. What scale numbers were tested with the app?
| Particulars | Scale |
|---|---|
| Number of BIG-IPs | 60 |
| Per BIG-IP paritions | 100 |
| Per BIG-IP Virtual IPs | 100 |
| APIC logical devices | 60 |
| Per BIG-IP nodes members | 4 |
| Concurrent app operations | 4 BIG-IPs |
Q. What is the Compatibility Matrix for the various features supported by F5 ACI ServiceCenter?
Note:
- APIC minimum version supported for 3.2.x: 3.2(7f)
- APIC minimum version supported for 4.1.x: 4.1(1k)
- APIC minimum version supported for 5.0.x: 5.0(1k)
Note: To enable the L4-L7 App services tab, you must be using AS3 version 3.19.1 or higher.
Note: To enable the Telemetry Statistics, you must be using Telemetry plugin version 1.17.0 or higher.
| BIG-IP Type | Visibility | L2-L3 Network Management | L4-L7 App Services | Dynamic Endpoint Attach Detach | |
|---|---|---|---|---|---|
| Physical/VE Standalone | Yes | Yes | Yes | Yes (BIG-IP v13.0 and above) | |
| Physical/VE High Availability | Yes | Yes | Yes | No | |
| vCMP Host Standalone | VLAN table only | VLAN only | No | No | |
| vCMP Host High Availability | No | No | No | No | |
| vCMP Guest Standalone | Yes | Self IP/Default Gateway only | Yes | Yes (BIG-IP v13.0 and above) | |
| vCMP Guest High Availability | Yes | Self IP/Default Gateway only | Yes | No | |