Service Mapping F5 load balancer issue

nashv
Kilo Contributor

Horizontal discovery is working fine. But when I run the Service Mapping discovery by providing the management IP, it gives the following error:

Permission issues: SSH authentication failed. Verify that credentials have been correctly define for host 1X.XXX.XXX.XX. SSH authentication failed on host 1X.XXX.XXX.XXX. Failed to initialize SSH connection to host. Verify that the host can be access through SSH.

Why do we need SSH credentials for load balancers?

Why is it not able to discover even though SNMP port 161 is open?

9 REPLIES

bernyalvarado
Mega Sage

Hi Nash,

ServiceMapping requires SSH access to F5s only these have iRules.

Thanks,

Berny


bernyalvarado
Mega Sage

Here goes what the documentation states regarding the access required for F5:



CI: BIG-IP Local Traffic Manager (LTM) F5 (on F5 BIG-IP) and BIG-IP Global Traffic Manager (GTM) F5

Rights and permissions: Provide a user with either Administrator or Resource Administrator user role necessary to run:
  • bigpipe commands (for BIG-IP LTM F5 or BIG-IP GTM F5 version 9)
  • bigpipe and tmsh commands (for BIG-IP LTM F5 or BIG-IP GTM F5 version 10)
  • Traffic Management Shell (TMSH) commands (for BIG-IP LTM F5 or BIG-IP GTM F5 version 11)
  • Traffic Management Shell (TMSH) advanced commands (for BIG-IP LTM F5 or BIG-IP GTM F5 version 10, 11, and 12)


source: Rights and permissions required for Service Mapping



Thanks,

Berny


bernyalvarado
Mega Sage

Hi nashv, do you have any further questions?

Would you mind marking the responses as helpful/correct so that we can close this thread?

Thanks,

Berny


Marlos
ServiceNow Employee

Hi Nash, SSH is required to run tmsh scripts. The MID server uses SNMP and SSH credentials to gather information from the F5 devices. In the F5 LTM/GTM you have the web interface account and the OS account (admin and root by default, respectively); the SSH credential is for the OS account (F5 custom OS version). In this case, if the customer wants to restrict the OS account, they can either create a sudo account or use external credential storage. In the BIG-IP screen below you see the SSH credential we need in the MID Server credential:



[Image: Screen Shot 2017-08-28 at 5.18.34 PM.png]



There is some extra flexibility, which I listed below, if you want to restrict SSH credentials:



Below is the F5 doc explaining how to create a sudo account:



https://support.f5.com/csp/article/K519



Below is the external credential storage guide:



https://docs.servicenow.com/bundle/istanbul-it-operations-management/page/product/discovery/concept/...



Finally, one other option is to use the F5 REST API (iControl, if I'm right), but that would require you to configure new sensors and probes.