big-ip

Connection refused trying to access REST endpoint on BigIP


Attempting to connect to the REST endpoint of my BigIP:

curl https://10.1.0.69/mgmt/shared/appsvcs/info
curl: (7) Failed to connect to 10.1.0.69 port 443: Connection refused 

I've seen some posts online stating that this could be due to icrd not being enabled, so to check the status:

admin@(ip-10-1-0-69)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys service icrd
Couldn't find service: icrd

Next, I've tried enabling:

admin@(ip-10-1-0-69)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys service icrd add
Couldn't find service: icrd

My version info:

admin@(ip-10-1-0-69)(cfg-sync Standalone)(Active)(/Common)(tmos)# show /sys version

Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.2
  Build       0.0.9
  Edition     Point Release 2
  Date        Fri Mar 20 21:06:24 PDT 2020

I've also seen some posts stating that I can do the following:

touch /etc/bigstart/scripts/scim
bigstart add --default icrd
bigstart enable icrd
bigstart start icrd

However,

admin@(ip-10-1-0-69)(cfg-sync Standalone)(Active)(/Common)(tmos)# run /util bash
[admin@ip-10-1-0-69:Active:Standalone] ~ # touch /etc/bigstart/scripts/scim
[admin@ip-10-1-0-69:Active:Standalone] ~ # bigstart add --default icrd
Couldn't find service: icrd

Also:

[admin@ip-10-1-0-69:Active:Standalone] ~ # bigstart status restjavad restnoded
restjavad    run (pid 6549) 49 minutes
restnoded    run (pid 5650) 49 minutes

Also, it appears the REST API is running, but on port 8100:

[admin@ip-10-1-0-69:Active:Standalone] ~ # curl http://localhost:8100/mgmt/shared/appsvcs/info
{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/appsvcs/info Referrer:Unknown Sender:Unknown","referer":"Unknown","restOperationId":6611305,"kind":":resterrorresponse"}

No ports are bound to 443:

[admin@ip-10-1-0-69:Active:Standalone] ~ # netstat -nalt | grep 443
tcp        0      0 127.0.0.1:44352         127.0.0.1:6666          ESTABLISHED
tcp        0      0 127.0.0.1:6666          127.0.0.1:44352         ESTABLISHED
tcp6       0      0 :::8443                 :::*                    LISTEN

Any ideas?


Solution

  • You don't need to manually start the REST interface (icrd) anymore; that was an artifact from pre-11.x versions.

    Single-NIC installs move the management port to 8443 to keep 443 available for public use on virtual IPs. Firewall ACLs then keep 8443 to mgmt nets. This changes with multi-NIC deployments.

    For your needs, you can grab a token for use with the API with:

    {
    "username": "remote_auth_user",
    "password": "remote_auth_password",
    "loginProviderName": "tmos"
    }
    
    • at URL: https://:8100/shared/authn/login (for remote API calls where mgmt is hidden)
    • or URL: https://:8443/shared/authn/login

    (I'll reverify this just for my sanity)

    Once you get the token, store it and you're off to the races for that session.

    For the first URL you were trying to access (.../shared/appsvcs/....), do you have AS3 installed on BIG-IP? If it's not installed, that URL isn't available.

    Here's the AS3 overview and install instructions just in case: F5 Application Services Extension 3 Documentation

    It's different from the standard module-based iControlREST for BIG-IP.

    If you're still having issues, lemme know and I'll update this answer.
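
The token flow described in the answer, as an added example that is not part of the original post or F5's own code. The `/mgmt` prefix on the login path, the `X-F5-Auth-Token` header and the shape of the login response are assumptions taken from standard iControl REST usage; the sample response is constructed.

```python
import json
import ssl
import urllib.request

MGMT_PORT = 8443                         # single-NIC management port named in the answer
LOGIN_PATH = "/mgmt/shared/authn/login"  # assumption: /mgmt prefix, as in the question's URL
TOKEN_HEADER = "X-F5-Auth-Token"         # assumption: iControl REST token header


def build_login_request(host, username, password, provider="tmos", port=MGMT_PORT):
    """POST the JSON body from the answer to the login endpoint."""
    body = json.dumps({"username": username, "password": password,
                       "loginProviderName": provider}).encode()
    return urllib.request.Request(
        f"https://{host}:{port}{LOGIN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def extract_token(response_body):
    """Return the session token, or raise with the server's error message."""
    doc = json.loads(response_body)
    if "code" in doc and "message" in doc:   # e.g. the 401 body shown in the question
        raise PermissionError(f"{doc['code']}: {doc['message']}")
    token = (doc.get("token") or {}).get("token")
    if not token:
        raise ValueError("login response carried no token")
    return token


def build_api_request(host, token, path, port=MGMT_PORT):
    """GET an API path with the token in a header, never in the URL."""
    return urllib.request.Request(f"https://{host}:{port}{path}",
                                  headers={TOKEN_HEADER: token}, method="GET")


def send(request, cafile=None):
    """Send with certificate verification on; pass the device CA via cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=10) as resp:
        return resp.read()


# Constructed sample login response (shape assumed, token value made up).
SAMPLE_LOGIN_RESPONSE = json.dumps(
    {"username": "remote_auth_user", "loginProviderName": "tmos",
     "token": {"token": "EXAMPLETOKEN0000", "timeout": 1200}})
```

On a live device, `extract_token(send(build_login_request(...), cafile=...))` yields the token to hand to `build_api_request`; supplying the management certificate's CA through `cafile` keeps verification on instead of disabling it.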