4
votes
Accepted
SSL offloading apache BigIP
As far as I know roughly three approaches are possible.
Don't do any URL remapping at the level of Apache, place all such logic on the F5. The F5 is aware of the original protocol and will generate ...
4
votes
Accepted
Pulling HTTP codes from a F5 Load Balancer
If you don't have the fastHTTP profile applied you won't see stats on that oid. Normal HTTP profiles use these oids:
[root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-SYSTEM-MIB::...
4
votes
Accepted
How to tune TCP for high-frequency connections between two nodes
In our data center we have an F5 running on BigIP hardware that acts as single ingress point for HTTPS requests from client machines in our various office locations across the country.
If this single ...
3
votes
How to tune TCP for high-frequency connections between two nodes
Although I also think adding more IP addresses is the simplest way forward, have you considered exploring reusing TCP connections between the F5 and the Traefik nodes instead of creating a new one per ...
3
votes
How to prevent a user access to a website using server.domain.com but allowing thru the vip.domain.com?
This is simple to do with an iRule:
when HTTP_REQUEST {
if { [HTTP::host] equals "servername.domain.com" } {
# send a TCP reset
reject
# alternatively, redirect somewhere else
# ...
2
votes
Accepted
How to prevent a user access to a website using server.domain.com but allowing thru the vip.domain.com?
The simplest way is to set up a firewall that will block the port 9000 from any host other than the loadbalancer IP (provided it's not dynamic)
simple rules :
iptables -A INPUT -p tcp --dport 9000 -...
2
votes
F5 bigip network access application failed to run on Linux Mint 19 (Ubuntu 18.04 LTS based) distro
It's a bug in QT and openssl -
https://bugreports.qt.io/browse/QTBUG-68156
The workaround for last error -
Gtk-Message: 13:18:49.885: Failed to load module "appmenu-gtk-module"
fixed by running ...
2
votes
SSL offloading apache BigIP
Since you are offloading SSL, it's often easier to "offload" the fix in the redirects, as @HBruijn said you can use an iRule, but you can also simply use the "Redirect Rewrite" option on the HTTP ...
2
votes
Is it possible to set a scheduled tasks to run both directly before and directly after a windows update?
Good Question!
How do you plan to patch the IIS Servers? What tool do you use? WSUS? SCCM? BigFix? Altiris? or any other?
The WAY of SCOM - It's possible to trigger a script on a specific event ID.
...
2
votes
Accepted
What happens to IIS when I reboot my server?
IIS does not "gracefully" close connections during a scheduled shutdown. User sessions will be reset and if you're not managing the BIG-IP, sessions will still be sent to the downed server node until ...
2
votes
Why do redirects from my subdomain end up on my primary domain?
When using both an F5 and apache mod_rewrite and/or mod_proxy, where should subdomain handling, redirection, and/or SSL configurations be managed?
As long as you decide to do so in one single ...
2
votes
How to tune TCP for high-frequency connections between two nodes
Turns out there was a very simple solution to this problem after all, which we figured out after working with the Traefik vendor for a while. Turns out also that the fact that we are running Traefik ...
2
votes
Creating an F5 Pool And Assign Multiple Health Monitors To It
If you want to attach multiple monitors to the pool you are creating, you need to put them in parentheses:
create ltm pool p1 members add { 10.1.1.1:80 10.1.1.2:80 } monitor "http https"
or, if you ...
2
votes
Accepted
How to solve "Bad Certificate" error on kubernetes pod?
I found the issue.
It appears that within the deployment YAML file it was possible to set a --insecure=true flag.
This forced the device to not check the certificate, and successfully connect to the ...
2
votes
Does F5 HTTP/2 profile need tuning?
So, should we tune this value up from 10 to say 100?
I would definitely set it to 100+ as performance-wise this is a much better value to make the most of HTTP/2 parallelism.
What effects will that ...
2
votes
Accepted
F5 BIG-IP workaround to CVE-2020-5902 vulnerability
F5 seems to be digging themselves deeper and deeper with this issue. Their initial workaround didn't actually fix the issue. I get it, it happens. Then it turns out their second workaround didn't fix ...
1
vote
How to solve "Bad Certificate" error on kubernetes pod?
Modify the certificate, and add an IP address as a SAN in addition to your DNS name SANs.
See screenshot attached.
1
vote
Migrate ESXi vm to qcow2 with settings preserved?
The BIG-IP license will "become" invalid because the software detected a hardware signature change and it no longer matches its initial dossier state when it was created (system hash for a deployed ...
1
vote
Migrate ESXi vm to qcow2 with settings preserved?
Am I doing something wrong like exporting or converting the wrong
file?
You're literally only converting the virtual disk file, not the VM description file - for a VMware VM that data is in a .vmk ...
1
vote
Accepted
SSL Renegotiation trigger - F5 iRule
There isn't a specific event for renegotiate that I can see in the docs... However have you tried logging any CLIENT_HANDSHAKE or SERVER_HANDSHAKE events?
It's not specifically mentioned that ...
1
vote
Can we have multiple SNAT pools configured under a single VIP?
This is pretty straightforward with an iRule:
when LB_SELECTED {
if { [IP::addr [LB::server addr] equals 10.0.0.0/24] } {
snatpool snat-1
} elseif { [IP::addr [LB::server addr] equals 10.0.0....
1
vote
How to assign multiple pools to single virtual server [VIP] in F5
Dexirian is correct above - but I think this more correctly answers based on your need for multiple pools due to multiple clients:
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri]] {
...
1
vote
How can I report on hosts that are using TLS 1.1 or older?
You can set an iRule that will log connections to a remote log server. That will require a syslog server and a pool that contains it. You can log all TLS types to know which hosts are ok and which require ...
1
vote
How to automate F5 saas_idp template on BigIP from Ansible
I found out where was the trap to avoid - Ansible replaced yes value by True python boolean object before submitting variable - so discarding expected string:
variables:
- name: ...
1
vote
Can't connect to Internet while F5 VPN is connected
Building on HBruijn's comment:
There are a few reasons this would not work:
Split Tunneling is not allowed and the VPN routes are preventing web browsing while on a full VPN tunnel (or policy is ...
1
vote
Accepted
How Call routed in F5 Box from => Client - Virtual Server - Pool - Pool Member and back to client
There are many options available, depending on your architecture and your traffic needs. There are layer 2 modes available, but I'll focus here on layer 3.
Routed. In routed mode, you have routes for ...
1
vote
Accepted
F5 LTM The time between a node going down and a health check failing
Your health checks should be configured to be 3n+1, n being your polling interval. Say you have an interval of 5 seconds, so the timeout is 16 seconds. So you have the potential for upwards of 16 ...
1
vote
Pulling HTTP codes from a F5 Load Balancer
In order for the F5 to start gathering metrics in regards to HTTP response codes I had to provision the AVR module on the F5. Then I just need to simply apply the default HTTP profile to my pool of ...
1
vote
Accepted
What happens to existing virtual server connections when I update an iRule?
Your assumption is correct, when you save the iRule, existing connections will continue to use the old version, while new connections will use the update.
https://support.f5.com/csp/article/K13253
1
vote
Why Ping Latencies in VE LTM so high on F5 Networks LTM?
My experience says that you'd be better off running F5 VE under VMware Player/Workstation/ESX. I'm running a VE under VMware ESX and even from a remote location connected by 600M I'm getting <1ms ...