ARP issues between Nexus 7K and F5 LTM
Hi Team, We have faced a weird issue in our environment. Issue: load balancer-1 failed over to load balancer-2, whereas all the production traffic flow did not fail over properly to load balancer-2 for around 25 minutes. After 25 minutes, load balancer-2 started getting production traffic to the VIPs. Has anyone experienced a similar ARP issue between F5 LTM and Nexus 7K at the time of failover? Is there any workaround for this issue, meaning any configuration change on the LTM at the time of the issue? Is there any configuration change on the LTM which would help to trigger a GARP request two or three times to the upstream N7K? Regards, Thiyagu

Microservices priority, Blocked Request (Redirect URL)
Hi, please, I have two little questions about microservices (BIG-IP / WAF / ASM), for example:

Policy: WAF-TEST.xyz
Contains microservices (both transparent mode):
*.test.xyz/*
*.dev.test.xyz/*

1.Q: When I have defined a separate microservice: dev.test.xyz, will it work? Or will it take the settings from microservice: test.xyz?

2.Q: Currently I would like to turn on blocking on dev and set the redirect URL (blocking responses), but I can't find that there is a different blocking page for different microservices. Is it even possible? e.g.
https://www.test.xyz/block_pg.php?support_id=<%TS.request.ID()%>
https://www.dev.test.xyz/block_pg.php?support_id=<%TS.request.ID()%>

Thank you very much for any advice!

F5 BIG-IP password is hashed during Form based Client Initiated SSO
Hi, I'm having trouble setting up a seemingly simple SSO configuration for a portal. I have an initial logon page with AD authentication and an SSO credential mapping block to expose the user credentials in the session variables session.sso.token.last.username and session.sso.token.last.password. The problem is that when the password is injected into the app's login page, it is hashed (example: $CK$$XVGtyxu5Eni4DyNzJlVz1+UK/7NIy+00). I've also tried enabling the "secure" option in the form's configuration, but when it is enabled, the only password the app receives is "f5-sso-token". I will attach a screenshot below with the APM configuration. Thanks in advance.

Packet based load balancing instead of connection based (default)
Hi everyone, I have a requirement to load balance ISO 8583 echo messages across two servers in a pool. I used a Performance (Layer 4) virtual server to attempt achieving this because I reckon that is the type of virtual server that could fulfill the requirements of load balancing all the requests across the 2 servers in the pool. However, requests are only being sent to one pool member. I also tried to craft an iRule (see below) to do this; still, requests are only sent to one pool member.

    when CLIENT_ACCEPTED {
        log local0. "ACCEPTED !!"
        TCP::collect
    }
    when CLIENT_DATA {
        log local0. "DATA !!"
        # Get the message length in hexadecimal; the length
        # info is in the first 2 bytes
        binary scan [TCP::payload] H4 len
        log local0. $len
        # Convert len to decimal
        scan $len %x len
        log local0. $len
        # Total message length is length + 2
        set len [expr { $len + 2 }]
        if {[TCP::payload length] < $len} {
            TCP::collect [expr {$len - [TCP::payload length]}]
            return
        }
        TCP::release $len
        TCP::notify request
        TCP::collect
    }
    when LB_SELECTED {
        log local0. [LB::server]
    }
    when SERVER_CONNECTED {
        log local0. "Server Connected !!"
        TCP::collect
    }
    when SERVER_DATA {
        log local0. "response: [TCP::payload]"
        TCP::release
        TCP::notify response
        TCP::collect
    }

Has anyone done packet-based load balancing before? Any ideas?

Different Routes for Different Subnets on the same partition
Hi Guys, When someone set up our F5 they created multiple partitions for different segments. We are trying to reconfigure the F5 to have everything running from the common partition. We currently have our public Wi-Fi authentication happening via the F5 on a subnet REDACTED. That is working fine because we have a route with REDACTED to the correct gateway. I also want to create a VS with the subnet REDACTED. Now we have the self IPs in place, and the VLANs are in the same route domain (0). The issue I am facing is I can get to the back end of the VS; however, if I remove the default route for the public Wi-Fi and add the gateway for the REDACTED network, I can then access that but not the public Wi-Fi. Can anyone help or provide a suggestion as to how I can get both subnets working on the same partition?

Need to Re-ip the VIPs, Self-ips and mgmt IPs
Hi Experts, I have the following requirement:

I have to re-IP some VIPs which are currently on the 4.x.x.x/24 network to 10.x.x.x/24. Can I reconfigure the old VIPs with new IPs?

I have self IPs (static and floating) in the External and Internal VLANs, which also need to be re-IPed to the 10.x.x.x/24 segment. Can I change the IPs, or do I need to create new self IPs for the external and internal VLANs?

I have a default route on my LTMs pointing to the L3 switch:

    list /net route all-properties
    net route /Common/Gateway {
        description none
        gw 4.x.x.1
        mtu 0
        network default
        partition Common
    }

Do I need to delete this default route and create a new route which will be an L3 SVI in 10.x.x.1? Can I keep the old default route and create a new one for 10.x.x.1; will that work? Can I use a forwarding VIP? Also, if I remove the old self IPs and the old default G/W, will it create any outage?

I am planning to do the configuration changes on the Standby device first and then make it Active, and once tested successfully, I will sync the devices. Kindly assist. It will be a great help and much appreciated!

Observed mode
By searching for observed mode we can see the definition "Observed load balancing is ratio load balancing where the ratios are dynamically assigned by the F5 every second based on connection counts." Wondering if I can see which is the current ratio assigned for the nodes by the Observed mode. The ratio I can see inside the pool is the default and all nodes show the value of 1, in my scenario. Does anyone know a command to show the actual ratio assigned to nodes inside a pool with observed mode?

Problem with big packets using http2
Hi workmates, an application that passes through my F5 BIG-IP requires, for large POST requests, increasing the maximum header size from the default of 32k to 65k, and everything works perfectly, but only if I use http1.1. If I also enable the http2 profile, the packets are dropped by the F5. Do you know if it is possible to use packets bigger than 32k using http2? My F5 version is BIG-IP 15.1.6

Two security policies for one virtual server
Hello, Many applications are served by a virtual server. Every application except one has UTF-8 as its character set; the other one serves data in ISO-8859-1. They are all protected by the same security policy defined in UTF-8. The ISO application is sometimes blocked by the BIG-IP ASM because of its ISO encoding. I created a second security policy in ISO that would be unique to the ISO application and associated with its hostname. The hostnames for the applications in UTF-8 are associated to the UTF-8 applications. When I try to add the new security policy in section Local Traffic >> Virtual Server List, I get an error message:

010716fd:3: Virtual Server '/Common/iso.abc.com-https-vs' cannot contain policies with conflicting controls.

How can I add the new ISO security policy to the virtual server? Thank you, Ghislain Pelletier