Automatic Licensing via Proxy
Hi all. Is this actually possible?
I'm trying to license automatically (via API) and despite setting this;
tmsh modify sys db proxy.host value hostname 'host_name'
tmsh modify sys db proxy.port value port_number 8080
and doing this in bash;
export http_proxy=/">/
export https_proxy=/">/
I'm not getting anywhere. Initially DNS lookup was failing (shouldn't be used via a proxy, right?). To fix that I did this;
modify sys global-settings remote-host add { activate.f5.com { addr 208.85.210.4 hostname activate.f5.com } }
I now don't see errors of any kind in /var/log/ltm but a tcpdump filtering on the proxy and 208.85.210.4 address doesn't produce any output.
Am I missing something?
- What_Lies_Bene1Cirrostratus
DC mangled the bash proxy settings bit, just ignore anything after the :8080 on each line.
- What_Lies_Bene1Cirrostratus
Doesn't work with the proxy.host and .port values reset to defaults either. Doesn't work whether I make the API call on the box or remotely. Fails immediately.
- Mahmoud_Eldeeb_Cirrostratus
It doesn't work.
- philh_127905Nimbostratus
I had this issue back in Nov 2013. It seemed that it was at the server side. If you make a request through a proxy you get a 400 Invalid URI response. If you don't use a proxy, you get a 200 OK.
Looks like it's still the same.
A proxy style HTTP request:
openssl s_client -connect activate.f5.com:443
...certs etc...
---
HEAD https://activate.f5.com/license/services/urn:com.f5.license.v5b.ActivationService HTTP/1.1
SOAPAction: ""
Host: activate.f5.com
Connection: close

HTTP/1.1 400 Invalid URI
Date: Tue, 30 Dec 2014 11:42:54 GMT
Connection: close
...
A non-proxy style HTTP request:
openssl s_client -connect activate.f5.com:443
...certs etc...
---
HEAD /license/services/urn:com.f5.license.v5b.ActivationService HTTP/1.1
SOAPAction: ""
Host: activate.f5.com
Connection: close

HTTP/1.1 200 OK
Date: Tue, 30 Dec 2014 11:43:48 GMT
Content-Length: 179
Content-Type: text/html; charset=UTF-8
...
I just used HEAD because it's easier to manually debug it that way.
One for F5 I guess. I'll try and open another support ticket. You may be able to get around it if you can use transparent proxies, but it really does need fixing at the server side.
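The comparison from the post above as a repeatable script. This is an added example, not code from the thread: it sends the same HEAD request in origin-form and in absolute-form (proxy style) straight to the server over TLS and reports each status line. The function names are made up for the example; the host and path are the ones quoted in the post.

```python
import socket
import ssl

# Host and path are the ones quoted in the post above.
HOST = "activate.f5.com"
PATH = "/license/services/urn:com.f5.license.v5b.ActivationService"


def build_head(host, path, proxy_style):
    """HEAD request with an absolute-form (proxy style) or origin-form target."""
    target = f"https://{host}{path}" if proxy_style else path
    lines = [f"HEAD {target} HTTP/1.1", 'SOAPAction: ""',
             f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_status(raw):
    """Return (code, reason) from the status line of a raw HTTP response."""
    first = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    version, _, rest = first.partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    code, _, reason = rest.partition(" ")
    return int(code), reason


def exchange(sock, request):
    """Send one request on a connected socket, read to EOF, return the status."""
    sock.sendall(request)
    chunks = []
    while data := sock.recv(4096):
        chunks.append(data)
    return parse_status(b"".join(chunks))


def probe(host, path, proxy_style, port=443, timeout=10):
    """Connect straight to the server over TLS (no proxy involved) and probe it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return exchange(tls, build_head(host, path, proxy_style))


if __name__ == "__main__":
    for label, proxy_style in (("origin-form", False), ("absolute-form", True)):
        code, reason = probe(HOST, PATH, proxy_style)
        print(f"{label:13} -> {code} {reason}")
```

If the two status lines differ when no proxy is in the path, the difference comes from how the server handles the request target, not from the proxy or the BIG-IP.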
- What_Lies_Bene1Cirrostratus
Thanks. I have asked an SE but I don't have high hopes.
Your licensing traffic may be trying to egress via the management interface, especially if you're not seeing traffic to the proxy via tcpdump. You may need to add a static route on the management interface. I had to do this for my F5s to reach my NTP servers via the management interface.
- What_Lies_Bene1Cirrostratus
Thanks for the suggestion but it was supposed to be going via the mgmt interface. :-)
- philh_127905Nimbostratus
It happens from any box, not just a BIG-IP. You don't even need a proxy, just the proxy style request is enough to trigger it. Also, we know the traffic's getting there because we get a response from the server.
- Shep_52546Historic F5 Account
Hi, I did some checking. On SOL15000 it states for activate.f5.com "The BIG-IP system does not support the use of HTTP Proxy servers when configuring automatic updates." It looks like the db key for host.* is used for the IP Reputation subscription service. On further investigation this has been raised as an RFE (Request For Enhancement) and assigned to ID502197.
- What_Lies_Bene1Cirrostratus
Thanks!
- philh_127905Nimbostratus
That's great news, thanks.