For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Sep 16, 2014

How to increase connection timeout for a specific source ip address or range

We have a CAS server that makes an ldaps connection to our Active directory Ldap server via an F5 VIP. The particular application that is utilizing the CAS server requires the initial ldap connection (per application user) to stay open throughout the user session. The default timeout is closing the ldaps session after 300 seconds. I know I can increase the default, but how can I increase the default for just one or a range of ip address'?

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security

9 Replies

  • Danny_Arroyo's avatar
    Danny_Arroyo
    Icon for Cirrus rankCirrus
    Sep 16, 2014

    I forgot to mention we are running BigIP 2000 Series on version 11.4.1 in an HA pair.

     

    • Danny_Arroyo's avatar
      Danny_Arroyo
      Icon for Cirrus rankCirrus
      Sep 17, 2014
      This is interesting. So the F5 won't allow traffic originating from the specified source address/range in the additional virtual server to go through the original virtual server?
    • shaggy's avatar
      shaggy
      Icon for Nimbostratus rankNimbostratus
      Sep 17, 2014
      Correct, there is an order of precedence for virtual server matching, so a packet will be processed by the F5 listener that most closely matches the incoming packet based on F5's order of precedence for VS matching. Source addresses came into play in 11.3.
    • Danny_Arroyo's avatar
      Danny_Arroyo
      Icon for Cirrus rankCirrus
      Sep 17, 2014
      This is interesting. So the F5 won't allow traffic originating from the specified source address/range in the additional virtual server to go through the original virtual server?
    • shaggy_121467's avatar
      shaggy_121467
      Icon for Cumulonimbus rankCumulonimbus
      Sep 17, 2014
      Correct, there is an order of precedence for virtual server matching, so a packet will be processed by the F5 listener that most closely matches the incoming packet based on F5's order of precedence for VS matching. Source addresses came into play in 11.3.
  • Danny_Arroyo's avatar
    Danny_Arroyo
    Icon for Cirrus rankCirrus
    Sep 29, 2014

    I tried both methods and chose the irule method because it did not require an additional VIP/Profile to be created. However both methods provided the desired result.

     

    Thanks for your help guys.