Technical Forum topics

F5 gtm last resort pool DNS Record problem

GrazianoSommariva — Wed, 27 May 2026 09:47:30 GMT

Hello,

Big Ip v 17.1.X

I've found that when there is a GTM last Resort DNS Respone, and the DNS clients asks to a Microsoft DNS Server, Microsoft DNS server gives a NXDOMAIN response ( once every 3 ) .

If the DNS Client always asks directly to F5 DNS there is no problem.

I'm trying to figure out why.

Graziano

BIG-IQ CM Logs Not Receiving

Niranjan_biswas — Sat, 23 May 2026 06:43:27 GMT

Once the disk space has been released, you need to rectify the condition below by running the provided command

# for idx in $(curl -ks -u admin:admin https://localhost:9200/_cat/indices | awk '{print $3}'); do if [ $idx != ".opendistro_security" ]; then curl -k -u admin:admin -X PUT "https://localhost:9200/$(echo $(echo $idx | cut -d\+ -f1)*)/_settings?pretty" -H 'Content-Type: application/json' -d'{"index.blocks.read_only_allow_delete": false}'; fi; done

Dynamic import of data groups

Guillaume_Rouss — Fri, 22 May 2026 11:24:40 GMT

Hello.

We use data groups for various kind of black lists, such as undesirable user agents, for instance. That's really efficient, but requires a BigIP administrator intervention for any update. We'd like to switch authoritative origin for those lists to an external location, such as an internal git repository, in order to allow trusted people without access to the administration interface to update those lists in auditable manner, as we do for instance with our firewalls using "dynamic list" feature.

There seems to be no such native fonctionality in BigIPs, as even "external" dynamic lists actually relies on files hosted on local filesystem, not to arbitrary URLs. We could probably use a cron task to implement a pull-based update mechanism, or use the API to periodically push changes, but I'm not sure of the reliability of such ad-hoc mechanism, and the potential consequences in case of failure.

Is there any alternative for such kind of configuration delegation ?

Regards,

Guillaume

Trial License for F5 virtual edition in eve-ng

AP84 — Fri, 22 May 2026 09:36:02 GMT

Does anyone know the process around how to get trial license for F5 virtual edition in eve-ng? Thanks

certitcate error

Najm — Thu, 21 May 2026 17:07:46 GMT

we have issue when enable new certitcate this error it observed

ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (OUT), TLS alert, Server hello (2):

* SSL certificate problem: unable to get local issuer certificate

* Closing connection 0

curl: (60) SSL certificate problem: unable to get local issuer certificate

More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"

of Certificate Authority (CA) public keys (CA certs). If the default

bundle file isn't adequate, you can specify an alternate file

using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in

the bundle, the certificate verification probably failed due to a

problem with the certificate (it might be expired, or the name might

not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use

the -k (or --insecure) option.

[M.Najm@BIGIP01:Active:In Sync

about create wide ip,

nvhoanhai — Thu, 21 May 2026 07:54:12 GMT

i create generic host (Firewall) server and virtual server for wide ip,
i use health monitor is gateway_icmp but server and virtual server It keeps flapping between up and down, and the status is unstable.
i was cli device F5 ping test to device generic host ok, its ok, its dont have lost or packet loss
can you help me check issue

APM URL encoding Hardening?

Ted-Nordvall — Thu, 21 May 2026 07:44:48 GMT

Some companies still use on-prem Sharepoint.. and Sharepoint is what it is.
We have had multiple servers deployed for quite some while now with ASM tuned for its quirks and so on.

However - after upgrading to version 17.5.1.6 from 17.5.1.5 we noticed some rather strange behaviors.

Like the edit modal button stopped working on certain sites, the upload button stopped working amongst some of the stuff. After some testing and stripping of functions we noticed that it started working when removing the APM policy. So the cogs started turning, what could be the issue with APM?
Finally figured out that the links which did not work where not encoded, and the links which worked were.

So after some tweaking I got to building a simple http request rewrite iRule for simply encoding the stuff before sending to server.

But I do have some qualms about it - Are there any security risks according to you dear people that I might introduce by deploying this externally? Would you have solved it in any other way?

basically it's this:

when HTTP_REQUEST {
# Re-encode characters that are illegal in URIs per RFC 3986 §2.2 / §3.4
set orig_uri [HTTP::uri]
    set new_uri [string map {
        "\{" "%7B"
        "\}" "%7D"
        "|" "%7C"
        "\\" "%5C"
        "^" "%5E"
        "`" "%60"
        " " "%20"
    } $orig_uri]

    if { $new_uri ne $orig_uri } {
        HTTP::uri $new_uri
}
}

Layered ASM for APM login page protection

Zeeshan_Mohsin — Thu, 21 May 2026 00:30:45 GMT

Has anyone successfully implemented

https://my.f5.com/manage/s/article/K000149701

Full VPN clinets stop working after this implementation.

I can see below errors

Client machines interface IPs are not falling under a private subnet or exception subnet ranges provided by the APM server

The connected network is vulnerable of tunnel crack as LocalIP falls under the public IPs

How to send statistics for a specific pool by email

User100000 — Wed, 20 May 2026 22:53:45 GMT

Hello,

We need to send this specific view, as shown below, by email every two hours

We need have the status of a specific virtual server, the related pool, with the pool members' status and statistics every two hours

What I mean by statistics here is like what we see in BIG IP GUI, as below

Bits (In/Out)

Packets (In/Out)

Connections (Current/Maximum/Total)

Requests (Total)

How can it be done from BIG IQ if exist and how can it be done from BIG IP itself?

Sync error because Default logging profile and Custom profile both use local logging.

abaraip — Wed, 20 May 2026 19:18:51 GMT

Hi.

I am trying to setup a custom logging profile for bot manager because the default logging profile does not cover all the logging options that I need. I detached the default profile from the virtual server and attached my profile but it wont sync because of the error in the title. What are my options ? I can't setup remote logging at the moment.

Need BIG-IP VE Lab License for Personal Study/Learning

rohitkmr302 — Wed, 20 May 2026 16:02:30 GMT

Hi F5 Community,

I am setting up a personal home lab to learn.
F5 BIG-IP for certification preparation.

I have deployed BIG-IP VE but need a lab license.
to access the management GUI.

Could anyone help me get a free lab/evaluation?
license for personal learning purposes?

Thank you.

BBRv3 Support

Vladimir_Akhmarov — Wed, 20 May 2026 11:38:42 GMT

Hello, Community!

According to

https://my.f5.com/manage/s/article/K50411377 BBR is supported on F5 boxes since TMOS 14.1.0

According to

https://github.com/google/bbr BBR version 3 should be used currently

Does someone know which BBR version F5 devices use?

Guest Role User Lost Visibility in ASM/WAF Module – LTM Working Fine

A_hassanein — Wed, 20 May 2026 07:40:19 GMT

Hi community,

I'm troubleshooting a strange issue on our F5 BIG-IP and hoping someone has run into this before.

Environment:

- Module: ASM (WAF)

- User Role: Guest

- Partition Access: All Partitions

Problem:

A user with the Guest role and access to all partitions suddenly lost the ability to view any information in the ASM module. When navigating to Security > Application Security > Policies, the table shows "No records to display" — even though policies exist and are active and viewable from other non-guest accounts.

The strange part: LTM is working perfectly fine for this user. They can view virtual servers, pools, nodes, etc. without any issue. The problem is isolated to ASM only.

Any pointers would be greatly appreciated. Happy to share outputs if needed.

Thanks!

Disk capacity on F5 rSeries

romolo82 — Wed, 20 May 2026 13:25:24 GMT

A customer of mine has F5 iSeries with LTM, DNS, APM, and ASM/AFM licenses. Disk capacity is 465 GB. He purchased F5 rSeries on which to set up a tenant, and the disk capacity reserved for tenants is only 294 GB.

I believe the new devices lack space, since the /config folder on the old ones is 75% full.

This is the output on rSeries:

df -h /var/F5/system/cbip-disks

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/partition_tenant-root 294G 36G 244G 13% /var/F5/system/cbip-disks

What do you think about that?

Logging F5 response via Logging profile

kruszi123 — Tue, 19 May 2026 20:13:14 GMT

Hi,

I am preparing a rule which limits requests per second based on IP and endpoint. There is also prepared response logging profile which sends logs to specific server with Elastic via TCP. Request limit in my rule is 3 per 1 second which triggers HTTP::respond with 429 status code but in my logs I can't see it. How possibly could I modify my iRule to log it too?

Migrate HW GTM 2600

SuppEsp_AX — Mon, 18 May 2026 08:30:39 GMT

Hi,

I need to migrate 2 cluster Active/Passive frrom serie i to serie r. They are LTM (active standby) and GTM-DNS.

I was thinking about adding two new members to the cluster and temporarily expanding it to a 6-node cluster. Then, on the day of the intervention, we could bring them online and remove two of the i-series nodes. To do this i have to ask for new SELF-IPS, new cables.....etc

Anyone knows the best procedure to replacement these GTM/LTM nodes?

Error in AWAF v17.1 DoS Dashboard

TravisLoke — Mon, 18 May 2026 05:51:31 GMT

Hi all,

I'm running v17.1.3.2 and provisioned for AWAF and LTM. After testing the DoS attack, the event had been detected. The issue is when I click on the Attack ID from the DoS Event Reporting, directing to DoS Dashboard, the Dashboard is showing the errors below and nothing is shown on the Attack Duration widget.

Tested this with previous version v17.1.1.3, it shows exactly the same errors.

Anyone had experienced this for AWAF with version 17.1? Are there any solutions for this.

Thank you.

CLI Tool for BIG-IP - f5 cli

bitwisecook — Sun, 17 May 2026 10:34:41 GMT

I'm releasing a CLI tool for inspecting and manipulating configuration. It’s a whole suite of tools in one, from `f5 grep` through to the advanced jq-style `f5 query`

This tool is based on my last 20 years of using and abusing BIG-IP, and the ideas behind all the tooling I built along the way.

https://github.com/bitwisecook/tcl-lsp/blob/main/INSTALL-cli.md

https://github.com/bitwisecook/tcl-lsp/tree/main/docs/references/f5_query

https://github.com/bitwisecook/tcl-lsp/tree/main/samples/for_f5_query

there’s lots of documentation, worked examples, KCS style docs covering it, contending help including shell completion support.

It requires Python 3.10+ for now.

feel free to discuss here or raise issues on GitHub.

This is part of my much larger work on an LSP, MCP, and AI tooling for all editors and harnesses to improve f5 tooling.

The `query` verb can do stuff like

api.example.com api_app_pool api_vs /Common/api_pool 10.0.2.20 8443 api.example.com api_app_pool api_vs /Common/api_pool 10.0.2.21 8443 www.example.com example_app_pool web_vs /Common/web_pool 10.0.1.10 80 www.example.com example_app_pool web_vs /Common/web_pool 10.0.1.11 80

Question about source persistence across traffic group

AmineZAKARIA — Sat, 16 May 2026 07:45:24 GMT

Hello,

Hope you are doing great!

I would like to know if it is supported to mirror persistence between 2 DC's across 2 Traffic Groups, each one is Active on a DC.

DC 1 Active on TG1
DC 2 Active on TG2

Client established connection on DC1, if it reconnected in DC2 traffic should be rerouted to DC1 backend. (There's no application level session synchronization)

Any suggestions would be appreciated!

Thank you.

Regards!

Functionality questions regarding commands that we're using in a DNS_REQUEST related iRule

OATI_Network_S1 — Fri, 15 May 2026 22:09:53 GMT

I opened a ticket w/F5 regarding this but they recommended I try DevCentral instead, so here we are :)

We're currently in the process of creating and testing an iRule/configuration in a test environment with the intent of eventually applying it to the listeners in our F5 DNS/GTM production environment that will forward DNS requests made to our production F5 DNS/GTM environment with only specific criteria to a separate Windows DNS server to answer back through our production F5 DNS/GTM environment.

What we have so far which appears to be working:

when DNS_REQUEST {

# Check if the query is for a TXT record and matches a specific FQDN

if { ([DNS::question type] equals "TXT") and ([string tolower [DNS::question name]] contains "_acme-challenge") } {

# Forward to a specific pool of DNS servers

DNS::disable dns-express

snat automap

translate address enable

pool /Common/dns_fwdtxttest_pool

}

In order for us to get it to work we had to add the following commands to the iRule that we found online:

DNS::disable dns-express

snat automap

translate address enable

In both our test and production F5 DNS/GTM environments we:

-Do use dns-express

-Have source address translation set to none on our listeners

-Have address translation disabled on our listeners

My questions are in regard to how those 3 commands may/may not affect other requests/traffic made to our production F5 DNS/GTM environment NOT being processed by the iRule when it gets triggered during and post completion.

Will the features/settings affected by those commands only apply to the request/traffic that triggers and is processed by the iRule, or all traffic?

Will the features/settings affected by those commands automatically revert back to how they are currently set/functioning prior to implementation in our production F5 DNS/GTM environment (DNS Express - enabled, source address translation - none, address translation - disabled) again once the iRule completes processing the triggered request/traffic, or do they need to be toggled back manually at the end of the iRule in some way again as well?

We're just trying to make sure we have all our bases covered and are accounting for as much as we can before going live with it and potentially running into other unexpected issues with production requests/traffic upon implementation.

All that being said - is there anything else that we may be missing/overlooking?

Anyone out there have any thoughts/suggestions/guidance at all?

Thanks in advance and hope all is well!