HA Active/Standby add 2nd Floating IP from a different Vlan
I have 1 HA Active/Standby pair, I am looking to add a second floating IP for management access from our Management Vlan. We are wanting to access the configuration GUI from an internal URL and get to the Active F5 no matter which one is the active F5. Currently we have a floating self IP and a non floating IP on each of the pairs. What considerations do I need to take to accomplish this? Is this feasible? Do I need to add/change the SNAT pool? Will this affect config-sync or failover?

SNAT pool: internal-snatpool 10.1.20.20

Current setup example:

prd1
    10.1.20.1    - traffic-group-local-only, internal
    10.20.30.213 - traffic-group-local-only, external
    10.20.30.215 - traffic-group-1, external, port lockdown set to None
    192.168.1.22 - traffic-group-local-only, HA

prd2
    10.1.20.2    - traffic-group-local-only, internal
    10.20.30.214 - traffic-group-local-only, external
    10.20.30.215 - traffic-group-1, external, port lockdown set to None
    192.168.1.23 - traffic-group-local-only, HA

Possible setup example:

prd1
    10.1.20.1    - traffic-group-local-only, internal
    10.20.30.213 - traffic-group-local-only, external
    10.30.30.213 - traffic-group-local-only, external
    10.20.30.215 - traffic-group-1, external, port lockdown set to None
    10.30.30.215 - traffic-group-1, external, port lockdown set to default
    192.168.1.22 - traffic-group-local-only, HA

prd2
    10.1.20.2    - traffic-group-local-only, internal
    10.20.30.214 - traffic-group-local-only, external
    10.30.30.214 - traffic-group-local-only, external
    10.20.30.215 - traffic-group-1, external, port lockdown set to None
    10.30.30.215 - traffic-group-1, external, port lockdown set to default
    192.168.1.23 - traffic-group-local-only, HA

Not able to change virtual server traffic group from traffic-group-local-only to traffic-group-1
We have two LTM devices, and I observe that one virtual server is missing on the secondary device. I checked the virtual server configuration on the primary: that virtual server is configured in the traffic group traffic-group-local-only. Now I am changing the traffic group, but it is not changing. Is there any way to change it?

Any way to do DNS loadbalancing without BIG-IP DNS module?
Hi,

In our environment we have a number of domain controllers which act as DNS servers for everything internally. Now, we have one specific type of client that is only able to be configured with a single IP address for its DNS server and this causes problems when a DNS server is down for maintenance. We run BIG-IP VE v16.1.4 with LTM, but not DNS, provisioned. I'd like to solve this without provisioning the BIG-IP DNS module in this particular instance, by doing this:

1. Creating a new Stateless VS to receive DNS queries on port 53/udp
2. Assign a UDP protocol profile with "datagram" enabled (so it LBs every single packet) to the VS
3. Create a pool of DNS servers
4. Create an internal DNS record that will be used to check that a DNS server responds with the correct RR.
5. Assign a "DNS" monitor to the pool and configure it to check service status by sending a DNS query for the RR I created and seeing if the response is correct.

However, the "DNS" monitor puts every server in the DOWN state. By using tcpdump on the BIG-IP VE I can see that the BIG-IP does not send any DNS query packets from this monitor to the DNS servers in the pool. I see a lot of other DNS queries from the BIG-IP (the servers in question are also the DNS servers for the BIG-IP).

SO - should it even be possible to create a normal LTM pool containing DNS servers and have the BIG-IP monitor the service state of each member using the "DNS" monitor?

Help with iRule
Good day all! I have the following iRule:

    when HTTP_REQUEST {
        # Only these exact URIs on lists.example.com are checked
        if { ([HTTP::host] eq "lists.example.com") and
             ([HTTP::uri] eq "/cgi-bin/wa?INDEX" ||
              [HTTP::uri] eq "/cgi-bin/wa?MOD" ||
              [HTTP::uri] eq "/cgi-bin/wa?SYSCFG" ||
              [HTTP::uri] eq "/cgi-bin/wa?OWNER" ||
              [HTTP::uri] eq "/cgi-bin/wa?INDEX=" ||
              [HTTP::uri] eq "/cgi-bin/wa?LOGON" ||
              [HTTP::uri] eq "/cgi-bin/wa?LOGON=INDEX" ||
              [HTTP::uri] eq "/cgi-bin/wa?LOGON=" ||
              [HTTP::uri] eq "/cgi-bin/wa?ADMINDASH" ||
              [HTTP::uri] eq "/cgi-bin/wa?LSTCR1") } {
            # Clients in the allowed-IP data group continue; everyone else is redirected
            switch -glob [class match [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] {
                "1" { return }
                default { HTTP::redirect "https://www.google.com/" }
            }
        } else {
            return
        }
    }

As you can see, it is inefficient, and it doesn't account for all possibilities. Let me explain what I am aiming for. If an `HTTP_REQUEST` comes to "lists.example.com" (`[HTTP::host]`), and the URI (`[HTTP::uri]`) isn't "/cgi-bin/wa?SUBEDIT1*" (that is, "cgi-bin/wa?SUBEDIT1", and anything after it), redirect it unless it is from an IP on the "LISTSERV-TST_Allowed_IPs", in which case, allow anything on the URI and continue to it. What would you do?

health monitor without hostname
Hi guys, I have a health monitor without a hostname:

    GET /icap/AV HTTP/1.1\r\nConnection: Close\r\n\r\n

We have 2 backend nodes. Just want to know what will be the hostname when traffic is sent to the backend servers. Will this add the original FQDN from the client traffic, or does it add the server IP address, etc.?

Reset cause
Hello, can someone help me with this? I have an F5 LTM VM and the sho /net rst-cause command displays this situation:

    TCP/IP Reset Cause
    RST Cause:                              Count
    -------------------------------------------
    Flow expired (sweeper)                  103387
    No flow found for ACK                   339414
    No pool member available                0
    RST from BIG-IP internal Linux host     659163
    SSL handshake timeout exceeded          3
    TCP RST from remote system              114027
    TCP retransmit timeout                  48
    TCP zero window timeout                 136
    Unknown reason                          57
    handshake timeout                       52912

I have tried enabling the logs on the LTM in order to understand the cause of the handshake timeout resets, but I am quite confused. I can't figure out the cause of the TCP handshake timeouts or how to increase them in the TCP profile. The LTM log returns me this error:

    RST sent from 10.109.120.228:35681 to 10.1.29.237:8403, [0x2f3864d:271] {peer} handshake timeout

Thank you for your support.

Unable to login to F5 Big-IP CLI console after data centre move
Hello, I am looking for any help! We currently have Big-IP 17.1 Best Bundle running on VE in ESXi. After moving data centres, I am unable to log in to the CLI via the console to amend the management interface onto the new network that's been put in place. When I try to log in as root it hangs and then presents the message "gethostbyname: Unknown host" and then reverts back to the username login prompt without asking for the password. I have tried rebooting, but without being able to get past the login prompt there's not much more I can do! I'm assuming it may be trying to do some DNS resolution at logon, but being as it's on a new network it can't get out until I change it. Thanks for any help.