LTM
19051 Topics

Unstable communication L2 and ARP
Hi, I have a very weird problem with one of our F5. This is a single armed partition, so the LB VS and pool members and everything is all on the same L2 network segment. The thing is, the pool members (four) are going down every other minute, and then come back after a while, maybe a few minutes.

Digging into the issue, I found that I am not able to ping those nodes from the F5 tmsh when they are down, while I can ping them from my workstation just fine. Just the F5 loses communication for a reason. I checked the ARP table, and the entries for those hosts are in there with the right MAC address. However, when the problem occurs, as soon as I clear the ARP table entry for any of these hosts, I am immediately able to ping them again - for some minutes, then the ping dies again. Clearing the ARP again brings them back to life right away - and so on. As I said, I can see the correct ARP table entry when the ping is not working, so I don't get why clearing the ARP entry brings them back to life. All other communication to those hosts is just running fine, e.g. I run an RDP session from my workstation to them which just runs fine while they are not ping-able from the tmsh.

Question is, what's up with the F5 that it loses communication? I tried to add static ARP entries for those pool members as I am running out of ideas, but that didn't change anything. Also, we have the same set up in our dev environment, same F5, same versions, all the same, which just runs fine.

Any help or ideas are appreciated,
Tx & Greetings, Jo

Solved | 30 Views | 0 likes | 3 Comments

Need iRule to block the traffic for specific URL
Hello, can somebody help on this please? I have an LTM appliance & virtual server 'https://www100.test.com' hosted. The requirement I have is to block all the traffic destined to one of the applications, 'https://www100.test.com/ce'. Is this something achievable by iRule? If so, do you have any idea on the iRule? Would appreciate it if somebody can help. Have seen this - https://support.f5.com/csp/article/K74012450 - but that is looking too complex to me. Thanks

1.9K Views | 0 likes | 6 Comments

F5 r10800 not connected to Cisco Nexus 9000
10G and 25G interfaces on F5 rSeries 10800 (F5OS version 1.5.2) ports fail to establish links with Cisco Nexus switches C93360YC-FX2 (NX-OS version 9.3.5). Both side module models are:

    type is SFP-H25GB-SR
    name is F5 NETWORKS INC.
    part number is OPT-0053

Is there a solution to this problem?

67 Views | 0 likes | 4 Comments

Issue while migrating config from 4000s to r4600
Hi All, we are trying to migrate config from 4000s to r4600. We have created a UCS on the 4000s, but while loading it on a tenant on the r4600, we got an error saying:

    "load sys partition all platform migrate " - failed -- 010713d0:3: Symmetric Unit key decrypt failure - decrypt failure, configuration loading error: high-config-load-failed

Before loading the UCS from the 4000s device to the tenant, we copied the master key to the new tenant and verified it as well. The command used to load the UCS:

    load sys ucs <file name> no-license platform-migrate

Didn't see any other error logs in /var/log/ltm. Could someone suggest how to resolve this issue? Please note we are using a CA device certificate and not a self-signed certificate for the device. Also the management IP, trunk name and number of trunk ports in the UCS are different from those on the tenant.

48 Views | 0 likes | 4 Comments

F5 WhatsApp group move to Telegram
Good day, I hope someone can assist. There was a note out a while back regarding an F5 WhatsApp group. Shortly thereafter a response stated the group was full. The next response stated it was going to move to Telegram. Just wanting to know if the group setup utilizing Telegram happened and, if so, if someone could advise how to find/join the group. Cheers Paul

2.3K Views | 0 likes | 8 Comments

Uri Rewrite and relative Uri's/Links
Hello Folks, I think it's more a theoretical question, but with a practical background. I've the following scenario. Client side is requesting "https://www.domain.com/app". Proxy performs an HTTP:uri rewrite from /app to "/" (content on backend system is in the root directory). That's working fine -> I'll get a Login mask and then I'll get some incomplete content back in the browser. After looking at the site source code I'll find a lot of "relative links":

    <!DOCTYPE html>
    <html lang="en"><head><meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
    <base href="/" />
    <link href="css/rich-text/bundle.min.css" rel="stylesheet">
    <link href="css/rich-text/css/dx.light.css" rel="stylesheet">
    <link href="css/rich-text/bundle-richedit.min.css" rel="stylesheet">
    <script src="_framework/blazor.webassembly.js"></script>
    <script src="_content/MudBlazor/MudBlazor.min.js"></script>
    <script src="_content/Dsm.Blazor.Components/common.bundle.js"></script>
    <script src="_content/Dsm.Blazor.Components/contextmenu.bundle.js"></script>

and so on. The problem is, the browser is requesting all these links without the subdirectory /app:

    https://www.domain.com/css/rich-text
    instead of
    https://www.domain.com/app/css/rich-text

A search on the WWW says that the usage of subfolders + rewrites with relative paths should not really be a problem. Or rather, this was described as a workaround. According to my understanding of relative links, these should simply be added to the existing browser URL during the request. Do I have a problem understanding relative links here, or could the <base href="/" /> be the problem (because all paths are relative to / [root path], thus removing the /app path from subsequent requests)? Thanks in advance for your help. rschwarz

26 Views | 0 likes | 2 Comments

Ways to correlate client side and server side connections
Hi all, wondering if there are any new methods to correlate client side and server side connections? Say I have the client IP and ephemeral source port, is there any feature that allows me to see the end-to-end conversation? I am aware of tcpdump with verbosity parameters and flow id, but I was wondering if there are any other ways easier than the above. Thanks in advance!

Solved | 32 Views | 0 likes | 4 Comments

Unequal loadbalancing for a UDP VIP
We've a UDP VIP configured with udp-datagram profile enabled. We're observing a strange behaviour in the way LTM routes the packets to the backend server. There are 5 servers in the pool and most of the connections are routed to one server; due to this behaviour the resources on that particular server are getting exhausted. I am not sure when we've enabled on data-gram profile. I am assuming some of the old connections are still in the connection table and being handled without data-gram. I tried to clear the connection table using the below tmm script and did not have any success. Please let us know if there is any other way to clear the connection table.

    tmsh show sys connection ss-server-addr <server-ip> | grep tmm | awk '{split($1, client, ":"); print "tmsh delete sys conn cs-client-addr " client[1] " cs-client-port " client[2] " cs-server-addr <VIP> cs-server-port 1813"}' | sh

25 Views | 0 likes | 3 Comments

LTM SSL handshake failure (40) with IIS SSL setting Accept
I had an issue that communication from a client PC failed with one of the pool members. The client PC can directly access the problem member without any issue. If it is accessed through the VS, the failure happens. As investigated with packet capture, the following error caused the communication failure.

    Transport Layer Security
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 26
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

As I investigated, I found the problem member's IIS SSL setting is set as "Accept". Other working members are set as "Ignore". As I changed the setting to "Ignore", the problem was gone. The IIS SSL setting "Accept" is to accept a client certificate if it is provided by the client. If the client did not provide a client certificate, IIS still establishes the connection. On the VS, an SSL server profile is used. The profile setting is almost default. Do you know why BIG-IP fails the SSL communication if the IIS SSL setting is "Accept"?

25 Views | 0 likes | 4 Comments