LTM
ICMP (Fragmentation needed) Between Firewall and LTM
We have been working for a while with Fortinet about an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1); this issue is causing a loop with some ICMP packets.

The flow goes like this:

    internet (ISP) --- firewall --- LTM --- customer network (client)

So yes, the LTM is in the middle between the client and the firewall. To be clearer, the client is surfing the internet through the LTM up to the firewall, and then the traffic is sent to the ISP.

The issue: when the client tries to reach the internet, for some packets we noticed a fragmentation issue. Packets captured with "ICMP Frag Needed" on the firewall have been sent to the LTM, and for some reason the LTM is sending them back to the firewall, causing a loop. According to the F5 routing table, the next hop for 10.0.0.0/9 is the client, but it does not check the routing table for those kinds of packets ("ICMP Frag Needed").

In F5 we see a lot of "need to frag" ICMP messages:

    [root@f5-r10600-abc:Active:Standalone] config # tcpdump -i Internet 'icmp[0] = 3' | grep "need to frag"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Internet, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
    14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
    14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=

We are concerned that the F5 is not behaving correctly for this kind of ICMP traffic.
We read some articles about PMTUD while not being sure if this is the issue:

https://my.f5.com/manage/s/article/K000138230
https://my.f5.com/manage/s/article/K13948

We tried TAC support, but we have 15.1.9.1 and it went EOS two weeks ago; an upgrade will be done, but only next month, and I don't think this will be solved by an upgrade.

Has anyone faced this issue? Thanks

How are memory and disk allocated to different modules on bigip appliance?
hi, when doing "Resource Provisioning", the memory and disk space auto-allocated to LTM and ASM are shown as below. The amount of memory and disk is the minimum requirement, right? When a huge number of virtual servers is created later, will the appliance auto-allocate more spare memory and disk to the module? And what is the management module responsible for? Is it responsible for packet forwarding? Should we set "Provisioning" to "Medium" or "Large" if the throughput is larger than 1Gbps? Can someone please advise? Thanks in advance!

Is iQuery sent to each other among GTMs and LTMs? full mesh?
hi, we have 3 data centers, and there are two LTMs and one GTM at each data center. All GTMs are configured in the same sync-group, and the LTMs are added to the local GTM server list. For this setup, normally we should see iQuery sent bidirectionally in a full mesh, right? I saw GTM A send iQuery to GTM B, but no iQuery from GTM B to GTM A. Is this normal? Please advise, thanks in advance!

View NAT / SNAT Sessions
Hi, I have recently enabled an SNAT in an iRule:

    switch -exact -- "1" [IP::addr [getfield [IP::client_addr] "%" "1"] equals 10.80.0.0/16] {
        snat automap
    }

and I am trying to work out how many sessions are being SNAT'd as a result of this change. Issuing the commands

    sho ltm nat
    sho ltm snat
    sho sys connection cs-client-addr 10.80.0.202

etc. is not giving me any results. I am not so much interested in the details of the sessions, just totals, so I can verify that I'm not exceeding the 64k limit, but I'm obviously doing something wrong. Thanks, James

iRule - Url rewrite and header replace and pool selection not working
I have a scenario where I need to perform a header replace and URL rewrite and select a pool. I have several sites for which I need to select a specific pool, and they all have to come through the same virtual server. When I select a pool, the content returned is not complete: the web page is missing formatting and content. If I define a default pool that would be used for the specific site, the content returned is complete for that site but still missing content for the other sites not using the default pool. I have tried a /32 OneConnect profile and that made no difference. Below is my iRule:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "mywebsite.test.edu" {
                switch -glob [string tolower [HTTP::uri]] {
                    "/mytestsite1" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite1/Authentication/Login?"
                    }
                    "/mytestsite1/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite1/" "/differentname1/"} [HTTP::uri]]
                        }
                        pool mypool1
                        return
                    }
                    "/mytestsite2" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite2/Authentication/Login?"
                    }
                    "/mytestsite2/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite2/" "/differentname2/"} [HTTP::uri]]
                        }
                        pool mypool2
                        return
                    }
                    "/mytestsite3" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite3/Authentication/Login?"
                    }
                    "/mytestsite3/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite3/" "/differentname3/"} [HTTP::uri]]
                        }
                        pool mypool3
                        return
                    }
                }
            }
        }
    }

LTM for load balance DNS queries with real IP addresses
Hello everyone, I’m seeking advice from experts. I’ve configured an LTM to load balance requests across multiple internal DNS servers. However, I’m facing a challenge: the DNS servers need to see the real client IP addresses in the requests, rather than the LTM’s IP. How can I achieve this? Please note that I only have an LTM license. Thank you in advance for your assistance!

Priority group activation on GTM.
Hello All, I need to configure an active/standby configuration at GTM pool level: only one VS should be UP and the second should be standby, and if one VS is down then traffic should pass to the other VS. I can see there is one option, Minimum-up Members, but I do not know how to use it as priority group activation at GTM level. If anyone has any article or config suggestion, please share. Many thanks in advance for your time and consideration.

Need to restrict access to URLs
Hello team, I have a new site, https://xyz.com, that needs to be published to the internet. We are planning to launch its services in phases. For the 1st phase I have received a set of 29 URI paths (these are wildcard URI paths, i.e. https://xyz.com/asdf/xyz/morning*) that need to be accessible from internet public IPv4 and public IPv6 IPs. Any URI paths other than these 29 should be redirected to https://oldapplication.com when accessed from internet public IPv4 and public IPv6 IPs. Access to https://xyz.com from internal organization private IPs should be allowed without any URI path restriction. Please inform me how I can achieve the above requirement using an iRule, LTM policy or WAF. Thanks in advance

Renew BIG-IP device SSL certificate
hello Team, I am going to renew our BIG-IP device SSL certificate, but this time we have GTM, so we also need to update the GTM side. This is what I am planning:

1. Renew the BIG-IP device SSL certificate via CLI in config/httpd/conf/ssl.crt/server.crt
2. Restart the httpd service
3. Update the GTM via the GUI: DNS -> GSLB -> Servers -> Trusted Server Certificates -> Import -> Append -> paste the new cert
4. Restart the big3d and gtm services

The question is, is this the correct way? Also, will this also update my cert on big3d (/config/big3d/client.crt)? If not, do I need to update the cert on big3d? Thank you!

Monitor multiple services on one service
Hi folks, I have a server serving web/SMTP services. How do I monitor multiple services on the F5 when there is only one backend server? Also, which VS should I configure to serve both services, instead of creating 2 VSs with the same IP but different ports? Thanks