PKI PIN works for users from one network, not the other.
We have external users and internal users accessing a virtual server. It's fronted by an APM policy, that asks for the DoD PKI/pin, does an OCSP check, LDAP check, and then sends users on their way to LTM. (there's no SSO, or anything involved) When being load balanced to the application, the end application prompts the users for their PKI/PIN at the app again for access. For the internal network users, this works. For the external network users, their PIN is not being accepted. Is there something I'm missing on the F5 side of things? I even disabled APM for that FQDN through the VS and it still has the same result.Questions about F5 BIG-IP Multi-Datacenter Configuration
We have an infrastructure with two datacenters (DC1 and DC2), each equipped with an F5 BIG-IP using the LTM module for DNS traffic load balancing to resolvers, and the Routing module to inject BGP routes to the Internet Gateways (IGW) for redundancy. Here’s our current setup (based on the attached diagram): Each DC has a BIG-IP connected to resolvers via virtual interfaces (VPI1 and VPI2). Routing tables indicate VPI1->DC1 and VPI2->DC2. Each DC has its own IGW for Internet connectivity. Question 1: Handling BIG-IP Failures If the BIG-IP in one datacenter (e.g., DC1) fails, will the DNS traffic destined for its resolvers be automatically redirected to DC2 via BGP? How can BGP be configured to ensure this? Is it feasible and recommended to create a HA Group including the BIG-IPs from both datacenters for automatic failover? What are the limitations or best practices for such a setup across remote sites? Question 2: IGW Redundancy Currently, each datacenter has its own IGW. We’d like to implement redundancy between the IGWs of the two DCs. Can a protocol like HSRP or VRRP be used to share a virtual IP address between the IGWs of the two datacenters? If so, how can the geographical distance be managed? If not, what are the alternatives to ensure effective IGW redundancy in a multi-datacenter environment? Question 3: BGP Optimization and Latency We use BGP to redirect traffic to the available datacenter in case of resolver failures. How can BGP be configured to minimize latency during this redirection? Are there specific techniques or configurations recommended by F5 to optimize this? Question 4: Alternatives to the DNS Module for Redundancy We are considering a solution like the DNS module (GSLB) to intelligently manage DNS traffic redirection between datacenters in case of failures. However, this could increase costs. Are there alternatives to the DNS module that would achieve this goal (intelligent redirection and inter-datacenter redundancy) while leveraging the existing LTM and Routing modules? For example, advanced BGP configurations or other built-in features of these modules? Thank you in advance for your advice and feedback!
Question regarding F5 Viprion Configuration Migration to VE.
Requires suggestion regarding migration process-from F5 Viprion (B2250 /vCMP Guest -LTM Module) to F5 VE (On VMWare) in same datacenter. Both on F5 version 17.1.1 1.Is there any migration guide available , which includes detailed step by step process ? 2.This will be phased migration (few VS at a time ) or all configuration can be moved to VE at once ? 3.What due care needs to be taken before , during & after migration.
Issue while migrating config from 4000s to r4600
Hi All, we are trying to migrate config from 4000s to r4600. We have created UCS on 4000s but while loading it on a tenant on r4600, we got an error saying ""load sys partition all platform migrate " - failed -- 010713d0:3: Symmetric Unit key decrypt failure - decrypt failure, configuration loading error: high-config-load-failed". Before loading the UCS from 4000s device to tenant, we copied the master key to the new tenant and verified it as well. The command used to load the UCS : load sys ucs <file name> no-license platform-migrate Didn't see any other error logs in /var/log/ltm. Could someone suggest how to resolve this issue ? Please note we are using a CA device certificate and not self signed certificate for the device. Also the management IP, trunk name and number of trunk ports in the UCS are different from those on the tenant.
Horizon View iApp - Big-IP 17.5
I have a client deploying an r4650 pair. The plan is for it to handle Exchange, LDAPS & Horizon View. I’m in the process of initial setup on the pair of boxes now. It’s been a long time since I've deployed Horizon View on F5. I see that the iApp is still maintained so yay! Question: is the current 1.5.9 version of the iApp supported in Big-IP 17.5? The KB article states 17.1 but the article hasn’t been updated in a while. F5 recommends the latest version of 17.5 but I don't want to hit any snags as we deploy. Thanks in advance, Mattcross platform migration issue
Hi, we want to migrate the config from iseries 4K to rseries 5k . The current software version on iseries is 13.x.. I tried to run bigip v15.x on rseries, then export the config from iseries and import it into rseries, but not successful, there were some errors. Can someone please advise how should I do to make the migration successful? Thanks in advance!
TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) Setup I see frquently the following logs: ***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"*** Any idea what this TCL error causes? The clientssl is quite Basic: one certificate chain, no Server Name set. Thanks, RolfList all F5 macs?
I'm trying to track down a couple of mac addresses sent to me by the CyberOps team and haven't been able to find them. I've checked our F5s (OUIs are 00:0a:49 and 00:23:e9), but don't see any macs with those. A couple of our test F5s were recently decommissioned, and I'm wondering if the macs may have belonged to one of them. The command I'm using to display the macs on each of our F5s is... tmsh show sys mac-address Does this command return a complete list, or are there some macs it misses? Is there another command I need to use as well? Thanks!
