SNI Sites not taking correct certificate.
I have configured one VIP with two certificate aks.test.com aks4.test.com On SSL profile for aks.test.com i have enabled SNI feature and aks.test.com is working fine taking correct certificate (aks.test.com). but aks4.test.com having not secure error on browser and taking the certificate of (aks.test.com). Could someone please help what could be the issue in this case.How to implement LTM forward proxy client to determine the diversion pool based on the domain name
Through testing, I found that if I simply use all-zero virtual services and use standard mode, I must use the client SLL profile to obtain the SIN domain name in the TLS handshake message sent by the client. However, I don’t know what the domain name certificate that the client needs to access is for the client Internet exit. It is not fixed, and these certificates may not exist on my device. If I use a self-signed domain name certificate, the intranet client will prompt "Do not trust the domain name site". Does anyone have a better solution for this? The F5 forward proxy needs to know what the domain name requested by the client is or provide irules events or commands! Thank you for every reader’s reply! when CLIENTSSL_HANDSHAKE { binary scan [SSL::extensions -type 0] {@9A*} sni_name log local0. "$sni_name" pool ChinaRadioTelevisionPool } } #This method currently lacks remote certificate issues, prompting unsafe trust. Is there any other way to obtain the domain name information sent by the client for diversion? ltm virtual OverseasApplications { destination 0.0.0.0:https ip-protocol tcp mask any profiles { ForwardClientSSL { context clientside } ForwardServerSSL { context serverside } Forward_HTTP { } apm-forwarding-client-tcp { } } rules { OutboundIRules } source 0.0.0.0/0 source-address-translation { pool ChinaRadioTelevisionSNATPOOL type snat } translate-address disabled translate-port disabled vlans { internal_vlan_13 } vlans-enabled vs-index 3 }
F5 LTM listening on 3306
Hello Everyone, Wanted to see if anyone can confirm if its okay to see F5 listening on default mysql port "3306". tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:42724 127.0.0.1:3306 ESTABLISHED tcp 1 0 127.0.0.1:38276 127.0.0.1:3306 CLOSE_WAIT tcp 0 0 127.0.0.1:3306 127.0.0.1:42724 ESTABLISHED
PKI PIN works for users from one network, not the other.
We have external users and internal users accessing a virtual server. It's fronted by an APM policy, that asks for the DoD PKI/pin, does an OCSP check, LDAP check, and then sends users on their way to LTM. (there's no SSO, or anything involved) When being load balanced to the application, the end application prompts the users for their PKI/PIN at the app again for access. For the internal network users, this works. For the external network users, their PIN is not being accepted. Is there something I'm missing on the F5 side of things? I even disabled APM for that FQDN through the VS and it still has the same result.
An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains reserved tls extension values. (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtmltls-extensiontype-values-1). The Client Hello request in the SSL Handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in Server Hello. I need an irule that can allow that Extension to be added on the client ssl profile so the ssl handshake doesn't fail.
HTTP 413 error
Hi everyone, I have a specific problem and I want to know if you already see that and if you have a solution. I need to do HTTP POST on a reverse proxy. But I have sometimes the following return : 413 Request Entity Too Large All works fine directly on the serveur. But when I do the HTTP POST on the URL (so the traffic pass by the F5 BIG IP), I have the HTTP error. The file does 10Mo. Thanks a lot in advance. Best regards, AgatheDoes the iHealth upgrade advisor consider iRule configuration
Hi all, I am currently preparing an upgrade from 11.6.1 to 13.1.0.8 for a customer. I noticed there a lot of large iRules configured. Does the upgrade advisor consider the iRules collected in the qkview file? I can't seem to find any information about this. Any help is appreciated! With regards, JeroenStandby Has Fewer Online VIPs Than Active – Requires Manual Monitor Reset
Hello F5 community, I’ll preface this by saying that networking has been verified as fully routable between the Active and Standby units. Both devices can ping and SSH to each other’s Self-IPs, and rebooting the Standby did not resolve the issue. Issue: Discrepancy in Online VIPs Between Active & Standby Despite being In-Sync, the Active and Standby units show a different number of Online VIPs. If I randomly select one or two VIPs that should be online, remove their monitors, and then re-add them—BOOM, the VIP comes online. The VIPs in question were both HTTPS (443). Side Note: Frequent TCP Monitor Failures In my environment, I also frequently see generic ‘TCP’ monitors failing, leading to outages. While I understand that TCP monitoring alone isn’t ideal, my hands are tied as all changes must go through upper management for approval. Has anyone encountered a similar issue where VIPs don’t come online until the monitor is manually reset? Any insights into potential root causes or troubleshooting steps would be greatly appreciated! Thanks in advance.Update OWASP score task failed.
Hello, Just realized that my LTM is filling with restjavad logs, I'm getting error: Update OWASP score task failed. OWASP Compliance Score generation task next iteration scheduled to run in 60 minutes from now. It seems that it's connected with WAF module, which I'm not using currently. Also, just checked for network issues, and it seems everything is ok. Does anyone have any idea? Thanks in advance!! (full log below). LTM version: 16.0.0 0.0.12 [I][458273][05 Feb 2021 04:40:05 UTC][8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Update OWASP score task failed. [I][458274][05 Feb 2021 04:40:05 UTC][8100/tm/asm/owasp/task OWASPTaskScheduleWorker] OWASP Compliance Score generation task next iteration scheduled to run in 60 minutes from now. [SEVERE][458275][05 Feb 2021 05:40:05 UTC][com.f5.rest.workers.asm.AsmConfigWorker] nanoTime:[15761351310149764] threadId:[21] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused) at org.apache.thrift.transport.TSocket.open(TSocket.java:185) at com.f5.asmconfig.client.AsmClient.<init>(AsmClient.java:42) at com.f5.asmconfig.client.AsmClient.<init>(AsmClient.java:50) at com.f5.rest.workers.asm.WrapAsmClient.getClient(AsmConfigWorker.java:306) at com.f5.rest.workers.asm.AsmConfigWorker.restCallWithRetry(AsmConfigWorker.java:170) at com.f5.rest.workers.asm.AsmConfigWorker.forwardCall(AsmConfigWorker.java:200) at com.f5.rest.workers.asm.AsmConfigWorker$1.run(AsmConfigWorker.java:156) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622) at java.lang.Thread.run(Thread.java:748) Caused by: java.net.ConnectException: Connection refused (Connection refused) at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:580) at org.apache.thrift.transport.TSocket.open(TSocket.java:180) ... 13 more ]client:[7182705]
