LTM
18492 Topics

SNI Sites not taking correct certificate.
I have configured one VIP with two certificates, aks.test.com and aks4.test.com. On the SSL profile for aks.test.com I have enabled the SNI feature, and aks.test.com is working fine, taking the correct certificate (aks.test.com). But aks4.test.com is showing a "not secure" error in the browser and taking the certificate of aks.test.com. Could someone please help with what could be the issue in this case?

How to implement LTM forward proxy client to determine the diversion pool based on the domain name
Through testing, I found that if I simply use an all-zero virtual server in standard mode, I must use the client SSL profile to obtain the SNI domain name in the TLS handshake message sent by the client. However, I don't know what domain name certificate the client needs to access for the client Internet exit. It is not fixed, and these certificates may not exist on my device. If I use a self-signed domain name certificate, the intranet client will prompt "Do not trust the domain name site". Does anyone have a better solution for this? The F5 forward proxy needs to know what domain name the client requested, or provide iRule events or commands! Thank you to every reader for replying!

```tcl
when CLIENTSSL_HANDSHAKE {
    # Extension type 0 is server_name; skip the 9-byte extension/list/name-type/length header
    binary scan [SSL::extensions -type 0] {@9A*} sni_name
    log local0. "$sni_name"
    pool ChinaRadioTelevisionPool
}
```

This method currently still has the remote certificate issue, prompting an untrusted warning. Is there any other way to obtain the domain name information sent by the client for diversion?

```
ltm virtual OverseasApplications {
    destination 0.0.0.0:https
    ip-protocol tcp
    mask any
    profiles {
        ForwardClientSSL {
            context clientside
        }
        ForwardServerSSL {
            context serverside
        }
        Forward_HTTP { }
        apm-forwarding-client-tcp { }
    }
    rules {
        OutboundIRules
    }
    source 0.0.0.0/0
    source-address-translation {
        pool ChinaRadioTelevisionSNATPOOL
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal_vlan_13
    }
    vlans-enabled
    vs-index 3
}
```

F5 LTM listening on 3306
Hello Everyone, I wanted to see if anyone can confirm whether it's okay to see F5 listening on the default MySQL port "3306".

```
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:42724 127.0.0.1:3306 ESTABLISHED
tcp 1 0 127.0.0.1:38276 127.0.0.1:3306 CLOSE_WAIT
tcp 0 0 127.0.0.1:3306 127.0.0.1:42724 ESTABLISHED
```

PKI PIN works for users from one network, not the other.
We have external users and internal users accessing a virtual server. It's fronted by an APM policy that asks for the DoD PKI/PIN, does an OCSP check and an LDAP check, and then sends users on their way to LTM (there's no SSO or anything involved). When being load balanced to the application, the end application prompts the users for their PKI/PIN again for access. For the internal network users, this works. For the external network users, their PIN is not being accepted. Is there something I'm missing on the F5 side of things? I even disabled APM for that FQDN through the VS and it still has the same result.

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow HTTPS header enrichment. The SSL negotiation (I'm doing SSL termination on F5) fails because the enriched header from the client contains reserved TLS extension values (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1). The Client Hello request in the SSL handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in the Server Hello. I need an iRule that can allow that extension to be added on the client SSL profile so the SSL handshake doesn't fail.

HTTP 413 error
Hi everyone, I have a specific problem and I want to know if you have already seen it and if you have a solution. I need to do an HTTP POST on a reverse proxy. But sometimes I get the following response: 413 Request Entity Too Large. All works fine directly on the server. But when I do the HTTP POST on the URL (so the traffic passes through the F5 BIG-IP), I get the HTTP error. The file is 10 MB. Thanks a lot in advance. Best regards, Agathe

Does the iHealth upgrade advisor consider iRule configuration
Hi all, I am currently preparing an upgrade from 11.6.1 to 13.1.0.8 for a customer. I noticed there are a lot of large iRules configured. Does the upgrade advisor consider the iRules collected in the qkview file? I can't seem to find any information about this. Any help is appreciated! With regards, Jeroen

Standby Has Fewer Online VIPs Than Active – Requires Manual Monitor Reset
Hello F5 community, I'll preface this by saying that networking has been verified as fully routable between the Active and Standby units. Both devices can ping and SSH to each other's Self-IPs, and rebooting the Standby did not resolve the issue.

Issue: Discrepancy in Online VIPs Between Active & Standby
Despite being In-Sync, the Active and Standby units show a different number of Online VIPs. If I randomly select one or two VIPs that should be online, remove their monitors, and then re-add them—BOOM, the VIP comes online. The VIPs in question were both HTTPS (443).

Side Note: Frequent TCP Monitor Failures
In my environment, I also frequently see generic 'TCP' monitors failing, leading to outages. While I understand that TCP monitoring alone isn't ideal, my hands are tied as all changes must go through upper management for approval.

Has anyone encountered a similar issue where VIPs don't come online until the monitor is manually reset? Any insights into potential root causes or troubleshooting steps would be greatly appreciated! Thanks in advance.

Update OWASP score task failed.
Hello, I just realized that my LTM is filling up with restjavad logs; I'm getting the error: "Update OWASP score task failed. OWASP Compliance Score generation task next iteration scheduled to run in 60 minutes from now." It seems that it's connected with the WAF module, which I'm not using currently. Also, I just checked for network issues, and it seems everything is OK. Does anyone have any idea? Thanks in advance!! (full log below). LTM version: 16.0.0 0.0.12

```
[I][458273][05 Feb 2021 04:40:05 UTC][8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Update OWASP score task failed.
[I][458274][05 Feb 2021 04:40:05 UTC][8100/tm/asm/owasp/task OWASPTaskScheduleWorker] OWASP Compliance Score generation task next iteration scheduled to run in 60 minutes from now.
[SEVERE][458275][05 Feb 2021 05:40:05 UTC][com.f5.rest.workers.asm.AsmConfigWorker] nanoTime:[15761351310149764] threadId:[21] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
    at org.apache.thrift.transport.TSocket.open(TSocket.java:185)
    at com.f5.asmconfig.client.AsmClient.<init>(AsmClient.java:42)
    at com.f5.asmconfig.client.AsmClient.<init>(AsmClient.java:50)
    at com.f5.rest.workers.asm.WrapAsmClient.getClient(AsmConfigWorker.java:306)
    at com.f5.rest.workers.asm.AsmConfigWorker.restCallWithRetry(AsmConfigWorker.java:170)
    at com.f5.rest.workers.asm.AsmConfigWorker.forwardCall(AsmConfigWorker.java:200)
    at com.f5.rest.workers.asm.AsmConfigWorker$1.run(AsmConfigWorker.java:156)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:580)
    at org.apache.thrift.transport.TSocket.open(TSocket.java:180)
    ... 13 more
]client:[7182705]
```

Cookie persistence and source address fallback
I wonder what will be the result of such a setup:

- LB set to Round Robin
- Default Persistence Profile: Cookie (Cookie Insert)
- Fallback Persistence Profile: Source Address
- Source IP same for all requests (SNATed)

My assumption is:

1. First new TCP connection established, no cookie present.
2. Fallback Persistence used, no Persistence Record (PR) found.
3. No persistence is applied because none exists, so the connection will be directed to the first member. What will happen then? Will a Persistence Record for the source IP be created pointing to the first server?
4. In the HTTP response a cookie is inserted pointing to the first pool member.
5. Then a second connection from the same IP comes; assuming that the PR was created and did not time out, LB will be ignored and the connection will be directed to the first server.
6. In the HTTP response again a cookie pointing to the first server will be inserted.
7. Then all returning connections (with cookies set) will be directed to the first server; LB in fact will not be used, except for the situation when there is a long enough period of inactivity between connections to allow the PR to expire. But will the new connection then be sent to the second server according to RR, or not necessarily?

Is the above correct?

Piotr