advanced firewall manager
91 Topics

AFM 11.6.0 HF5 error after virtual rename
I have a pair of VE (BEST) in HA that I'm using to test version 11.6.0 HF5, pending their use in a new datacenter we are setting up. The system has LTM, AFM, ASM and APM provisioned at 'nominal'. The current configuration has no policies in both ASM and AFM; I'm still testing LTM & APM. Then I did the following:

    root@(myhost01)(cfg-sync In Sync)(Active)(/Common)(tmos) modify /sys db mcpd.mvenabled value true
    root@(myhost01)(cfg-sync Changes Pending)(Active)(/Common)(tmos) save sys config
    Saving running configuration...
    /config/bigip.conf
    /config/bigip_base.conf
    /config/bigip_user.conf
    Saving Ethernet mapping...done
    root@(myhost01)(cfg-sync Changes Pending)(Active)(/Common)(tmos) mv ltm virtual ZSVR_TEST_SECURE_10443 VSVR_TEST_APM
    root@(myhost01)(cfg-sync Changes Pending)(Active)(/Common)(tmos) Jul 16 18:33:03 myhost01 emerg pccd[12228]: 015d0000:0: Transaction failed.
    root@(myhost01)(cfg-sync Changes Pending)(FIREWALL UPDATE FAILED)(/Common)(tmos)

OOPS! Apparently the AFM broke. I can return it back to green by issuing the command:

    restart sys service pccd

But I don't know if this error can have consequences for future operations... I know the rename function is in 'early access' mode, so little or no support can be expected, but do you think I need to reset the config from scratch? Thanks, Angelo.

389 Views, 0 likes, 7 Comments

Different file size and checksum for BIG-IP images
Hi, Is it normal that BIG-IP image files are different sizes on the active and standby units in a cluster (same hardware platform):

    [jay@F5-4000-a:Active:In Sync] images ls -la | grep 11.4.1.608
    -rw-r--r-- 1 root root 1484894208 Oct 30 02:59 BIGIP-11.4.1.608.0.iso

    [jay@F5-4000-b:Standby:In Sync] images ls -la | grep 11.4.1.608
    -rw-r--r-- 1 tomcat tomcat 1575387136 Mar 11 2014 BIGIP-11.4.1.608.0.iso

Both units are in an active/standby cluster and failover works. Cheers, Jay

334 Views, 0 likes, 2 Comments

blocking port 80 with a policy at the global level not working
Hi, I am trying to block port 80 on bigip AFM using the following rule. But for some reason it's not getting hit.

    curl -sk -u admin:admin https://192.168.6.158/mgmt/tm/security/firewall/policy/ocpolicy/rules -H 'Content-Type: application/json' -X POST -d '{"name": "dport80","action": "drop","ipProtocol": "tcp","place-before": "first","destination": {},"source": {"ports": [{"name": "80"}]}}'

If I apply a rule saying block tcp protocol it just works fine.

    curl -sk -u admin:admin https://192.168.6.158/mgmt/tm/security/firewall/policy/ocpolicy/rules -H 'Content-Type: application/json' -X POST -d '{ "name":"dtcp","action":"drop","ipProtocol":"tcp","place-before":"first","destination":{},"source":{}}'

I am using the BIG IP in an L2 bridge mode. I have 2 VLANs, created a VLAN group, and added a self IP to the VLAN group.

298 Views, 0 likes, 1 Comment

F5 Viprion power supply log
Hi Guys, Currently, we are planning to install F5 VIPRION 4480N along with one Blade 4300 type. Because of the limited number of power sources, we are planning to use 2 power supplies per chassis: power supply 1 and 4. Today, we powered up this VIPRION in our lab and found out that the power supply alarm and LED keep blinking, though we had cleared it several times before. The system displayed the log below continuously:

    Jun 9 03:40:02 slot1/localhost emerg system_check[11423]: 010d0006:0: Chassis power supply 2 has experienced an issue. Status is as follows: STATUS=bad.
    Jun 9 03:40:02 slot1/localhost emerg system_check[11423]: 010d0006:0: Chassis power supply 3 has experienced an issue. Status is as follows: STATUS=bad

My questions:
1. Is it okay to use only 2 power supplies out of the total 4?
2. Is there any way to disable this alarm?

Thank you for any input

306 Views, 0 likes, 4 Comments

After upgrading Symantec can not go through F5 SSL
Dear All, Seeking support: after upgrading, the Symantec endpoint client cannot go through F5; any idea why? There seem to be multiple errors:

    [log_id2015011310152754b47fbf9fd55] =>
    [detected_av] => Array (
        [av_1] => Array (
            [agent_id] => OPSWAT_AV
            [data_version] => 1.0
            [protect] =>
            [update] =>
            [need_update] =>
            [expression_id] =>
            [name] => MicrosoftAS
            [features] => 2
            [engine_version] => 1.1.10201.0
            [database_version] => 1.165.1076.0
            [database_signature] =>
            [database_time] => 2014.01.03 08:02:19
            [monitor] => disabled
            [last_scan] => undefined
            [gui_state] => hidden
            [description] => Windows%20Defender
            [database_age] => 375
            [r_log_0] => Criteria failed - not an antivirus
        )
        [av_2] => Array (
            [agent_id] => OPSWAT_AV
            [data_version] => 1.0
            [protect] =>
            [update] =>
            [need_update] =>
            [expression_id] =>
            [name] => NortonAV
            [features] => 3
            [engine_version] =>
            [database_version] =>
            [database_signature] =>
            [database_time] => undefined
            [monitor] => enabled
            [last_scan] => undefined
            [gui_state] => hidden
            [description] => Symantec%20Endpoint%20Protection
            [database_age] => unknown
            [r_log_0] => Criteria failed - older than 30 days: unknown
        )
        [summary] => Array (
            [count] => 2
        )
    )

Thanks, Simonsc

228 Views, 0 likes, 2 Comments

iControlREST: issue with security DOS path
I see, when doing

    curl -k -u https:///mgmt/tm/security/dos/device-config

    {
      "items": [
        {
          "dosDeviceVector": [
            {
              "defaultInternalRateLimit": "100000",
              "detectionThresholdPercent": "500",
              "detectionThresholdPps": "10000",
              "name": "arp-flood"
            },

when doing

    curl -k -u https://localhost/mgmt/tm/security/dos/device-config/stats

    {
      "entries": {
        "https://localhost/mgmt/tm/security/dos/device-config/ARP%20flood/stats": {
          "nestedStats": {
            "entries": {
              "common.attackCount": {
                "value": 0
              },

Note: "arp-flood" is now "ARP flood"

Then calling

    curl -k -u https://localhost/mgmt/tm/security/dos/device-config/ARP%20flood/stats

I get

    {
      "code": 404,
      "errorStack": [],
      "message": "01020036:3: The requested DoS Device configuration (/Common/ARP) was not found."
    }

245 Views, 0 likes, 2 Comments

Citrix StoreFront 3.0 supported?
Does the iApp support StoreFront 3.0? The deployment guide "citrix-vdi-iapp-dg.pd.pdf" only lists StoreFront 2.6 as a deployment option. Will the iApp support version StoreFront 3.0, or do I need to uninstall 3.0 and install 2.6? Thank you... David Stovall

1K Views, 0 likes, 19 Comments

TCP Traffic Path Diagram
Hi all, It's bugged me ever since I looked at the ADF exam blueprint that there still wasn't a definitive document or diagram available that described or showed the TCP Traffic Path and Order of Operations of a packet passing through an F5. I'm aware of the BigIP Path Graph v1.7 from Red Education but that's five years old and hasn't been subject to any review. To that end I've recently started my own as you can see below. Comments and more importantly corrections or queries are encouraged.

Note as it stands I've not added many iRule events as I'd like to get the flow and order sorted first. I'm pretty sure what I've done is mostly correct but I'd love some review before I continue and finish off the server side operations. Many thanks in advance.

You may need to right-click, open image/in new tab to see it full size. New version - December 2015:

3.4K Views, 1 like, 49 Comments

F5 Load balancer not working, but all the configurations are successful
I have configured an F5 LB with one node, one pool, and two members in the pool, and the Virtual Server is configured. I can see everything is working (every place it is green), but when I use the VIP to connect to my webserver, it is not getting resolved in my browser. Can you please throw some light on this issue? What to check and where to check? I have been stuck with this issue for a long time. P.S. I have not configured iRules; I have used the default pool in the Virtual Server configuration.

2.1K Views, 0 likes, 14 Comments