Not active oauth tokens after reboot
Hi, I have an oauth profile what generates opaque oauth tokens with long lifetimes. I originally thought the tokens where invalidated after an upgrade or even a failover. Now after testing they are indentified as "Not active" in the APM log. The tokens work just right after generating them. Also, despite the long lifetime setup in the oauth profile, the tmsh commands lists the tokens with same dates on issue and expiry, for both access and refresh tokens. So the tokens seem to be generated with wrong expiry dates. I've noticed this in the production cluster, and am able to test in a standalone non-production device. I have several cases escalated with F5 support but I have no real significant replies and tests to do since weeks. So I am unfortunately asking here to see if anybody has ideas to test or troubleshoot. Thanks. Lloyd
replace URL branching against Datagroup
Hello, is there any possibility to use a datagroup instead of URL branching object in APM per request policy? I want to find an easy way to maintain a URL filter list for MFA on specific paths. Could it be possible via iRule Event -> ACCESS_POLICY_AGENT_EVENT? If yes has someone a code snippet for this job? Thanks & BR René
[APM] URL stops working , location : /my.policy?ORG_URI=1f931c35
hello Team , We have a strange issue . User is able to access the url but sometimes the url doesn't work and when he checks in developer tool it has a status code of : 302 Found. After 10-15min it starts to work without any intervention. Response Headers : Connection : close Content-Length:0 Location : /my.policy?ORIG_URI=1f931c35 We are using APM for ACL and URL filtering , so where can I find my.policy ? I did not find any logs with this id 1f931c35 in cat apm or cat ltm logs , cat pktfilter logs , cat urlfilter logs .. Kindly please advice .APM Local DB multiple groups
Hi, I'm using APM with localdb authentication and performing a group lookup and resource assign ACLs based on the localdb group. It works well with one group and one set of ACLs per group. But what if I want a user to have ACLs from more than one group? do I assign multiple groups to the user? I've sort of tried this but it did not work. Only ACL from one group are applied. Is this sort of functionality supported or is the group field in localdb meant for only one group?
F5OS share APM VPN licence across tenant clusters
Hello, I have deployed a pair of r5900 series appliances. On these appliances, I have an Active/Standby tenant cluster of F5 BIG IP running with the APM module provisioned and an APM configuration dedicated to SSL VPN using the F5 Edge Client. The F5OS chassis are using 3 licences : r5900 Best bundle APM 1000 VPN Users (x2) This means that the production environment can handle up to 2000 concurrent users connected at the same time, on the APM-enabled BIG-IP tenants. My question is the following : Can I create 2 new tenants running BIG-IP with APM module and create a new APM configuration for VPN testing purposes ? How are the "APM 1000 VPN Users" licence shared across tenants running on the same r5900 chassis ? In the official F5OS documentation, I have noticed that every tenants inherits the licences provisionned on the F5OS chassis. But there is no explanation regarding the sharing of the VPN seats included in the APM VPN licences. Thank you.F5 APM / Connection to Provider via explicit proxy
Hi guys, we need to configure the APM module to use authentication provider (Okta, AzureAD). Because the f5 is not an edge device, we have to use an explitzit proxy for the connection of the f5 APM module to the public clouds. Any ideas how to configure it? During the federation configuration and the VE policy I don't see any possbility. The proxy db variable does not work for this kind of traffic. A layered VIP does not connect with an "HTTP connect" to the pool member which could be an explicit proxy..... Thank you
APM combine check for ldap group plus IP ACL
Hi, A client wishes to create an APM policy that will, amongst other things, do the following - The client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL. Can this be done using only APM, and if so, how? Or do we need to combine an IRULE and if so, is there a simple way to do this? (we have 30 groups that need to be matched to ACLs). Thanks, Vered
Mdm server internal error
Hi All, I have a F5 APM with End point Management Systems configured to make connection with microsoft intune to update the mdm complaince database in the F5. We have running this configuration for many years and since 14 feb, the F5 is not able to make connection to microsoft intune to update the mdm complaince database. in tthe GUI i see the following error message: "Mdm server internal error". The hardware is running on version 15.1.8.2. Has anyone the same issue or have solve the issue. Thanks.
Issues with F5 appliance black holeing traffic
Hi wondering if anyone can help or has seen an issue similar to this? 2 tenants on 1 Host One tenant has the issue, the other doesn't. All upstream networks and devices assurance checked and logs analysed. Issue only present on Hostname: dcnn-lb01-int.circlehealthgroup.co.uk Key Info: CPU in the control plane consistently spikes at 100% (5-10 times per min) Outbound traffic is blackholed if session starts during CPU spikes. All outbound traffic types all affected - ICMP from tmos, Node polling, F5 sync messaging, snmp messages....etc If session starts outside of CPU spikes then issue isn't present - ICMP started will run continuously without drops Symptoms last < 2secs per "CPU event". Symptoms present as if the default route drops/changes, gateway is unreachable or traffic is blackholed. Repeating here but essential to note that this is only for newly established sessions during that window. Established sessions (e.g. continuous ICMP from tmos) are not affected during the same blackholing event window where new sessions are. Thanks in advance DaveOrder of resource assignment when user assigned multiple network access resources
Good day, What logic or method is used by the F5 APM to choose which network access resource takes affect when a user is assigned multiple network access resources? In my environment (BIG IP Virtual Edition APM+LTM 16.1.4 two node cluster) we are assigning different network access resources based on group membership. Some users are members of multiple groups that are being assigned different resources, which often is resulting them in having the "general user" settings and address pool take affect instead of the Executive settings and pool, to which they are also assigned. I haven't been able to determine the logic that APM is applying to determine which resources take precedence. It doesn't appear to be the order in the Advanced Resource assignment. It almost looks alphabetical. Thanks Chris
