OCSP AUTH AGENT
Hello everyone, I'm facing a situation and I need your input to figure it out what's wrong. I have a VIP where mtls is configured in the client SSL profile with the issuer's certificate as CA (we call it CA_1), and it works well. (Per info, the client cert is issued by CA_1, which is also issued and signed by a higher authority CA_2.) I wanted to make OCSP checks for client certificates so I created a simple APM policy as follows : Client --- > on-demand cert agent ---> OCSP Auth Agent ---> Allow or deny The OCSP responder is configured with the same CA_1 that's configured in the in the Client authentication in the ssl profile, and a responder (ocsp.example.com). The error I'm facing is OCSP Auth agent: Failure status 'Error querying OCSP responder host ocsp.example.com. To troubleshoot, I did few tests and we can eliminate the following possibilities: Connectivity and DNS: I can reach the responder in the http port using the FQDN. Blocked traffic : no Firewall inspection between the BIG IP and the responder. The responder is not treating the request as it should: openssl ocsp verification works fine and gets me the wanted result from the ocsp responder. The famous "missing host header" : the header is well included in the request sent by the big ip to the responder; moreover, i compared this request to the one sent when using openssl ocsp and the one sent when i test from my own computer using openssl, and they are identical when it comes to the OCSP date in the request and response frames. What's more interesting is when I capture the response sent by the responder when the apm sends the ocsp verification request, i can clearly see that's stating the status of the certificate (which is revoked in my case), but the APM logs doesn't show that; instead, when debugging, it says that the on-demand cert agent is executed (i can see the client cert and the issuer cert CA_1 as well) and then it moves successfully to the OCSP auth agent and then directly it says the querying error. Could you please tell me if you see anything i could do to troubleshoot more ? Any ideas ? PS 1 : I tried also using the CA_2, a bundle of CA_1 and CA_2, a cert chain of both, but no luck ! PS 2 : when i use the CRLDP agent, i can see the status (revoked) in the APM logs. Thank you in advance !
Load balanced RDP VIP use in APM
HI I have a VIP on port 3389, load balancing to two rdp servers. RDP directly to that VIP IP works well. Now I created this as an rdp in apm, I used the dns name that the vip is resolving to as the destination address for the rdp, the apm url has a trusted cert. It gets as far as logging on then it throws the error: The connection has been terminated because an unexpected server authentication certificate was received from the remote computer Seems like the client connects to apm and gets the apm cert - trusted then they click the rdp icon and get the rdp file downloaded, the file has the gateway address of apm with trusted cert, and then the dns name of the rdp vip but then they get the servers real cert which doesn't match the vip dns name and errors. Can I proxy this connection on the F5? I have tried a combination of client and server profiles and the only way I get as far as a login prompt is to have no client or server profile in the vip. I would like the F5 to present its own apm cert to the client , I don't have the ability to put new SAN certs on the servers (not sure that would solve it anyway)
After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs
After upgrading from PeopleTools 8.59.09 to 8.61.11 F5 APM is not rewriting all the internal urls for PeopleSoft Portal Application that also has Home page tiles from HRMS 9.2. Clicking on these tiles takes us to Internal URL instead of F5 externally resolvable url. How to troubleshoot this. I have a case opened with F5 support, but interested in any one else using F5 APM for peoplesoft and seeing similar error.APM VPN LDAP POOL can't contact ldap server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP Server IP, the authentication works fine. However, when I use a Pool with the same LDAP Server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP Pool settings? Thank you.
APM webtop – problem with websockets for Serverside Blazor app
Dear community, We have a web application built with Blazor server side rendering that utilizes SignalR (websockets) and runs on a Windows server with IIS (i.e. not web assembly). Virtual sever: the site runs as intended! Webtop + virtual sever: The site will render and SSO works, but any page using SignalR will loose interactivity as the websocket handshake times out. We have tried to disable websockets on the server which makes SignalR use long polling as a fallback. The web browser displays a different error message but behaves the same otherwise (have not dug deeper as we intend to use websockets in production). I would greatly appreciate any guidance on what to do! This is the log from the blazor web app (behind webtop + virtual server): 2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol. 2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection XQNqGM4oGkm0P1v4NECJ9g created. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Establishing new connection. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Handshake was canceled. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Waiting for the client to close the socket. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket closed. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager Removing connection xVt0cL2a0gpMOiJROyJxhw from the list of connections. This is the log from the same blazor web app when it works as intended 2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol. 2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection c0CR_c-7xa0QydeddE5HcA created. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Found protocol implementation for requested protocol: blazorpack. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Completed connection handshake. Using HubProtocol 'blazorpack'. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "0", Target: "StartCircuit", Arguments: [ https://testsite.com/, https://testsite.com/counter, [], CfD...m ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "EndInvokeJSFromDotNet", Arguments: [ 2, True, [2,true,null] ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "UpdateRootComponents", Arguments: [ {"batchId":1,"operations":[{"type":"add","ssrComponentId":1,"marker":{"type":"server","prerenderId":"80...9c8","key":{"locationHash":"....","formattedComponentKey":""},"sequence":0,"descriptor":".... ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "OnRenderCompleted", Arguments: [ 2, ], StreamIds: [ ] }. This is the output in the web browser console when accessing the site via (webtop + virtual server): 2025-09-18T14:50:28.565Z Information: Normalizing '_blazor' to 'https://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor'. blazor.web.js?F5CH=J:1 2025-09-18T14:50:28.609Z Information: WebSocket connected to wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Connection disconnected with error 'Error: Server returned handshake error: Handshake was canceled.'. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Error: Server returned handshake error: Handshake was canceled. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Failed to start the circuit. blazor.web.js?F5CH=J:1
Checkpoint Web Smartconsole behind reverse proxy.
Does anyone have any experience at trying (and hopefully suceeding) to put a Checkpoint (CP) FW Provider-1 based web smartconsole behind a reverse proxy. The thing is that CP use local IP addresses to identify one of a selection of management module instances. And they use webtransport/websockets to connect from these mgmt modules back to a browser for displaying FW policies and log data etc. That all seems fairly OK but they don't anchor it using the connection ID and so the raw IPs (of what they call the domain blade/instance) get passed to the browser. But we would prefer to NAT/hide/reIP the server (domain) side IPs and not have the internal server/domain IPs sent along to the browser. Part of the conversation, and some wrapper text from me, from the server to the client follows: *** We wish to use access to various customer domains using the /smartconsole web interface. But the access has to be behind a reverse proxy (F5 vIP) and after the initial logon using the CMA IP behind a vIP (so address the browser sees is a service public one) you get a screen where the domain is listed and after selecting continue you get redirected seperately to the CMA IP in an internal JSON/javascript message. Hence breaking the attempt to have the CMA behind a reverse proxy. *** {"data":{"loginToDomain":{"transportOtt":"107ad894-253d-4638-aa31-1c3e7d23172a","transportUrl":"https://100.64.20.29:443/smartconsole/transport","__typename":"LoginToDomainResponse"}}} ***
