application delivery
43019 Topics

What happens if I activate only ASM without provisioning LTM?
Suppose I have a BIG-IP device licensed for both LTM and ASM, but under System > Resource Provisioning, only the ASM module is enabled and set to Nominal. Would the system still perform load balancing across multiple pool members in this case, or do I need to enable the LTM module to support that functionality? Which functionalities will be disabled? Thanks in advance.
Solved | 23 Views | 0 likes | 4 Comments

Implement load balancing solution with constraints
We have three (3) clustered Postgres servers with an endpoint on each at port 9201 that responds with the word master in the TCP response if that server is the primary in the cluster.

telnet fred 9201 will respond with:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 56

<html><body>PostgreSQL master is running.</body></html>

Based on which instance responds as master, we would like to direct all traffic to the k8s cluster that is closest to the master. We have Postgres databases in three data centers: fred, barney and bambam. If fred responds with master, then we would like Big-IP to direct all traffic to fred.k8s.internal; likewise, if barney responds with master, direct all traffic to barney.k8s.internal.

Our team is struggling with how to implement this. Any suggestions? We can do this using either the HTTP response or the TCP response; both are valid. Any insight would be appreciated.
19 Views | 0 likes | 1 Comment

How to Block Source IP for 24 Hours After TPS Violation (F5 DoS / iRule / SSL Proxy Setup)
Hi everyone,

We are currently working on a traffic management requirement and would appreciate your input.

Requirement:
We want to implement a mechanism that blocks a source IP for 24 hours once it exceeds 5 TPS (Transactions Per Second). Even if the TPS drops later, the IP should remain blocked for the full 24-hour duration.

Current Setup:
SSL Proxy (Client and Server SSL enabled) - Frontend and Backend both on port 443
There are no other iRules being used
We are using a DoS profile on the F5, which blocks traffic based on a 5 TPS threshold. However, this blocking is dynamic: once the TPS drops below the threshold, the IP is allowed again. This behavior does not meet our requirement, as we want to enforce a fixed penalty (24-hour block) regardless of subsequent traffic rate.

What We're Looking For:
A solution where:
Once an IP exceeds 5 TPS, it gets blocked for 24 hours.
Even if TPS drops below the threshold, the IP should not be allowed again until the full block duration expires.

iRule Attempt:
We tried using the below iRule to achieve this:

==============
when RULE_INIT {
    set static::TPS_LIMIT 5
    set static::BLOCK_DURATION 86400 ;# 24 hours in seconds
}

when HTTP_REQUEST {
    set src_ip [IP::client_addr]

    # If IP is already blocked, drop request
    if {[table lookup -notouch "blocked_$src_ip"] ne ""} {
        log local0. "Blocked IP $src_ip due to TPS violation"
        drop
        return
    }

    # Track TPS per IP
    set count [table incr "tps_$src_ip"]
    table timeout "tps_$src_ip" 1

    if {$count > $static::TPS_LIMIT} {
        log local0. "TPS violation from $src_ip. Blocking for 24h."
        table set "blocked_$src_ip" 1 $static::BLOCK_DURATION
        drop
    }
}
===========

The above iRule gives an error like "insecure connection".

Could the insecure connection error be related to trying to run this logic in the HTTP_REQUEST event on SSL traffic, and how to fix it? Is there a better way to achieve this via iRules, DoS profiles, or a combination?

Thanks in advance for your help!
33 Views | 0 likes | 2 Comments

Migration of complete ucs file of BIGIP 2000 LTM to r5800 creating tenant/ Using Journey APP
Hi F5 Community, I need help migrating the complete BIGIP 2000 LTM ucs file/configuration to an r5800 series BIG-IP device by creating a new tenant. I have researched the Journey app, but it's only installed (I think) through a Linux-based system and furthermore needs Docker-related items installed, and I don't have enough experience with Docker and Linux. Is there any other way, using a Windows-based machine, to migrate the complete LTM module file to the r5800 while creating a new tenant on the r5800?
38 Views | 0 likes | 4 Comments

F5 XC and Service Policy/HTTP path
Hi Team, We are migrating some ASM policies to the XC platform. However, the customer has a long list of URLs allowed by the ASM policy. I understand that the Service Policy on XC is the functionality to use in this case, but I received an error message: "We found 1 error: Field 'Exact Values' in HTTP Path must contain no more than 16 item(s)." Perhaps some URLs can be changed to regular expressions, but I'm unsure how to reduce this to only 16 items. Any ideas or suggestions would be appreciated.
25 Views | 0 likes | 1 Comment

R4800 snmp issues.
Hello, I have an r4800 series. I have configured SNMP v2c with community string: xyzxyz v2c, but it did not work. // Please do not hang on the IP, FQDN name and SNMP string; I modified them. All SNMP requests reach our R4800 but there is no response. Does anyone have a similar issue or a solution for this?
27 Views | 0 likes | 1 Comment

Citrix iApps
Hi guys, I am working to deploy Citrix via F5 APM. I got a behavior I do not understand. We are working with multiple AD domains. In web browser access all is OK, but with the Citrix App (Citrix Workspace) it works for one domain but not all. For my deployment I just implement the iApps template, change the VPE to all my trusted domains. That's all. Does anyone have an idea about this? Thank you for your support. The client pre-check
Solved | 30 Views | 0 likes | 2 Comments

TCL Error possibly causing TCP Resets?
Good day all, Thanks for taking the time to read and hopefully respond with helpful suggestions on my issue. We are experiencing random TCP Reset / Forcibly closed connection issues from Windows Web Application Servers to our iPaaS DB servers and we are investigating traffic routing and a few other options. I've also recently discovered these "TCL Errors...." in our logs. Internet search suggests that improper iRules with [LB::server pool] configuration could cause TCP Resets. Based on the image of the logs below and the portion of iRule that the logs reference, what is potentially incorrect with my code on lines 1 and 282?

iRule Lines 1 - 52:

when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return };
    # X-Forwarded header clean-up
    if {[HTTP::header exists "X-Forwarded-Host"]}{
        HTTP::header remove X-Forwarded-Host
    }
    if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked. from: [IP::client_addr]"
        drop
    }
    if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] && [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
        drop
    }
    if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com"} {
        log local0. "Referer [HTTP::header "Referer"] is blocked. from: [IP::client_addr]"
        reject
    }
    if { [string tolower [HTTP::path]] contains "<redadcted>" && (![class match [IP::client_addr] equals "/Common/<redacted>"])} {
        log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
        drop
    } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
        if { !( [HTTP::header exists "X-Forwarded-Port"]) }{
            HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
        }
        pool <pool_name>
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }

iRule Lines 272 - 294:

    else {
        pool <pool>
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate" ;# (line 282)
            }
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }
}

I sincerely appreciate your time and energy in this. Thanks. - Paul C.
55 Views | 0 likes | 5 Comments