application delivery

f5 client certificate forwarding
I have a website secured through F5; it requires a client certificate, which I need to forward to the server. I don't want F5 to validate the certificate, I just need to pass it to the server. I have set the client certificate to "require" in the SSL profile, and I have added the root CA as Advertised Certificate Authorities because the client will use a self-signed certificate. In the iRule I did the below:

    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            set client_cert [X509::whole [SSL::cert 0]]
            set session_cert $client_cert
        }
    }

    when HTTP_REQUEST {
        if { [info exists session_cert] } {
            HTTP::header replace "X-Client-Cert" $session_cert
        }
    }

Now when I try to access the portal, the certificate popup is displayed, and after choosing the certificate I get "the site can't provide a secure connection, ERR_SSL_PROTOCOL_ERROR". In F5 I see the client certificate is attached to the header. So what might be the issue?
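As an added example (not the poster's iRule and not F5's own code): one way to carry the certificate in a single header line is to base64-encode the DER form that SSL::cert 0 returns, since the PEM text produced by X509::whole spans several lines and an HTTP header field value must be one line. The example also removes any X-Client-Cert header the client itself sent before inserting its own, so the back end never receives a value the BIG-IP did not set. The header name X-Client-Cert is taken from the post; the variable name is an assumption.

```tcl
# Added example, not the poster's iRule.
# Forward the TLS client certificate to the pool member as base64(DER)
# in one header line, and prevent the client from supplying that header.

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 is the leaf certificate in DER form; base64 it so the
        # header value contains no newlines. Variable name is assumed.
        set client_cert_b64 [b64encode [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Drop any X-Client-Cert header the client sent: the back end must only
    # ever see the value set here, never one chosen by the client.
    HTTP::header remove "X-Client-Cert"
    if { [info exists client_cert_b64] } {
        HTTP::header insert "X-Client-Cert" $client_cert_b64
    }
}
```

The variable is set once per TLS connection and HTTP_REQUEST fires for every request on that connection, so each keep-alive request carries the header. On the server the value decodes with base64 -d followed by openssl x509 -inform DER. Since anything that can reach a pool member directly can set this header itself, the back end should trust it only on connections that originate from the BIG-IP's self IPs.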
SSL Orchestrator and Layer 2 Service Integration

Has anyone encountered issues with an rSeries BIG-IP tenant and the integration of a layer 2 service? In my case, I cannot make the service come up even though I have the exact VLAN name and tagging set in the bare-metal OS, and exactly the same VLAN and tagging configured in the tenant.
Ansible - Upload Certificates requires Administrator Role?

Hi, I'm trying to give people the opportunity to manage their SSL certificates themselves. So I built something that triggers an Ansible playbook to upload and update certificates on an LTM. The user has the role "Certificate Manager". When logged into the GUI with that user (for testing purposes), one can upload, update and delete certificates and keys, no problem. When trying to use an Ansible playbook with the credentials of that "Certificate Manager" role user, the playbook fails with the following message:

    { "msg": "Failed to upload the file." }

For uploading/updating certificates and keys I use the F5 Ansible modules:

    f5networks.f5_modules.bigip_ssl_certificate
    f5networks.f5_modules.bigip_ssl_key

When I change the user-role mapping from "Certificate Manager" to "Administrator", the playbook works as expected. I also tried the following role mappings, none of which had the permission to upload certificates and keys:

- Resource Administrator
- Operator
- Application Editor
- Manager

Do I really have to use a user with the Administrator role? This would be a huge security issue in my opinion.

Supplement: I've noticed that "Terminal Access" was disabled for the specific user. I set it to "tmsh" and tried again. This time I was at least able to run the playbook successfully when the certificate was already the same as the one I tried to upload, so the result of the Ansible change was false. But uploading new certificates is still not possible.
F5 XC HTTP 404 route_not_found / rsp_code 404

I would like to add more points about the HTTP 404 error route_not_found / rsp_code 404 in an XC (RE + CE) deployment.

1. Even if XC has the correct host match value in the route, you might still observe a 404 response. In such cases, check the DNS configuration on the CEs. A possible reason could be that the CEs are unable to resolve DNS for the host which is configured in the route.

2. Even if XC has the correct host match value, the path might not match. For example, if you have a single route as shown below and the request comes as https://example.com/, you may see rsp_code 404, as it is not matching any routes.

Example:

    HTTP Method: ANY
    Path Match: Prefix
    Prefix: /hello
    Headers: Host example.com
    Origin pool: example_orgin pool

https://my.f5.com/manage/s/article/K00014749
Deleting an AS3 Tenant

Wanted to share the below method for deleting AS3 tenants, as it wasn't documented. You can use the HTTP DELETE method, but if an admin misses the tenant name after /declare/ it would wipe out all tenants! If you POST the below body to https://{{bigip_mgmt}}/mgmt/shared/appsvcs/declare, as it is a blank declaration, AS3 will remove your partition/tenant.

    {
        "class": "AS3",
        "action": "deploy",
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.1.0",
            "id": "tenant_name",
            "label": "tenant_name_via_AS3",
            "remark": "tenant_name_via_AS3",
            "CHANGE-ME-TO-TENANT-NAME": {
                "class": "Tenant"
            }
        }
    }
Need clarification regarding how to navigate within techdocs

Hello Team, I have a doubt while navigating within the techdocs. For example, let's take this article: https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-concepts-12-0-0.html. Here we can see it's under the "/kb/en-us/products/big-ip-dns/" path, but I am not able to go to the root of it, where we should be able to find all the related articles for BIG-IP DNS. Can anyone please guide me on this? I found a few useful ones, but they still don't solve my issue:

- New and Updated Articles
- K000130285: F5 Product Manuals Index: https://my.f5.com/manage/s/article/K000130285

Thank you.
Failed to execute iptable cmd: ," CMD="iptables -A SSH_ALLOW_RULES error

Hi Mates, after upgrading rSeries F5OS to 1.5.4, I observed the below error and I am unable to SSH to my F5OS machine (version 1.5.4) from the network 10.54.7.0/24. All other networks are working fine and we are able to SSH to the same F5OS machine. Is it that the device was unable to update this entry in iptables? Do we have to manually re-configure this rule?

    ys-host-config[11678]: priority="Err" version=1.0 msgid=0x7001000000000062 msg="Failed to execute iptable cmd: ," CMD="iptables -A SSH_ALLOW_RULES -s 10.54.7.0/24 -p tcp -m state --state NEW --dport 22 -j ACCEPT -w &>/dev/null" ERR="EXITINFO: 4"
SSL Offloading and Backend pool https

Trying to set up a VIP without any SSL profiles and seeing an error as below.

    client ---- https://abcd.xyz.com:8444 ---- F5 ---- Pool abcd1:8444 with HTTPS

The VIP is configured with HTTPS and the backend server has an HTTPS pool; I see the pool member up with the HTTPS monitor. When trying to access it I see the below:

- Without a Client SSL profile, I see 403 "Request's Host header does not match with server's name". Will this be fixed if abcd1 has abcd1 and abcd in its cert?
- With a Client SSL profile using a wildcard cert, I see ERR_RESPONSE_HEADERS_TRUNCATED. What does this error mean?
- Applying a Client and Server SSL profile gives the same error as above (403 Request host header).

Can someone point me to a good article explaining these errors and what happens between F5 and the backend pool member when there is no Server SSL profile and we have only a Client SSL profile?
F5 breaking Exchange authentication

We have Exchange 2016 going through our F5 BIG-IP. It works nicely. When we add our new Exchange 2019 server, clients are unable to authenticate using the desktop version of Outlook. Auth works fine without the F5 in the loop. Thanks in advance for any thoughts you might offer, as our team as well as F5 support are stumped.
Disaster Recovery

Hello everyone, I need to implement a disaster recovery solution for a customer. I read the solution K39543431, but there are some points that are not clear to me. In order to build it, I need to configure the same VLANs that are present on the active/standby pair on the disaster recovery devices, so that I need to configure, for each VLAN, only the self IP. To sum up: the disaster recovery device needs to reach all VLANs configured on the active/standby devices; it needs to be added as a peer and configured as part of a traffic group; in this way it is possible to sync everything. Is it correct? Does someone know if there is a guide or tutorial that is possible to download for having more information about how to do it? Many thanks everyone for your time and consideration. Awaiting news. Rgds,