application delivery
VIP in https that redirects to another VIP in https
Hi, I have a VIP in HTTPS with a certificate that has an LTM policy attached. In the policy, if the path is /prova, I'm trying to redirect to another VIP in HTTPS, but this doesn't work. Usually I redirect the calls only to VIPs in HTTP. Is there a solution for using all the VIPs in HTTPS? Thanks

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM

Hi all, I have an F5 VE running 17.5.1.3 in my lab environment for learning purposes. As back-end I installed the phpauction webpage and all configuration works flawlessly if only the LTM module is enabled. This in its most simple form: virtual server on port 80, TCP profile, HTTP profile, pool, Automap. When I add another module, for example ASM, the VIP stops working although it's still green/up and not even a security policy has been attached to the VIP. Captures show that the SYN is reaching the F5 but I do not get a response from it:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes
16:24:51.691462 IP 192.168.1.100.64282 > 192.168.2.10.80: Flags [S], seq 5173934, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis= port=1.1 trunk=
16:24:51.942738 IP 192.168.1.100.64625 > 192.168.2.10.80: Flags [S], seq 1642892817, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= port=1.1 trunk=

I checked the back-end connection as well but the F5 is not sending out the SYN to the webserver. So it looks like it's blackholing my traffic. When I disable ASM and use only LTM, everything starts to work again. Even when trying with different modules like APM, the same issue happens. The VIP is not responding after only enabling APM or AFM. I tried the following:
- Factory reset the machine.
- Upgrade to 17.5.1.3.
- Enable RST CAUSE (but there isn't any because the SYN isn't there in the first place).
- Force reload config on the mcpd process.
- Enabled ltm debugging without receiving any logs about the connection.
- Looked into the DoS and bot defense logs to see if traffic is dropped at an earlier point in the chain.
- Enabled tmm debug without getting any relevant logs.
- Changing the VIP from standard to fastl4.
- Remove the HTTP profile.
I did play a lot with other modules as well, like ASM, APM, AFM, SSLO and DNS, so that's why I thought it was a configuration issue at first. But resetting the machine to factory default did not solve it. Is it possible there are some leftovers from my learning path on this machine? Do you know what additional steps I can take to solve this issue? Thanks. Best regards, Mitchel

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Hello F5 Community, I'm designing a BIG-IP VE deployment and need to achieve 40G throughput from 4x10G physical NICs. After extensive research (including reading K97995640), I've created this flowchart to summarize the options. Can you verify if this understanding is correct?

**My Environment:**
- Physical server: 4x10G NICs
- ESXi 7.0
- BIG-IP VE (Performance LTM license)
- Goal: Maximize throughput for data plane

**Research Findings:**
From F5 K97995640: "Trunking is supported on BIG-IP VE... intended to be used with SR-IOV interfaces but not with the default vmxnet3 driver."

          [Need 40G to F5 VE]
         ┌─────────┴─────────┐
         │                   │
   [F5 controls]      [ESXi controls]
  (F5 does LACP)     (ESXi does LACP)
         │                   │
    Only SR-IOV      Link Aggregation
         │                   │
     ┌───┴───┐       ┌─────┴─────┐
     │40G per│       │ 40G agg   │
     │ flow  │       │ 10G/flow  │
     └───────┘       └───────────┘

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Hello DevCentral Team, I am troubleshooting a server-side TLS issue where BIG-IP intermittently fails to establish a TLS connection to a backend service.

Observed behavior:
- Client to BIG-IP TLS handshake completes successfully.
- BIG-IP to backend TLS handshake fails.
- Backend responds with a TLS alert: Level Fatal, Description Decode Error.
- Failure occurs very early in the handshake, immediately after ClientHello.

Configuration details (sanitized):
- Backend service listens on HTTPS using TLS 1.2.
- BIG-IP is operating in full-proxy mode.
- The default serverssl profile has been removed.
- A custom Server SSL profile is attached with an explicit server-name configured and server-side SNI enabled.
- No client certificate authentication is required by the backend.

Validation already performed:
- Direct openssl s_client testing from BIG-IP to the backend succeeds.
- TLS version and cipher suites are compatible.
- Backend certificate chain appears valid when tested outside BIG-IP.
- The issue appears specific to BIG-IP initiated server-side TLS.

Questions:
- Can a backend return a fatal decode_error even when BIG-IP sends SNI correctly?
- Are there known cases where certain TLS extensions sent by BIG-IP but not by OpenSSL trigger this error?
- Are there Server SSL settings commonly associated with decode_error responses?
- Any recommended BIG-IP specific debugging steps beyond tcpdump and ssldump?

Thanks in advance for any guidance or similar experiences.
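A decode_error alert sent right after ClientHello means the peer could not parse the message (RFC 5246 defines it as a field out of range or an incorrect length), so the practical check is to compare the ClientHello that BIG-IP sends with the one openssl s_client sends, extension by extension, and to verify that every length in the BIG-IP one adds up. The script below is an added example, not code from the post and not F5 code: a standard-library Python parser for raw ClientHello records plus a diff of the extension lists and SNI of two captures. The two sample ClientHellos are constructed inside the script; which extensions each side sends there is purely illustrative and says nothing about what BIG-IP or OpenSSL actually emit. In practice you would feed it the bytes of the first record of the server-side connection exported from the tcpdump capture instead of the samples.

```python
"""Parse TLS ClientHello records and diff the extension lists of two captures.
Added example (not from the post, not F5 code); stdlib only. The sample
ClientHellos below are CONSTRUCTED, not what BIG-IP or OpenSSL really send."""
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 16: "alpn", 23: "extended_master_secret",
             35: "session_ticket", 43: "supported_versions", 51: "key_share",
             65281: "renegotiation_info"}


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello (RFC 5246 section 7.4.1.2).
    Raises ValueError on lengths that do not add up (what decode_error means)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record truncated")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake message truncated")

    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                          # legacy_version + 32-byte random
    pos += 1 + hello[pos]                 # legacy_session_id (u8 length prefix)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0]
               for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                 # legacy_compression_methods (u8 length)

    extensions, sni = [], None
    if pos < len(hello):                  # the extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if pos + ext_total != len(hello):
            raise ValueError("extensions length does not match message length")
        while pos < len(hello):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if len(edata) != elen:
                raise ValueError("extension %d truncated" % etype)
            extensions.append(etype)
            if etype == 0 and elen >= 5:
                # ServerNameList: u16 list len, u8 name type, u16 name len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"version": version, "ciphers": ciphers,
            "extensions": extensions, "sni": sni}


def diff_extensions(hello_a, hello_b):
    """Return (extension names only in A, only in B), in wire order."""
    a, b = hello_a["extensions"], hello_b["extensions"]
    return ([EXT_NAMES.get(e, e) for e in a if e not in b],
            [EXT_NAMES.get(e, e) for e in b if e not in a])


def build_client_hello(sni, extra_exts, version=0x0303):
    """Build a minimal TLS 1.2 ClientHello record; extra_exts = [(type, payload)]."""
    exts = []
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts.append((0, struct.pack("!H", len(entry)) + entry))
    exts += extra_exts
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    ciphers = b"\xc0\x2f\xc0\x30"         # two ECDHE-RSA AES-GCM suites
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: which extensions each side sends here is illustrative only.
GROUPS = (10, b"\x00\x04\x00\x1d\x00\x17")       # supported_groups: x25519, P-256
SIGALGS = (13, b"\x00\x04\x08\x04\x04\x01")      # rsa_pss_rsae_sha256, rsa_pkcs1_sha256
OPENSSL_SAMPLE = build_client_hello("backend.example.com",
                                    [GROUPS, SIGALGS, (43, b"\x02\x03\x03")])
BIGIP_SAMPLE = build_client_hello("backend.example.com",
                                  [(11, b"\x01\x00"), GROUPS, SIGALGS,
                                   (23, b""), (65281, b"\x00")])


def compare_samples():
    """Parse both captures and report SNI agreement plus the extension diff."""
    a, b = parse_client_hello(OPENSSL_SAMPLE), parse_client_hello(BIGIP_SAMPLE)
    only_a, only_b = diff_extensions(a, b)
    return {"sni_match": a["sni"] == b["sni"],
            "only_in_openssl": only_a, "only_in_bigip": only_b}


if __name__ == "__main__":
    print(compare_samples())
```

If the parser itself raises ValueError on the BIG-IP record, the backend's decode_error is explained by the message encoding; if both records parse cleanly and only the extension sets differ, the entries in only_in_bigip are the candidates to remove from the Server SSL profile one at a time while re-running the capture.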

Cisco TACACS+ Config on ISE LTM Pair

I'm trying to add TACACS+ configuration to my ISE LTMs (v17.1.3). We use Active Directory for authentication. The problem is when I try to create the profile, the "type" dropdown does not show "TACACS+". APM is not provisioned either; not sure if that is needed. I provisioned it on our lab, but no help.

Illegal Metacharacter in Parameter Name in Json Data

Dears, can someone tell what the issue is here? The BIG-IP is reporting the illegal metacharacter "#" in a parameter name, but the highlighted part of the violation doesn't contain the metacharacter "#" in the first place, and the parameter which BIG-IP displayed in the highlighted part is actually not a parameter. I believe the issue is with the BIG-IP only. Any suggestions here, please? I think the issue is that BIG-IP is not parsing the JSON payload properly.
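One way to check a report like this against what a JSON-aware parser actually sees is to walk the parsed payload and list only the object keys that contain the character in question, since a "#" inside a string value is never a parameter name. The script below is an added example, not BIG-IP code and not a reproduction of ASM's parser or of its default metacharacter list; the request body and the "#" set are constructed for the example, and nested names are reported with a path so they can be matched against the violation details.

```python
"""Walk a JSON request body and list the parameter names (object keys) that
contain a given metacharacter. Added example, not BIG-IP/ASM code; the sample
body and the default metacharacter set ("#") are constructed for illustration."""
import json


def iter_parameters(node, path=""):
    """Yield (full path, key, value) for every object key in a parsed JSON value.
    Only object keys can be parameter names; array elements are addressed as
    name[index] so nested keys remain unambiguous."""
    if isinstance(node, dict):
        for name, value in node.items():
            full = "%s.%s" % (path, name) if path else name
            yield full, name, value
            for item in iter_parameters(value, full):
                yield item
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            for item in iter_parameters(value, "%s[%d]" % (path, idx)):
                yield item


def find_illegal_names(body, metachars=("#",)):
    """Parse body (bytes or str) as JSON and return a sorted list of
    (parameter path, offending character) for every key containing one of
    metachars. Returns None when the body is not valid JSON, in which case no
    JSON parameter names exist and a byte-level match is the only thing a
    raw-pattern check could have hit."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    hits = []
    for full, name, _value in iter_parameters(doc):
        for ch in metachars:
            if ch in name:
                hits.append((full, ch))
    return sorted(hits)


# Constructed sample body: two keys really contain '#'; two string VALUES also
# contain '#' but are not parameter names and must not be reported.
SAMPLE_BODY = b"""
{
  "user": {"name#1": "alice", "comment": "color #ff0000 is red"},
  "items": [{"id": 1, "tag#": "x"}, {"id": 2, "tag": "y"}],
  "note": "#hashtag"
}
"""

if __name__ == "__main__":
    for path, ch in find_illegal_names(SAMPLE_BODY):
        print("parameter %r contains %r" % (path, ch))
```

If the highlighted fragment in the violation is a string value rather than one of the paths this prints, the device is not treating the body as JSON at that point, which is the first thing to confirm before concluding the parser is wrong.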

SSL Bridging and FQDN rewrite Policy

We are trying to deploy a VIP that will do SSL bridging but also rewrite the FQDN to the server. So the client goes to https://www.example.com and is terminated on the F5 VIP, and then the traffic is sent on to the server as https://www.myexample.com, with the F5 terminating both TLS connections. I have tried several profile combinations, but I see the traffic going to the server with the original domain and not being rewritten. If this would be easier to do with an iRule I am OK with that as well, but I have tried to use more policies than iRules recently. Thanks, Joe

How can I get started with iCall

Hi all. Recently I have wanted to learn how to use iCall to do some automated operations work, but I haven't seen any comprehensive tutorials about iCall on AskF5. Are there any good articles I can refer to for learning? Do I need to systematically learn Tcl first? I still have a question about iCall: what is the difference between using iCall and using shell scripts with scheduled tasks to achieve automated management and configuration of F5? Best regards

Could not communicate with the system. Try to reload page.

I am trying to check for live updates of attack signatures in F5, but I am getting a message. On passive devices, the signature list does not display; it keeps loading and never shows the updated signatures. Has the destination or location of the signature updates changed in version 17?