application delivery (40281 Topics)

LTM Policy for HTTP Host rewrite
We have a policy to rewrite the HTTP Host header from the original client request to what the backend servers are expecting in the Host header. I have noticed that I get a CORS error when going to a full Swagger page. Is there a way within the profile to rewrite the response header back to what the client originally requested? Thanks, Joe

41 Views, 0 likes, 1 Comment

CPU/vCPU sizing on rSeries
Hi, I am working on sizing an F5 rSeries platform for a telecom-scale deployment and need expert guidance on CPU/vCPU allocation and platform selection.

Traffic profile:
  L3/L4 traffic (AFM use case): ~100 Gbps
  L7 traffic (AWAF use case): ~50 Gbps

Questions:
  1. What is the recommended approach to estimate the required vCPU for such mixed workloads?
  2. Is the r10900 sufficient, or should we consider multiple appliances or VELOS?
  3. Any best practices for tenant sizing and separation for AFM + AWAF?

Appreciate any real-world sizing guidance or reference architectures.

81 Views, 0 likes, 1 Comment

F5 r5600 appliance issue with adding trunk to VLAN
So I get this error when I'm trying to add a trunk to the HA VLAN that I created: "ERROR: Unable to find interface object for configured trunk member 3.0". What does this mean? When I look under the interfaces for the tenant (17.5.0) I do not see the actual interfaces, which are supposed to be 1.0, 2.0, 3.0 ... 10.0; instead I only see 0.1, 0.2, 0.3 ... 0.6. Is that the reason why it shows the error? Also, why does it even show 0.1, 0.2 ... 0.6 instead of 1.0, 2.0, 3.0 ... 10.0? This makes no sense to me. Thank you.

822 Views, 0 likes, 7 Comments

SSL Forward Proxy, iRules and Client Hello
Hi all, I am seeing odd behaviour using SSL forward proxy (SSLO). My intention is to use the Client Hello (SNI) to influence SSL profile selection. I have 2 SSL profiles set up; let's call them A and B.

For trusted connections (i.e. cert issuers in the SSL CA bundle) I am unable to extract the SNI from the initial CH, using the CLIENTSSL_CLIENTHELLO event and [SSL::extensions -type 0]. These are sent to profile A based on SNI. I have pcaps showing the CH incoming to the F5. I assume this may have something to do with the 'verified handshake' functionality. It appears the test client browser keeps attempting the connection and I see inconsistent results (some connections are reset, some succeed). In iRule logs it's apparent the SNI does eventually become available in the CLIENTSSL_CLIENTHELLO event.

For untrusted/self-signed etc. this doesn't appear to happen; these are sent to profile B (identical to A for testing purposes), so my assumption is the F5 is doing some kind of SNI processing (compare to CNs in the trust store?) and then connecting to the server for the 'verified handshake' before releasing the SNI into the CLIENTSSL_CLIENTHELLO event?

I have seen an iRule that effectively disables SSL then parses the raw Client Hello for SNI. I expect this may work, as it would intercept the raw CH so the F5 cannot interfere or do any server-side preamble, but I'd rather do this within the realms of defined events if possible... :-) Any suggestions or comments welcome! Thanks

137 Views, 0 likes, 2 Comments

F5 VELOS Backplane Inter-Tenant Communication
Hello, I'm looking for official documentation confirming whether inter-tenant communication between different tenants within the same chassis partition over the VELOS backplane is supported without requiring an external routing device. I haven't been able to find clear guidance on this, so any assistance would be helpful. Regards

144 Views, 0 likes, 2 Comments

How to verify config before loading to F5
I have edited a .ucs file from old F5s and tried to load it on new F5s. The system went into an Inoperative state and I had to load the config that was in place before loading the edited config from the old F5. When it was inoperative, I ran "tmsh load sys ucs verify" and it showed that one of the lines was not commented with #. How can we verify the file before loading it into the config?

I have the new F5s up with HA and a Sync-Failover setup (GTM is not yet set up). The management IP, HA self IPs and VIPs are different on the new implementation. Is there a recommended way we can merge this config? We plan to have iQuery established after the config is loaded. Is that okay?

177 Views, 0 likes, 3 Comments

VIP control across data centers - how to ensure only 1 VIP is up at a time?
Hi -- at a very high level, we have a need for two VIPs (one in each data center), with automated orchestration so that only 1 VIP is up at a time.

In more detail, we are setting up VIPs to proxy syslog UDP; and having two data centers, and for maximum redundancy, our thought is to have a VIP in each data center, and configure all syslog clients to send to both VIPs. Note that we want to configure the clients' syslog destination using IPs, not hostnames, to eliminate DNS as a point of failure. (Anycast would be perfect for this, but isn't workable from a technical perspective, since we use OSPF within the data centers; and GSLB [via GTMs, DNS controllers] is not an option, since we don't want to rely on DNS resolution for the syslog destinations.)

However, one further requirement is that we can't allow duplicate syslog transmission; the SIEM we're using can only accept one set of syslog records - it lacks deduplication. So, as a result, it's important that only one or the other of the VIPs be proxying the syslog received from a device. We can accomplish this manually, by always having one of the VIPs forced offline. However, we're looking to automate this, so that we don't have windows where no syslog is processed, during the wait for someone to log in and enable the backup VIP.

So - what are the techniques others have used to orchestrate availability of VIPs such that only 1 is available? Would this be accomplished if we were to establish a new device group, with the LTM from each data center in it? Can you HAVE a device group across WAN links like that, without risk of split-brain effects? Or, can we use iRules to somehow accomplish this? E.g. in one data center's VIP, have a client-accepted rule that performs an external monitor check of the other data center's VIP, and rejects the packet if that VIP is up? Any thoughts welcome!

125 Views, 0 likes, 2 Comments

Priority Group Activation is not working
Hi All, I have an LDAP VIP configured with a pool having two members, and applied priority group activation so that all the traffic will go to only one server, and only if that server is not available will traffic go to the other server. But it seems traffic is going to both servers, which is causing the problem. When I remove one of the servers from the pool, everything works fine. From the application perspective, all traffic should go to one server and the other servers should work as secondary. Am I missing any configuration? The load balancing mechanism is round-robin. Thanks,

303 Views, 0 likes, 9 Comments

FQDN Node Configuration
We have always used IP addresses for node creation, but have a new need to deploy an FQDN node on our LTMs. I created it and noticed that an auto-generated node was created with an IP address from DNS within the Common partition, as well as the one I created. I see that the one that was created is green but the one in Common is "monitor failed", therefore the pool is down. I created a specific HTTPS monitor and applied it to the pool (also tried the HTTPS one from Common) but neither worked. Our logging shows that the F5 is reaching out to the node IP address via the management IP; is this expected? Again, this is my first time using FQDN for a node and I am confused by the results/behavior that I am seeing. Any assistance or guidance would be greatly appreciated. Thanks, Joe

135 Views, 0 likes, 3 Comments

Catch Dynamic CRL Errors and Return Friendly Page
Hi all, I've implemented a TLS 1.3 mTLS HTTP virtual server, following the general instructions to support friendly HTTP errors as per "Catch SSL Errors and return a friendly page... | DevCentral", with some slight adjustments. This has worked great and I've been able to catch errors through checks against the SSL::verify_result value.

However, while this works using the CRL File option, the behaviour is different when using Dynamic CRL. It appears that, using the CRL File option, all validation is performed prior to the CLIENTSSL_CLIENTCERT event, with the outcome provided in SSL::verify_result. When using CRL Validator, all non-CRL validation is performed prior to CLIENTSSL_CLIENTCERT, then CRL Validator performs its operations after CLIENTSSL_CLIENTCERT and before the CLIENTSSL_HANDSHAKE event, where the SSL::verify_result value can change based on the CRL Validator outcome. However, on most errors (from testing it appears to be all errors except for revoked status) processing fails and the CLIENTSSL_HANDSHAKE event is never reached. Instead, a TLS protocol response is returned directly to the calling client, removing the opportunity to catch and process the error and return an HTTP response.

Has anyone configured catching SSL/TLS errors using Dynamic CRL and sending friendly HTTP responses? Any thoughts on how to address this? This is specifically to cover all the CRLDP failing scenarios, such as all the "unknown" certificate status triggers and certificates missing the CRLDP extension. Thanks for any help, Andrew

162 Views, 0 likes, 2 Comments