telnet to server from F5
I have a F5 big-ip 4200 on code version 11.4 and I cannot seem to telnet to anything over a specific port. I am using route domains so I was following this article: http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10467.html This does not appear to be working though as I am still not able to telnet to anything that I know should be working. This is the error I get: run util telnet 2620:0000:0C10:F501:0000:AD00:172.28.141.168 453 Trying 2620:0:c10:f501:0:fe4d:ac1c:8da8... telnet: connect to address 2620:0:c10:f501:0:fe4d:ac1c:8da8: Network is unreachable I am able to telnet to 172.28.141.168 on port 453 from my desktop. IPv6 is enabled...am I missing something?
Connections vs sessions
Hi all This is my first post so apologies if I'm breaking any standards. I'm having trouble figuring out the difference between connections and sessions. No matter how much I Google this, I'm not finding a simple answer. Let me phrase it this way...if you read the article on "LTM: Dueling Timeouts" (https://devcentral.f5.com/articles/ltm-dueling-timeouts), it says: "Persistence timeouts are actually idle timeouts for a session, rather than a single connection." Unfortunately that statement does not tell us anything meaningful unless the definition of a connection and session is clarified. Or to put it another way, if you consult the F5 V11 configuration guide as it relates to session persistence profiles (http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-1-0/ltm_persist_profiles.html), it says: "The primary reason for tracking and storing session data is to ensure that client requests are directed to the same pool member throughout the life of a session or during subsequent sessions." So my question here would be, what factors influence whether ongoing HTTP GET requests (as an example) constitute a single session, or subsequent sessions? I'd really appreciate somebody's help here as I know this is a fundamentally basic concept but I'm unable to find a definitive answer.
Pool members with fully-qualified domain names (FQDNs): How does this work?
From release notes of v11.6.0 (on new features): Populate pools by FQDN This release includes the ability to configure a BIG-IP system with nodes and pool members that are identified with fully-qualified domain names (FQDNs). When configuring pool members with FQDN, addresses dynamically follow DNS changes. Fully dynamic DNS-managed pools may even be created. How does this work? When the fqdn resolves to multiple addresses, how is LB handled?
APM logon page redirect loop
When i connect to my vserver using APM, i recieve the below message. Your session could not be established. BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session. Thank you for using BIG-IP. To open a new session, please click here. clicking 'here' just redirect loops back to this page over and over. I've cleared the sessions and even rebooted the bigip, and i get the same thing. any ideas? thanks,TCP RST instead of Server Hello during SSL Handshake
Hi All, Been troubleshooting an issue with a customer after they made changes server side to disable SSLv2 and SSLv3 etc and to only accept ciphers for TLS1.1 and TLS1.2 By default they were using the standard default https monitor for their pool and post making changes server side (i don't have access) the node is now not coming up. HTTP is fine but HTTPS is a problem. We're running BIG-IP 11.4.0 (Build 2434.0) I'm wondering if he's only enabled ciphers which aren't available in the current version of Big-IP we are using Here's the SSLDUMP (cipher set to ALL): 1 1 - 1444809450.0879 (0.0024) C>SV3.1(114) Handshake ClientHello Version 3.1 random[32]= 56 1e 0a ea e4 11 03 df d1 77 92 83 da ec 1d 44 21 65 c2 20 97 25 40 53 75 d6 e5 c2 6b 1d 96 65 cipher suites TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Unknown value 0x46 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xff compression methods unknown value NULL 1 - 1444809450.0884 (0.0004) S>C TCP RST
HOW-TO disable Microsoft-HTTPAPI /2.0
To the Microsoft Experts out there This is my (GTM) scenario... There are two Data Centers Each Data Center with its own GTM and its own IIS server ( hosted on Windows 2012 server) ( each IIS server hosting the same website or in other words configure with the same application pool) At the DNS resolution level, GTM works flawlessly.. I have constructed an http monitor validating the host header of the application pool, so when i stop one of the application pool ( in either data center) GTM is capable of detecting the site as "down" and providing DNS response the the one application pool remaining as "up" in the other Data Center. If I do an HTTP capture I can see the "Server" response header with the expected value of "Microsoft IIS 8.5" up until here all good! My problem arises at the Browser/user session level When I go and stop one of the application pool, GTM ( as i said) is capable of detecting the app went down and provides a DNS response to the remaining available site, HOWEVER at the Browser level the user is getting a 503 ERROR message "Service Unavailable". Analyzing the HTTP captures I see the "server" response header with the value of "Microsoft-HTTPAPI / 2.0" as if the IIS is still listening on port 80 for incoming user request Does anyone knows is this API is related to my problem? If so, how to disable it I have attached an screenshot for better clarification Thanks in advanced!
Health check via URL
Hi, Wanted to setup a load balancer which can check the health of a node based on the URL (not by pinging just host and port). For example: The LB should check the following URLs and if the HTTP response is 200 (OK) and the response text contains keyword as “PASS” then that particular node is good otherwise don’t send any request to that node. https://mysite.com:22301/ws/healthmonitor https://mysiteb:22301/ws/healthmonitor
