F5 Content Switching
I am coming from a netscaler world where they had an element in the UI for content switching... I know with F5 you can use iRules to select a Pool but the problem I find with that is in the netscaler world you select a virtual server to content switch to which has the advantage of having all of the virtual server specific policies/authenication/waf etc tied to it. Is it possible to use irules to direct to another virtual server with F5 while retaining the same external IP for the client instead of the pool? (ie: I don't want to do a simple redirection from one url to another or ip to another, it needs to be transparent like netscaler does)
Snapshot capability of VE Guests on VCMP
Hi all, I wish to investigate on the backup/restore capcacity beyond ucs backup. With VEs running on VMWare we can take adavantage of VMWare's snapshot capability to have images of the VE before we operate on it. Are there similar capabilities available on my 5250V/VCMP? Cheers, Gabe
LDAPS Monitor with Certificate Expiration
Hi Team, I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate and it expires and ADLDAPS queries fail since they dont bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired ( ie, not a valid SSL cert ) I have been messing with the LDAP Health monitor, turning on the Security settings, but I dont believe this would actually check that a certificate is valid or not. I know with server side SSL configuration you can enable SSL authentication but would just stop traffic from flow, not actually drop a member out of the pool. Any ideas ?
Sharepoint 2010 Health Monitor
I have an HTTP GET health monitor setup for our Sharepoint 2010 servers. The health montior seems to work as I am seeing 200s come back from the server after authentication. However, what I'm also seeing is the health monitor sending along several GETs without the NTLM credentials and those come back with 401 authentication errors: Logs from Sharepoint server...top two are not successful as the LTM did not send along the credentials of PPL\spsearchqa. Bottom two are successful with the creds: 2015-04-24 13:48:04 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 401 2 5 5 2015-04-24 13:48:04 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 401 1 2148074254 5 2015-04-24 13:48:08 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 PPL\spsearchqa xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 200 0 64 12045 2015-04-24 13:48:14 xxx.xxx.xxx.xxx GET /sitepages/Home.aspx - 80 PPL\spsearchqa xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+5.1;+rv:2.0.1)+Gecko/20100101+Firefox/4.0.1 200 0 64 10075 Here is how my health monitor is setup: Any help would be very much appreciated. Thank you!GTM Internal and External View configuration
Hi Team, One of our customer requirement is to configure GTM as DNS server for both external user and internal user. Few of the records are common for both internal and external user but ip address are different. eg : abc.test2.com fqdn, 1.1.1.1 is ip address for external user and 2.2.2.2 is ip address for internal user. This is first time we are doing such internal and external view configuration on GTM, so we tested this first on lab env. On over lab setup we created external view for test2.com with 172.16.1.1 as SOA and resource record for abc.test2.com (1.1.1.1) and created internal view for test2.com with 192.192.1.1 as SOA and resource record for abc.test2.com (2.2.2.2), we were able to create internal and external zone and resource record . But both View have both abc.test2.com (1.1.1.1) and abc.test2.com (2.2.2.2) record, also internal view SOA is overwritten with 172.16.1.1(external view IP). Please help me how to configure internal and external view. Below are screenshot taken from view and zone. External view Internal view View list Zone list Thanks, Sachin
Maxed out CPU utilization - cbrd process
As I wait for a response from F5 support, thought I'd ask the question here. We just noticed that our BIG-IP (VE) is running at max cpu with the cbrd process taking up 160% of the cpu ( tmm takes up almost all the rest. And the total being 200% due to the 2 cores, from what I gather). I know the cbrd process is a core process, and according to SOL8035 it's for XML content based routing. However, we don't have anything set up to use XML content based routing so I'm not sure why the process would be using so much CPU. So my question is two fold: Is it safe to restart the cbrd process on a production box (i.e. Will it cause any negative impact on existing connections) if we're not using xml content based routing? Has anyone seen something like this before, or know why it might be happening (or how to troubleshoot why it's happening)? Thanks! -MichaelHelp with configuring F5 load-balancing in between two ASA pairs (full routing)
Hello, I'm fairly new to F5s, and from what I've been seeing in my searches it appears as though I've really dived into the deep end for complex F5 setups. I've been spending time researching my issues but so far haven't been able to find the specific answers I need. Topology Details: Route Path: Internet <--> External ASA <--> F5 <--> Nexus 5k <--> Internal ASA <--> Server DMZs External ASA: - inside IP is 172.16.0.1/24 - Performs Static NAT from public IPs to VS IPs F5: - external VLAN (172.16.0.0/24) attached to external LACP trunk, tagged - internal VLAN (10.99.0.0/24) attached to internal LACP trunk, tagged - default gateway points to 172.16.0.1/24 - internal gateway (10.0.0.0/8) points to 10.99.0.10/24 - self-ip (float) 10.99.0.1/24 - All VS on 172.16.0.0/24 - nodes on multiple 10.x.x.x/24 subnets Nexus5k: - 'outside' IP is 10.99.0.10/24 - default gateway points to 10.99.0.1/24 Internal ASA: - default gateway points to Nexus5k - All load-balanced servers behind ASA on different security zones/interfaces - No NAT Notes: - Active/Standby HA using an HA VLAN on Internal trunk. - The gateway of the servers must be the internal ASA. - The topology cannot be changed. Questions: Will I need any SNATs in this setup? The routing should technically take care of everything so I'm not seeing much purpose in SNATs based on my understanding of how it works. I already set up an IP forwarding server (source/destination of 0.0.0.0/0) to allow OUTBOUND (server initiated) routing to pass through the F5; I have enabled loose initiation/close and disabled 'reset on timeout' using an attached custom FastL4 profile. Will I need any special forwarding servers or other virtual servers outside of Standard to make this work for INBOUND connections? Are there any other details I need to consider that I haven't mentioned here?
