cisco
190 Topics

telnet to server from F5
I have an F5 BIG-IP 4200 on code version 11.4 and I cannot seem to telnet to anything over a specific port. I am using route domains, so I was following this article: http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10467.html This does not appear to be working though, as I am still not able to telnet to anything that I know should be working. This is the error I get:

run util telnet 2620:0000:0C10:F501:0000:AD00:172.28.141.168 453
Trying 2620:0:c10:f501:0:fe4d:ac1c:8da8...
telnet: connect to address 2620:0:c10:f501:0:fe4d:ac1c:8da8: Network is unreachable

I am able to telnet to 172.28.141.168 on port 453 from my desktop. IPv6 is enabled... am I missing something?

BIG-IP LTM sending TCP resets due to SSL handshake timeout?
Hi F5 gurus, we have an HTTPS file transfer going on a daily basis and we are experiencing a big problem here. The client is a Java program and the server is behind the F5. We are offloading SSL on the F5, so we use a client SSL profile with default settings (version 11.2.1 LTM, SSL handshake timeout = 10 sec). tcpdump is saying that the RSTs are generated from the F5. As per F5, a handshake time of more than 10 sec will make the system vulnerable to DoS attacks. Also, the client routes through many network devices before hitting the F5 BIG-IP. I have enabled rstcause.log and rstcause.pkt, which give me the logs below.

ltm 12-15 17:00:13 err lb1 tmm1[9547]: RST sent from server ip :443 to client ip :14720, [0x147b9e1:962] SSL handshake timeout exceeded
ltm 12-15 17:00:13 err lb1 tmm1[9547]: RST sent from server ip :443 to client ip :14716, [0x147b9e1:962] SSL handshake timeout exceeded
ltm 12-15 17:00:13 err lb1 tmm1[9547]: RST sent from server ip :443 to client ip :14718, [0x147b9e1:962] SSL handshake timeout exceeded
ltm 12-15 17:00:13 err lb1 tmm[9546]: RST sent from server ip :443 to client ip :14719, [0x147b9e1:962] SSL handshake timeout exceeded
ltm 12-15 17:00:14 err lb1 tmm1[9547]: RST sent from server ip :443 to client ip :14716, [0x147db9a:4315] TCP 3WHS rejected
ltm 12-15 17:00:14 err lb1 tmm1[9547]: RST sent from server ip :443 to client ip :14718, [0x147db9a:4315] TCP 3WHS rejected
ltm 12-15 17:00:14 err lb1 tmm[9546]: RST sent from server ip :443 to client ip :14719, [0x147db9a:4315] TCP 3WHS rejected

Please help me if you have seen this problem before. Thanks in advance.

Cisco ISE load-balancing and Change of Authorization (CoA)
First, let me clearly state that I do not have a Cisco background. I have no experience with the RADIUS protocol and am not familiar with the details of CoA, so I am not in a position to know whether what I'm being asked to do is appropriate, necessary or makes sense. Our Cisco guys came to me asking for a RADIUS load-balancing VIP with persistence based on CALLING-STATION-ID. I found https://devcentral.f5.com/questions/load-balance-cisco-ise-servers easily enough, so I created a wildcard UDP VIP with the iRule. But they came back with an additional CoA requirement. They claim that the ISE servers periodically send "a CoA packet" to the clients of the RADIUS VIP. They want the LTM to intercept these packets and SNAT them from the RADIUS VIP address. They claim that the clients of the RADIUS service will only accept CoA packets from the VIP address. Apart from the link above, the only good resource on the subject I can find is https://supportforums.cisco.com/blog/153056/ise-and-load-balancing. I get somewhat lost in the terminology, but this statement seems important: "Each PSN gets listed individually in the Dynamic-Authorization (CoA). Use the real IP Address of the PSN, not the VIP." In the context of this document it sounds to me like the "PSN" is also the pool member of the RADIUS VIP, and that we should be adding the IP address of the pool member in some CoA field on the clients of the RADIUS VIP. But again, not being familiar with RADIUS, I'm very uncertain. Apart from the question of whether or not I can SNAT from a VIP address at all (which I highly doubt), does anyone have some insight into how to account for these RADIUS/CoA packets in a load-balancing context?

Trunk / VPC Port-Channel not working properly with Nexus 9K / 2K (FEX): Spanning-tree involved
Hello DevCentral, I'll present to you an odd behavior using two Nexus 9k (9.2.1) with Nexus 2k as FEX, on which two BIG-IP i4600 (12.1.4) are connected.

Our setup:
- The two BIG-IPs are configured in a device group.
- Each BIG-IP is connected to two Nexus 2k (FEX) in the same aggregate, using VPC technology on the Nexus.
- The configuration matches this KB: https://support.f5.com/csp/article/K13142
- Spanning-tree is disabled on the interfaces and the trunk on the BIG-IP.
- Flow control is disabled on the BIG-IP and the Nexus.
- The BIG-IPs are connected to multiple VLANs using the "Tagged Interfaces" option (802.1q tag on packets).

Observations with this spanning-tree setup on the VPC configured on the Nexus:

spanning-tree port type edge
spanning-tree bpduguard enable

Observation 1: When every interface is up, everything works properly.
Observation 2: If I shut one or the other interface of Port-channel1 on the switch, everything is OK. If I shut both interfaces of Port-channel1, the aggregate is seen "Down". If I "no shut" interface1 of Port-channel1, the aggregate is rebuilt and works after a few seconds.
Observation 3: If I shut one or the other interface of Port-channel1 on the switch, everything is OK. If I shut both interfaces of Port-channel1, the aggregate is seen "Down". If I "no shut" interface2 of Port-channel1, the aggregate is rebuilt but packets are not forwarded to/from this interface.

Observations with this spanning-tree setup on the VPC configured on the Nexus (notice the word trunk added):

spanning-tree port type edge trunk
spanning-tree bpduguard enable

Observation 1: When every interface is up, everything works properly.
Observation 2: If I shut one or the other interface of Port-channel1 on the switch, everything is OK. If I shut both interfaces of Port-channel1, the aggregate is seen "Down". If I "no shut" interface1 of Port-channel1, the aggregate is rebuilt and works after a few seconds.
Observation 3: If I shut one or the other interface of Port-channel1 on the switch, everything is OK. If I shut both interfaces of Port-channel1, the aggregate is seen "Down". If I "no shut" interface2 of Port-channel1, the aggregate is rebuilt and works after a few seconds.

General observations:
- There is no error detected on the interfaces/Port-Channel on the Nexus.
- There is no error detected on the interfaces/Port-Channel on the BIG-IP.

Conclusion:
- "spanning-tree port type edge" is not working for this setup.
- "spanning-tree port type edge trunk" is working for this setup.

Question: Can someone explain what's happening here? Regards, my fellow companions.

F5 LTM Transparent mode configuration
Dear All, I am trying to configure a BIG-IP LTM device to work in transparent mode in order to replace a Cisco ACE device. I have already done several configurations, but the results are not as good as they should be. I used the following guide: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_vlans.html1062318 As a result, I am not able to ping the external and internal networks; it looks as if the LTM blocks the entire flow. Any help will be appreciated! Thanks in advance!

Simplest ping is not working between Cisco switch and F5
I have created a VLAN and put one interface in that VLAN as untagged, as the interface on the Cisco switch side is an access port. I created a self IP for the VLAN. Now I try to ping the SVI on the Cisco switch, but the ping from my own self IP fails. The same ping is unsuccessful from the Cisco switch side. I have already installed two F5s and I am out of ideas as to why ping is not working. When I take the cable out of the F5, put it in a laptop and try to ping from the laptop, it works, but not from the F5. Any ideas, please? The version is 11.2; my previous F5 was version 11.4. Please help.

BIG-IP to Cisco via 10Gb SFP+ Direct Attach Copper
Hi, is anybody using Cisco DAC 10G transceiver/copper cables (TwinAx) to connect from a Cisco switch to a BIG-IP? I can't seem to find an answer; I suspect it is not supported, which is always an issue for DACs between vendors. Cheers

F5 Trunk port is connected to Cisco Switch Access Port
Any issues if an F5 trunk port is connected to a Cisco switch port configured as an access port? Will there be any loop formed if the cable is wrongly patched as below?

F51 Trunk port1 to F52 Trunk port12.
F51 Trunk port2 to Cisco Access port -> Any issues or STP loop?

The two ports above are members of the same VLAN. Thanks.

How to check Health Status of BIG-IP LTM
We are using BIG-IP LTM in our production environment. I am asked to submit a "health check report" of the device on a weekly basis. I am a bit confused about "Monitors, QKview, and Statistics": what should I use to check the health of the device? What is the recommended and best way to report on health status? Keep in mind that the devices are in production, so we cannot afford any downtime. Any help will be appreciated. Thanks.