cisco
BIG-IP to Cisco via 10Gb SFP+ Direct Attach Copper
Hi, Anybody using Cisco DAC 10G transceiver/copper cables (TwinAx) to connect from a Cisco switch to a BIG-IP? Can't seem to find an answer, suspect it is not supported, which is always an issue for DACs between vendors. Cheers

LTM 11.4.1 - Trying to Identify equivalent features to cisco ACE
We have a legacy application which uses the following features in Cisco ACE:

    parameter-map type http PARAMETERS
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
      parsing non-strict

I am looking to find equivalents for these in F5 LTM, as once we migrated the application to LTM we see a lot of intermittent issues accessing the application and a lot of 'Resets' from the clients to the Virtual Server IP in tcpdump. The application has multiple pools and we are using the following iRule to switch between pools based on a cookie that the application sends to the browser:

    when CLIENT_ACCEPTED {
        set default_pool [LB::server pool]
    }
    when HTTP_REQUEST {
        ONECONNECT::reuse disable
        if { [HTTP::cookie exists "Pool-cookie"] } {
            switch [HTTP::cookie value "Pool-cookie"] {
                "Pool1" { pool Pool1 }
                "Pool2" { pool Pool2 }
                default { pool $default_pool }
            }
        } else {
            pool $default_pool
        }
    }

For the persistence-rebalance in ACE we are using OneConnect, so the LTM can make an L7 load-balancing decision for every HTTP request inside the same TCP connection (content switching feature of OneConnect). Just to ensure that the 'server-connection-reuse' is not causing any issues, it has been disabled inside the iRule. Effectively we are trying to use OneConnect only for the content switching requirement. The HTTP header size has been set to 65535 in the http profile. The 'length-exceed continue' option in ACE makes it still process the request even if the HTTP header size is more than 65535, but I could not find a similar option to this in LTM. LTM sends a RST if the header size exceeds. Is there any option available in LTM similar to the 'length-exceed continue' feature in ACE? The 'parsing non-strict' in ACE ignores malformed cookies in a request and continues parsing the remaining cookies. The application seems to have 'non-compliant RFC2396 characters' in its HTTP responses, which the LTM might not like if it processes only RFC2396 compliant HTTP requests. Is there any feature in LTM similar to the 'parsing non-strict' in ACE so it can continue processing other cookies even though there are a few malformed cookies from the application?

Automatic weekly backup transfer to FTP
Hi, I have configured 00 3 * * * tmsh save /sys ucs /var/ucs/XYZ.ucs in crontab -e and the weekly backup is working fine locally. Now I need to schedule an automatic transfer of the backup files to an FTP server. I got this script from DevCentral for the FTP transfer:

    DATE=$(date "+%m_%d_%y")
    # Here we create the ucs archive (tmsh writes it to /var/local/ucs/$DATE.ucs)
    tmsh save sys ucs $DATE
    # Here we copy it to your server with scp
    scp /var/local/ucs/$DATE.ucs user@ip_server:path
    # Here we do the same with ftp
    ftp -n your_server <

Now I am a little bit confused about where to write this script and how it will relate to the cronjob. Can anybody help on this? Regds.....

Problem with SNAT configuration
I'm trying to configure a SNAT for Cisco ISE Change Of Authorization (COA). The goal is to have the virtual address from the load balancer appearing as the source of all COA connections. This way I don't need to add each policy server address to the NADs. I'm using LTM 11.0.0. I configured the SNAT as shown below:

    ltm snatpool /Sisop-Linux/radius_coa_snat {
        members {
            /Sisop-Linux/172.10.10.10    # address used as origin
        }
    }
    ltm virtual /Sisop-Linux/vs-isepsn-coa {
        destination /Common/0.0.0.0:1700
        ip-protocol udp
        mask any
        profiles {
            /Common/udp { }
        }
        snatpool /Sisop-Linux/radius_coa_snat
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/v811-pool-net-services    # vlan where the policy servers are located
        }
        vlans-enabled
    }

The COA traffic never reaches the destination. A tcpdump on the load balancer shows that traffic is entering the "v811-pool-net-services" vlan but it doesn't exit. Can anyone help me?

Solution for duplicate F5 Self IP's at two datacenters using OTV
We are planning a migration of an F5 LTM VIPRION pair in datacenter A to an F5 LTM VE pair in datacenter B. We would like to do this in a phased approach (bringing waves of servers at a time) and keeping all IP addresses the same (servers, VIPs, self IPs, VLAN IDs, route domains, gateway, routes etc.). We are using OTV to extend the Layer 2 networks across the datacenters. My concern is duplicate self IP addresses between the F5s, because you cannot disable ARP for an F5 self IP like you can for an F5 VIP. I was thinking to do something like this to support the F5s at Datacenter A and B operating simultaneously, perhaps blocking the F5 MAC addresses of Datacenter A from reaching Datacenter B and vice versa:

Cisco:

    mac-list F5-OTHER-DC_vMAC seq 10 deny 0000.xxxx.xxx1 ffff.ffff.ffff
    mac-list F5-OTHER-DC_vMAC seq 11 deny 0000.xxxx.xxx2 ffff.ffff.ffff
    mac-list F5-OTHER-DC_vMAC seq 20 permit 0000.0000.0000 0000.0000.0000
    route-map F5-OTHER-DC_Filtering permit 10
      match mac-list F5-OTHER-DC_vMAC
    otv-isis default
      vpn Overlay200
        redistribute filter route-map F5-OTHER-DC_Filtering

Is this a supported design? Thanks!

Websites do not load correctly when load balancing via proxy
We currently have a pair of BIG-IPs with 11.5 running in our DC. One of the services we want to load balance is a pair of Cisco WSAs (IronPort) which function as web proxies. When a client connects via the BIG-IP's VIP to access the proxies we have the problem that not all of the content is loaded. This problem does not change if we take one of the WSAs out of the pool so that we can be sure we always go via the same proxy. It is also working fine when the clients go via one of the proxies directly. [UPDATE] The http-WSA-proxy profile is based on the fastL4 but has XFF enabled. Does anyone have an idea what we are missing and why we are not receiving the complete page?

High level traffic flow: Client <> BIG-IP Cluster <> Firewall <> 2x Cisco WSA Web Proxy <> Firewall <> Internet

LTM config:

    ltm virtual vs_NAME {
        destination VIP%RD:webcache
        ip-protocol tcp
        mask 255.255.255.255
        partition NAME
        persist {
            source_addr_mirror {
                default yes
            }
        }
        pool NAME
        profiles {
            /Common/fastL4 { }
            http-WSA-proxy { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans {
            NAME-VIPs
        }
        vlans-enabled
        vs-index 17
    }

TACACS Auth Errors
Version: 11.5.2 HF1
TACACS for Admin auth

Error:

    Sep 9 19:32:55 hostname err sshd[22220]: pam_tacplus: (pam_tacplus) converse returned 19
    Sep 9 19:32:55 hostname err sshd[22220]: pam_tacplus: that is: Conversation error
    Sep 9 19:32:55 hostname err sshd[22220]: pam_tacplus: unable to obtain password

Migrated the UCS from an old appliance to a new one. All that has changed is the management IP and the Self IP addresses. Everything else is the same. The F5 can ping the TACACS+ server. This error does not occur with every login, it almost appears to show up at random in /var/log/secure. Any tips?

f5-lbaasv-1.0.10 agent configuration to test single tenant f5 lbaas with openstack
I am trying the F5 LBaaSv1 VERSION 1.0.10 driver and agent to provision the pool, vip and pool member into BIG-IP LTM 11.6 VE launched as an OpenStack VM. Here are the steps I have followed.

1. Launched the BIG-IP LTM VM with 3 interfaces.
2. Interface eth0 is the management interface.
3. I performed the steps below from the UI of the BIG-IP VM and the datapath works for LBaaS.
   3.1. SNAT creation. SNAT is created with the following configuration: Translation Automap, Origin All IPv4 addresses, VLAN / Tunnel Traffic ALL.
   3.2. Created 2 VLANs, untagged tunnel.
        Internal: Interface 1.1 (eth1) with IP 51.0.0.4 is for the internal network (network between pool members and the BIG-IP VM).
        External: Interface 1.2 (eth2) with IP 61.0.0.4 is for the VIP (external network).
   3.3. Created 2 self IPs: self IP 51.0.0.4 created for the internal tunnel, self IP 61.0.0.4 created for the external tunnel.
   3.4. Created a virtual server with destination IP 61.0.0.4.
   3.5. Created a pool and added 2 pool members (51.0.0.9, 51.0.0.10).
   3.6. Launched a VM on the 61.0.0.0/24 network and sent a curl request to VIP 61.0.0.4, and the datapath works.

Now I want to provision the steps above with f5-oslbaas-agent. The agent runs with f5-oslbaasv1-agent.ini, which has many configurable options. Which are the options I need to fill in to test single tenant F5 LBaaS? Any thoughts on this?

VOIP Device under F5-BIG LTM
Dear All, Please advise on all configuration in this infra. My requirement is shown in the Diagram. I already added a route in F5 (route

1. Do I need Source Address Translation (AutoMAP) in the F5 Virtual Server? Listen on External Vlan
2. Do I need a Virtual server listening on the Internal Vlan for 192.168.10.97/32?
3. I am using multiple ISP load balancing. I want the VoIP device to go out to ISP1 only, so do I need iRules?

Understanding this iRule - to resolve upto 15 seconds lag while playing videos
Hi, I need help in understanding the iRule below. I am also mentioning the VS setting for clarity.

    virtual vs_cdms_http {
        snat automap
        pool pool_cdms_http
        destination 10.0.2.10:http
        ip protocol tcp
        rules ir_cdms_http
        persist pr_dms_source_addr
        profiles {
            http {}
            tcp {}
        }
    }

    rule ir_cdms_http {
        when HTTP_REQUEST {
            # SET DEBUG TO 1 TO TURN ON AND 0 TO TURN OFF
            set DEBUG 0
            set defaultURI "/windows/test.txt"
            if { $DEBUG } { log local0. "DMS URI: [HTTP::uri]" }
            switch -glob [HTTP::uri] {
                "/" { set uri $defaultURI }
                default { set uri [string tolower [HTTP::uri]] }
            }
        }
        when HTTP_RESPONSE {
            set pserver [persist lookup source_addr [IP::client_addr] node]
            if { $DEBUG } { log local0. "DEBUG LINE TURN OFF IN PROD URI $uri PServer $pserver:Client Ip [IP::client_addr]:Active Members [active_members [LB::server pool]]" }
            switch -glob $pserver {
                10.0.0.1 { HTTP::redirect "http://abc001$uri" }
                10.0.0.2 { HTTP::redirect "http://abc002$uri" }
                default { HTTP::redirect "http://$pserver$uri" }
            }
        }
    }

May I know how this iRule will be affecting/processing the traffic? Your help will be kindly appreciated.