For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

deployment

3852 Topics

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.
Hi all, I have an F5 VE running 17.5.1.3 in my lab environment for learning purposes. As back-end I installed the phpauction webpage and all configuration works flawlessly if only the LTM module is enabled. This in the most simple form: Virtual server on port 80. TCP profile HTTP profile Pool Automap When I add another module, for example ASM, the vip stopped working although it's still green/up and not even a security policy has been attached to the vip. Captures show that the SYN is reaching the F5 but I do not get a response from it: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes 16:24:51.691462 IP 192.168.1.100.64282 > 192.168.2.10.80: Flags [S], seq 5173934, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis= port=1.1 trunk= 16:24:51.942738 IP 192.168.1.100.64625 > 192.168.2.10.80: Flags [S], seq 1642892817, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= port=1.1 trunk= I checked the back-end connection as well but the F5 is not sending out the SYN to the webserver. So it looks like it's blackholing my traffic. When I disable ASM and use only LTM, everything starts to work again. Even when trying with different modules like APM, the same issue happens. VIP is not responding after only enabling APM or AFM. I tried the following: - Factory reset the machine. - Upgrade to 17.5.1.3. - Enable RST CAUSE. (but there isn't any because the SYN isn't there in the first place) - Force reload config on the mcpd process. - Enabled ltm debugging without receiving any logs about the connection. - Looked into the dos and bot defense logs to see if traffic is dropped at an earlier point in the chain. - Enabled tmm debug without getting any relevant logs. - Changing the vip from standard to fastl4. - Remove http profile. I did play a lot with other modules as well like ASM, APM, AFM, SSLO, DNS, so that's why I though it was a configuration issue at first. But make the machine factory default, did not solve it. Is it possible there are some left overs during my learning path on this machine? Do you know what additional steps I can take to solve this issue? Thanks. Best regards, Mitchel
tjoll66
Dec 24, 2025 Place Technical Forum
38Views
0likes
2Comments
BIG-IP VE: 40G Throughput from 4x10G physical NICs
Hello F5 Community, I'm designing a BIG-IP VE deployment and need to achieve 40G throughput from 4x10G physical NICs. After extensive research (including reading K97995640), I've created this flowchart to summarize the options. Can you verify if this understanding is correct? **My Environment:** - Physical server: 4x10G NICs - ESXi 7.0 - BIG-IP VE (Performance LTM license) - Goal: Maximize throughput for data plane **Research Findings:** From F5 K97995640: "Trunking is supported on BIG-IP VE... intended to be used with SR-IOV interfaces but not with the default vmxnet3 driver. [Need 40G to F5 VE] ┌──────┴──---------------------- ────┐ │ │ [F5 controls] [ESXi controls] (F5 does LACP) (ESXi does LACP) │ │ Only SR-IOV Link Aggregation │ │ ┌───┴───┐ ┌───┴───┐ │40G per│ │40G agg │ │ flow │ │10G/flow │ └───────┘ └───────┘
Solved
Karthick1
Dec 24, 2025 Place Technical Forum
106Views
0likes
5Comments
Failing over Virtual F5 VE to DR location using Zerto
is there any recommendation for F5 VE redundancy using Zerto ?
2Bs
Dec 22, 2025 Place Technical Forum
41Views
0likes
1Comment
Cisco TACACS+ Config on ISE LTM Pair
I'm trying to add TACACS+ configuration to my ISE LTMs (v17.1.3). We use Active Directory for authentication. The problem is when I try to create the profile, the "type" dropdown does not show "TACACS+". APM is not provisioned either, not if that is needed. I provisioned it on our lab, but no help.
simpsjy
Dec 19, 2025 Place Technical Forum
100Views
0likes
8Comments
Connection Rest f5
I have box f5 i4800 version 15.1.5, we faced some issues , I have virtual server listen on https 443 then under it pool have one node listen on http port 80 and I used ssl client profile, when I try access VIP , I can't access it and faced connection rest , then check all setting for vip is ok , again try but I can't access , After that I delete this VIP and Create it again with the same setting and the same ssl client profile after that I can access Vip and application is working fine, so I think so that is bug of this version ,please advise me.
Fouad2
Dec 12, 2025 Place Technical Forum
86Views
0likes
5Comments
Import the iSeries UCS file into the rSeries BIG IP tenant.
Hello, I have import ucs file from my iseries and trying to import it into big ip tenant on rseries but I got this error. I have tried the manual version and F5 journeys but the result is always the same. --------------------------------------------------------------------------------------------------------------------------------------------------------------- load_config_files[4900]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure Unexpected Error: Loading configuration process failed. 2025 Nov 20 21:05:12 localhost.localdomain load_config_files[4900]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure Broadcast message from systemd-journald@localhost.localdomain (Thu 2025-11-20 21:05:14 EAT): load_config_files[5614]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure Unexpected Error: Loading configuration process failed. 2025 Nov 20 21:05:14 localhost.localdomain load_config_files[5614]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure Configuration loading error: base-config-load-failed For additional details, please see messages in /var/log/ltm
Solved
Manu99
Dec 04, 2025 Place Technical Forum
136Views
0likes
4Comments
BIG-IP device fails to install node-inspector
Hi all, when I followed the steps in 'Steps to Setup Node-Inspector on BIG-IP' and executed the following command, an error occurred. command: [root@bigip1:Active:Standalone] ~ # npm install -g node-inspector@0.12.8 errors: npm ERR! Linux 3.10.0-862.14.4.el7.ve.x86_64 npm ERR! argv "/usr/bin/node" "/usr/bin/.npm__" "install" "-g" "node-inspector@0.12.8" npm ERR! node v6.9.1 npm ERR! npm v3.10.8 npm ERR! path /usr/lib/node_modules npm ERR! code EROFS npm ERR! errno -30 npm ERR! syscall access npm ERR! rofs EROFS: read-only file system, access '/usr/lib/node_modules' npm ERR! rofs This is most likely not a problem with npm itself npm ERR! rofs and is related to the file system being read-only. npm ERR! rofs npm ERR! rofs Often virtualized file systems, or other file systems npm ERR! rofs that don't support symlinks, give this error. npm ERR! Please include the following file with any support request: npm ERR! /root/npm-debug.log logs: [root@bigip1:Active:Standalone] ~ # tail -30 /root/npm-debug.log 7616 silly idealTree | `-- lodash@3.10.1 7616 silly idealTree +-- xmldom@0.1.31 7616 silly idealTree +-- xtend@4.0.2 7616 silly idealTree +-- y18n@3.2.2 7616 silly idealTree `-- yargs@3.32.0 7617 silly generateActionsToTake Starting 7618 silly install generateActionsToTake 7619 warn checkPermissions Missing write access to /usr/lib/node_modules 7620 silly rollbackFailedOptional Starting 7621 silly rollbackFailedOptional Finishing 7622 silly runTopLevelLifecycles Finishing 7623 silly install printInstalled 7624 verbose stack Error: EROFS: read-only file system, access '/usr/lib/node_modules' 7624 verbose stack at Error (native) 7625 verbose cwd /root 7626 error Linux 3.10.0-862.14.4.el7.ve.x86_64 7627 error argv "/usr/bin/node" "/usr/bin/.npm__" "install" "-g" "node-inspector@0.12.8" 7628 error node v6.9.1 7629 error npm v3.10.8 7630 error path /usr/lib/node_modules 7631 error code EROFS 7632 error errno -30 7633 error syscall access 7634 error rofs EROFS: read-only file system, access '/usr/lib/node_modules' 7635 error rofs This is most likely not a problem with npm itself 7635 error rofs and is related to the file system being read-only. 7635 error rofs 7635 error rofs Often virtualized file systems, or other file systems 7635 error rofs that don't support symlinks, give this error. 7636 verbose exit [ -30, true ] This seems like a directory access permission issue, but I can't change the read/write permissions on the F5 device. How should this be resolved? f5-appsvcs-extension/contributing/node_inspector_profiling_as3.md at v3.54.2 · F5Networks/f5-appsvcs-extension
Solved
ecolauce
Dec 03, 2025 Place Technical Forum
100Views
0likes
4Comments
F5 HA deployment in Azure using Azure Load Balancer
I just created an HA 90 (Active/Standby) peer for one of our customers adding an F5 to their current stand alone infrastructure in Azure. We are using a 3-NIC deployment model using the external interface for the VIPs and the Internal for our HA peering. We are also using secondary IP addresses on the external NIC which are in turn used for the VIPs on the F5. ✔ 3-NIC BIG-IP deployment (Management, Internal, External) ✔ Secondary IPs on the external NIC ✔ Those secondary IPs are mapped to BIG-IP Virtual Servers (VIPs) ✔ Internal NIC is used only for HA sync (not for traffic) For redundancy I have suggested using CFE in for failover but the customer wants to use and Azure load balancer and having the F5s as backend pool members. They do not want to use CFE. Is it possible to deploy an F5 HA pair in Azure using an Azure Load Balancer while the VIPs are using secondary NICs on the external interface? I'm afraid using an ALB would require making changes to the current VIP configurations on F5 to support a wildcard. Any other HA deployment models within Azure given the current infrastructure would also be helpful. Thank You
bmainline
Dec 03, 2025 Place Technical Forum
119Views
1like
2Comments
Big-IP LTM integration with Big-IP DNS in Azure
We are deploying Big-IPs to Azure. We are going with 3 NICs(mgmt/client/server) Big-IP LTM/APM nodes. They will integrate with existing Big-IP DNS nodes. What is the NIC to use for not only the initial bigip_add (port 22), but for also iquery 4353? Best practice? I understand big3d will listen on self ips and mgmt. Per https://clouddocs.f5.com/cloud/public/v1/azure/Azure_multiNIC.html, it mentions 4353 comms on internal network for config sync, etc. What about for F5 DNS integration and iquery comms? Does anybody have any experience with this configuration and/or best practice recommendations?
Solved
jparri2323
Nov 25, 2025 Place Technical Forum
117Views
0likes
3Comments
Requirement for BIG-IQ VM Deployment in AWS
Can anyone please suggest on below. We have a requirement to deploy a BIG-IQ VM in the AWS cloud to manage our existing LTM, GTM, and WAF devices. We are planning to manage approximately 100 F5 devices using BIG-IQ. Could you please share the recommended system requirements (RAM and disk space) for the BIG-IQ instance to support this scale? and other details as well if required for the same. Kind regards
Rishi
Nov 24, 2025 Place Technical Forum
75Views
0likes
3Comments