devops

F5 ERR_CONNECTION_RESET
Hello, We are trying to expose our backend application, which is behind a Windows IIS reverse proxy, based on URL rewrite rules which look for the host header and then route the call to the backend. When trying to open the URL from inside our network, from another server, we get the requested page in the Firefox web browser. When trying the same URL from the F5 CLI, we also get the expected page. But when trying from the Internet, we get ERR_CONNECTION_RESET from Chrome and Firefox. What have we checked? F5 is doing the TLS termination, and we have a valid certificate in place. The node and pool are green. The SSL Profile (Server) <serverssl> is assigned because communication to the pool is HTTPS. The call never reaches Windows IIS. Is there anything else we can check? Thanks in advance, Igor
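The first thing to establish for a reset that only happens from the Internet is which side of the BIG-IP sent the RST and why. BIG-IP can log a reason for every reset it generates (`tmsh modify sys db tm.rstcause.log value enable`, message ID 01230140 in /var/log/ltm; `tm.rstcause.pkt` additionally stamps the reason into the RST packet so an outside capture shows it). The script below is an added example, not part of the post: it groups those log lines by whether the reset left the virtual server toward a client or went toward a pool member. The sample lines are constructed to match the log format, and their cause texts are placeholders rather than a list of real BIG-IP reset reasons; the addresses are assumptions.

```python
"""Group BIG-IP reset-cause log lines by which side sent the RST and why.

Added example, not part of the forum post. Assumes reset-cause logging was
enabled (tmsh modify sys db tm.rstcause.log value enable) and the lines were
copied from /var/log/ltm. Sample lines are constructed; cause texts are
placeholders, not real BIG-IP reset reasons. IPv4 only.
"""
import re
from collections import Counter

# "01230140:<sev>: RST sent from <src>:<port> to <dst>:<port>, [0x<file>:<line>] <cause>"
RST_LINE = re.compile(
    r"01230140:\d: RST sent from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \[0x[0-9a-f]+:\d+\] (?P<cause>.+)$"
)

# Constructed sample: two resets from the virtual server (203.0.113.10) toward an
# Internet client, one reset toward the IIS pool member (10.20.30.40), one unrelated line.
SAMPLE_LTM_LOG = """\
Sep  3 10:01:12 bigip1 info tmm[15231]: 01230140:6: RST sent from 203.0.113.10:443 to 198.51.100.7:52110, [0x2b6f8c3:1190] placeholder cause: TLS handshake failed
Sep  3 10:01:13 bigip1 info tmm1[15232]: 01230140:6: RST sent from 203.0.113.10:443 to 198.51.100.7:52111, [0x2b6f8c3:1190] placeholder cause: TLS handshake failed
Sep  3 10:01:20 bigip1 info tmm[15231]: 01230140:6: RST sent from 10.20.30.5:50231 to 10.20.30.40:443, [0x1c4a210:2012] placeholder cause: server-side handshake timeout
Sep  3 10:02:02 bigip1 notice mcpd[7261]: 01071038:5: Master Key updated by user admin
"""


def parse_rst_lines(log_text):
    """Return one dict (src, sport, dst, dport, cause) per reset-cause line; other lines are skipped."""
    return [m.groupdict() for m in map(RST_LINE.search, log_text.splitlines()) if m]


def classify_resets(events, virtual_addr, pool_members):
    """Count resets as (side, cause).

    client-side: the RST left the virtual server address, so the flow failed
    before BIG-IP ever opened a connection to the pool (TLS, HTTP profile, iRule).
    server-side: the RST went toward a pool member, i.e. the back-end hop
    (here the serverssl handshake to IIS) is what failed for that flow.
    """
    counts = Counter()
    for e in events:
        if e["src"] == virtual_addr:
            side = "client-side"
        elif e["dst"] in pool_members:
            side = "server-side"
        else:
            side = "other"
        counts[(side, e["cause"])] += 1
    return counts


def resets_per_client(events, virtual_addr):
    """Which client addresses are being reset by the virtual server, and how often."""
    return Counter(e["dst"] for e in events if e["src"] == virtual_addr)


if __name__ == "__main__":
    evs = parse_rst_lines(SAMPLE_LTM_LOG)
    for (side, cause), n in classify_resets(evs, "203.0.113.10", {"10.20.30.40"}).most_common():
        print(f"{n:4d}  {side:12s} {cause}")
    print(resets_per_client(evs, "203.0.113.10"))
```

Run it against the real /var/log/ltm after reproducing the failure from outside. If the resets are client-side, the external path never reaches the server-side connection, so compare what differs for external clients (the address or port they actually hit after NAT, SNI, the HTTP profile) rather than the pool; if they are server-side, it is the serverssl hop to IIS that fails for those flows only. Turn the db key off again afterwards, since it adds a log line per reset.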
Cert Bundle Manager

I have a bundle file that contains many certs from many organizations, maintained in one big PEM file. Maintaining this one massive bundle file is too cumbersome. I am thinking of using Bundle Manager and breaking apart this massive bundle file so that each organization has its own bundle file. I would then add each organization bundle in the Bundle Manager. When the time came that an organization bundle needed to be updated, I would create a new bundle for that organization, upload it to the F5 and then add it to the Bundle Manager, click the option Update, Finish. Has anybody encountered issues with using the Bundle Manager? For example, when updating the Bundle Manager in an HA configuration, could there be any issues while the F5s are syncing, for example a possible race condition or any other possible issues?

bundle manager
----- organization one bundle
----- organization two bundle
----- organization three bundle
----- organization four bundle
----- organization five bundle
----- organization six bundle
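Splitting the big bundle is also the moment to validate it, because whatever goes into each per-organization file is what the BIG-IP will trust. The script below is an added example, not from the post or from F5: it cuts a PEM bundle into per-organization bundles keyed on the subject O, drops duplicate certificates by SHA-256 fingerprint, reports certificates that are already expired, and refuses the bundle outright if it contains anything other than CERTIFICATE blocks (a private key pasted into a CA bundle would otherwise be uploaded with it). It depends on the `cryptography` package; the input certificates are generated inline for the demonstration, so it touches no real bundle or device. Organization names and file-name scheme are assumptions.

```python
"""Split a CA bundle into per-organization PEM bundles and sanity-check it first.

Added example, not from the post. Requires `pip install cryptography`.
The certificates used below are generated on the fly (constructed input).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# One PEM block of any label; the backreference makes BEGIN/END labels match.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)


def not_after_utc(cert):
    # not_valid_after_utc exists in cryptography >= 42; older releases give a naive UTC datetime
    try:
        return cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_after.replace(tzinfo=timezone.utc)


def split_bundle_by_org(pem_bytes, now=None):
    """Return ({organization: [pem_cert, ...]}, [subject of each expired cert]).

    Raises ValueError on any non-CERTIFICATE block (keys, CSRs, parameters).
    Duplicate certificates (same SHA-256 fingerprint) are kept once.
    """
    now = now or datetime.now(timezone.utc)
    groups, seen, expired = defaultdict(list), set(), []
    for m in PEM_BLOCK.finditer(pem_bytes):
        label = m.group(1).decode()
        if label != "CERTIFICATE":
            raise ValueError(f"refusing bundle: found a {label} block, only certificates belong in a CA bundle")
        cert = x509.load_pem_x509_certificate(m.group(0))
        fp = cert.fingerprint(hashes.SHA256())
        if fp in seen:
            continue
        seen.add(fp)
        attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
        org = attrs[0].value if attrs else "unknown-organization"
        if not_after_utc(cert) < now:
            expired.append(cert.subject.rfc4514_string())
        groups[org].append(cert.public_bytes(serialization.Encoding.PEM))
    return dict(groups), expired


def bundle_filename(org):
    """Assumed naming scheme for the per-organization file uploaded to the BIG-IP."""
    safe = re.sub(r"[^A-Za-z0-9]+", "-", org).strip("-").lower()
    return f"{safe}-ca-bundle.crt"


def make_test_ca(org, cn, days_valid):
    """Constructed self-signed CA (ECDSA P-256) for the demonstration only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=30))
            .not_valid_after(now + timedelta(days=days_valid))   # negative days => already expired
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


def demo_bundle():
    """Constructed input: two CAs for Org One (one pasted twice), one expired CA for Org Two."""
    one_a = make_test_ca("Org One", "Org One Root", 3650)
    one_b = make_test_ca("Org One", "Org One Issuing", 1825)
    two = make_test_ca("Org Two", "Org Two Root", -1)
    return one_a + one_b + one_a + two


if __name__ == "__main__":
    groups, expired = split_bundle_by_org(demo_bundle())
    for org, certs in groups.items():
        print(f"{bundle_filename(org)}: {len(certs)} certificate(s)")
        # open(bundle_filename(org), "wb").write(b"".join(certs))
    print("expired:", expired)
```

Each per-organization file is then what you install and attach in the Bundle Manager; the check that matters before every update is the same one the script performs, i.e. only certificates, no duplicates and nothing already expired, run on the new file before it reaches either device.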
Sync-failover group doesn't sync properly

Hello, I need some help with an essential Active/Standby setup where I can't make the two nodes sync data. This is the problem I end up with: "did not receive last sync successfully"

VLANs are configured like this:

vlan     tag   tagged interface
Client   11    1.1
HA       13    1.3
Server   12    1.2

Self IPs and routes are the following:

[root@bigip1:Active:Standalone] config # ip route
default via 192.168.159.2 dev mgmt metric 4096
10.11.11.0/24 dev Client proto kernel scope link src 10.11.11.111
10.12.12.0/24 dev Server proto kernel scope link src 10.12.12.121
10.13.13.0/24 dev HA proto kernel scope link src 10.13.13.131
127.1.1.0/24 dev tmm proto kernel scope link src 127.1.1.254
127.7.0.0/16 via 127.1.1.253 dev tmm
127.20.0.0/16 dev tmm_bp proto kernel scope link src 127.20.0.254
192.168.159.0/24 dev mgmt proto kernel scope link src 192.168.159.129

[root@bigip2:Active:Standalone] config # ip route
default via 192.168.159.2 dev mgmt metric 4096
10.11.11.0/24 dev Client proto kernel scope link src 10.11.11.112
10.12.12.0/24 dev Server proto kernel scope link src 10.12.12.122
10.13.13.0/24 dev HA proto kernel scope link src 10.13.13.132
127.1.1.0/24 dev tmm proto kernel scope link src 127.1.1.254
127.7.0.0/16 via 127.1.1.253 dev tmm
127.20.0.0/16 dev tmm_bp proto kernel scope link src 127.20.0.254
192.168.159.0/24 dev mgmt proto kernel scope link src 192.168.159.130

Floating IPs on both devices are set to:
- Client: 10.11.11.110
- Server: 10.12.12.120

Both devices have certificates, time is in sync via NTP, and they have the same version 17.1.0.2 Build 0.0.2 (provisioned from the same OVA) and license. Config sync is set to: HA self IPs. Failover network is: HA + Management. Mirroring: HA + Server. BigIP1 is Online, BigIP2 is Forced Offline before I start building the cluster. Hosts are connected via VMware Workstation LAN Segments, thus no filtering is applied. I double-check that I can see packets in "tcpdump -nn -i" for any of the interfaces Client/Server/HA when, for example, trying to establish an SSH connection from the other host to the respective IP of the interface that is being watched. Then I add device trust. Soon both devices are shown as "In Sync" in the device_trust_group. Then I create a sync-failover group of the two devices with Automatic Incremental Sync and Max sync size = 10240. After this, the sync statuses are the following:
- device_trust_group = In Sync
- Sync-Failover-Group = Awaiting Initial Sync

If I run "tcpdump -nn -i any tcp" I mostly see packets on the HA network for ports 1029 and 4343. If I run "tcpdump -nn -i any udp" I mostly see packets on the HA network for port 1026.

tmm log:
Sep 1 22:39:29 bigip1.sq.cloud notice mcpd[7261]: 01071436:5: CMI listener established at 10.13.13.131 port 6699
Sep 1 22:39:29 bigip1.sq.cloud err mcpd[7261]: 0107142f:3: Can't connect to CMI peer 10.13.13.132, TMM outbound listener not yet created
Sep 1 22:39:29 bigip1.sq.cloud err mcpd[7261]: 0107142f:3: Can't connect to CMI peer 10.13.13.132, TMM outbound listener not yet created
Sep 1 22:39:32 bigip1.sq.cloud notice mcpd[7261]: 01071451:5: Received CMI hello from /Common/bigip2.sq.cloud
Sep 1 22:39:34 bigip1.sq.cloud notice mcpd[7261]: 01071432:5: CMI peer connection established to 10.13.13.132 port 6699 after 0 retries
Sep 1 22:44:48 bigip1.sq.cloud notice mcpd[7261]: 01071038:5: Master Key updated by user %cmi-mcpd-peer-10.13.13.132
Sep 1 22:52:33 bigip1.sq.cloud notice mcpd[7261]: 01071451:5: Received CMI hello from /Common/bigip2.sq.cloud
Sep 1 22:57:33 bigip1.sq.cloud notice mcpd[7261]: 01071451:5: Received CMI hello from /Common/bigip2.sq.cloud
Sep 1 23:01:09 bigip1.sq.cloud notice mcpd[7261]: 01070430:5: end_transaction message timeout on connection 0xedc5a0c8 (user %cmi-mcpd-peer-10.13.13.132)
Sep 1 23:01:09 bigip1.sq.cloud notice mcpd[7261]: 01070418:5: connection 0xedc5a0c8 (user %cmi-mcpd-peer-10.13.13.132) was closed with active requests
Sep 1 23:01:09 bigip1.sq.cloud notice mcpd[7261]: 0107143c:5: Connection to CMI peer 10.13.13.132 has been removed
Sep 1 23:01:09 bigip1.sq.cloud notice mcpd[7261]: 01071432:5: CMI peer connection established to 10.13.13.132 port 6699 after 0 retries
Sep 1 23:06:11 bigip1.sq.cloud notice mcpd[7261]: 01070430:5: end_transaction message timeout on connection 0xedc5a0c8 (user %cmi-mcpd-peer-10.13.13.132)
Sep 1 23:06:11 bigip1.sq.cloud notice mcpd[7261]: 01070418:5: connection 0xedc5a0c8 (user %cmi-mcpd-peer-10.13.13.132) was closed with active requests
Sep 1 23:06:11 bigip1.sq.cloud notice mcpd[7261]: 0107143c:5: Connection to CMI peer 10.13.13.132 has been removed
Sep 1 23:06:11 bigip1.sq.cloud notice mcpd[7261]: 01071432:5: CMI peer connection established to 10.13.13.132 port 6699 after 0 retries

Lastly I push the configuration from the device that is in the online state to the Sync-Failover-Group. Then the sync status is like shown on the screenshot at the beginning of this message. Suggested sync actions (push A or B to group) do not help. Looked through: K63243467, K13946. I appreciate any suggestions that can resolve this or properly push/pull the config. Thank you!
URL Redirect ? URL ReWrite ?

I'm still on my journey learning nginx, so forgive the stupid question. My goal is as follows: I want my clients to be able to browse to https://www.john.com/Greenlight. In the client's browser I don't want the above to change, but I want the page load to actually populate from here: https://dev-assets.john.net/cdn/html2canvas/1.4.1/license.html

I tried this, but it's not working. I think I'm close, but maybe not.

############################################################
# Greenlight redirect
location /Greenlight {
    rewrite ^/Greenlight(/.*)$ $1 break;
    rewrite ^/Greenlight$ / break;
    proxy_pass https://dev-assets.john.net/cdn/html2canvas/1.4.1;
    proxy_set_header Host john-assets.alkami.net;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    try_files $uri $uri/ /license.html;
}

I'm thinking maybe I need a rewrite statement... any guidance would be appreciated.
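Two directives in the posted block defeat the proxy: `try_files` makes nginx look for a local file and, on the fallback, performs an internal redirect to /license.html, which is re-matched against the server's locations and never reaches this block; and a `rewrite ... break` inside a proxied location causes nginx to forward the rewritten URI as-is, discarding the URI part of `proxy_pass`, so the upstream receives `/` instead of `/cdn/html2canvas/1.4.1/`. The configuration below is an added example, not the poster's config: it relies on the fact that when `proxy_pass` carries a URI, the part of the request that matched the location is replaced by that URI, so no rewrite is needed and the browser URL stays https://www.john.com/Greenlight. The hostnames are the ones from the post; sending `Host: dev-assets.john.net` to the upstream, the SNI settings and the CA bundle path are assumptions about how that CDN host is served.

```nginx
# Added example (not the original post's config).
# /Greenlight            -> https://dev-assets.john.net/cdn/html2canvas/1.4.1/license.html
# /Greenlight/<rest>     -> https://dev-assets.john.net/cdn/html2canvas/1.4.1/<rest>
# The client-visible URL is never changed: no redirect, no rewrite.

location = /Greenlight {
    # Exact match: the whole matched URI "/Greenlight" is replaced by the proxy_pass URI.
    proxy_pass https://dev-assets.john.net/cdn/html2canvas/1.4.1/license.html;

    proxy_set_header Host dev-assets.john.net;      # assumption: the name the upstream serves
    proxy_ssl_server_name on;                       # send SNI; nginx does not by default
    proxy_ssl_name dev-assets.john.net;
    proxy_ssl_verify on;                            # nginx does NOT verify upstream certs by default
    proxy_ssl_verify_depth 3;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # assumption: Debian/Ubuntu path
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /Greenlight/ {
    # Prefix match with trailing slashes on both sides: "/Greenlight/foo" becomes
    # "/cdn/html2canvas/1.4.1/foo" upstream, so assets next to license.html resolve.
    proxy_pass https://dev-assets.john.net/cdn/html2canvas/1.4.1/;

    proxy_set_header Host dev-assets.john.net;
    proxy_ssl_server_name on;
    proxy_ssl_name dev-assets.john.net;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 3;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

Check it with `nginx -t` and then `curl -sI https://www.john.com/Greenlight`, which should return the upstream's response for license.html with the browser-facing URL untouched. One caveat this cannot fix: if license.html references other resources by absolute path (`/cdn/...`), those requests leave the `/Greenlight/` prefix and will be served by whatever location matches them on www.john.com.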
reading Client SSL Profile details via Ansible

I have an automation I'm building that does a lot of things, but one of the tasks in that pile is to try to read, specifically, the field that contains the TLS specifications for every client SSL profile. The server SSL profiles have the options: field in them, but for the life of me I can find no similar field in the output of client SSL profiles from f5networks.f5_modules.bigip_device_info. None of the other management modules (especially bigip_profile_client_ssl) seem to help with this: in stating that they "manage" profiles, it'd appear that they only write them individually, not read all of them in full detail. Is there something I'm missing?
Guide for exam 402 F5 Certified Solution Expert

I passed exam 402 F5 Certified Solution Expert, and I would like to share a guide for preparing for this certification exam. First you have to review the blueprint of exam topics from F5: https://techdocs.f5.com/dam/f5/kb/global/solutions/k29900360/402_-_Cloud_Solutions.pdf

1. Information about licensing
https://my.f5.com/manage/s/article/K14810
https://clouddocs.f5.com/cloud/public/v1/matrix.html
https://clouddocs.f5.com/cloud/public/v1/licensing/licensing.html
https://wtit.com/f5-good-better-best-licenses/
2. F5 instance types on Microsoft Azure and AWS
3. Strategies for migrating applications to the cloud
https://aws.amazon.com/blogs/enterprise-strategy/6-strategies-for-migrating-applications-to-the-cloud/
4. Learning about HTTP methods for APIs and API concepts
https://community.f5.com/kb/technicalarticles/wils-the-data-center-api-compass-rose/283999
5. About cloud provider objects
https://clouddocs.f5.com/cloud/public/v1/aws_index.html
https://clouddocs.f5.com/cloud/public/v1/azure_index.html
6. Cloud concepts and automation
Mutual TLS Between Two BigIPs

Hello, I am trying to determine how Mutual TLS (mTLS) can be implemented between two BIG-IPs for API calls. The certificates will reside on the two BIG-IPs where the authentication will occur. The objective is to isolate the applications such that no changes are required to the applications and no certs need to be loaded or exchanged between the apps and the BIG-IP. Based on several AI searches this is possible, but I haven't been able to find explicit documentation on whether it is supported and how it can be implemented. Any help is appreciated.

Client App --> BigIP 1 -mTLS- BigIP 2 --> Server App
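The hop between the two BIG-IPs in that diagram is an ordinary TLS connection from BIG-IP 1's server side to a virtual server on BIG-IP 2, so the mTLS pieces are a server-ssl profile on BIG-IP 1 that presents a client certificate and verifies BIG-IP 2, and a client-ssl profile on BIG-IP 2 that requires and verifies that client certificate. The applications see only their local BIG-IP. The commands below are an added example, not from the post or copied from F5 documentation; every certificate, key, CA file, profile and virtual server name is an assumption, and the files are expected to have been imported first with `tmsh install sys crypto cert|key <name> from-local-file <path>`. They are typed into the bash shell of each BIG-IP.

```tmsh
# Added example (not the poster's configuration). Names below are assumptions.

# --- BIG-IP 2: terminates the API connection from BIG-IP 1 and checks its client cert.
# ca-file holds ONLY the CA that issues BIG-IP 1's client certificate, not a general bundle,
# so nothing else that happens to hold a certificate from a public CA can connect.
tmsh create ltm profile client-ssl api_mtls_clientssl \
    defaults-from clientssl \
    cert-key-chain add { api { cert bigip2-api.crt key bigip2-api.key chain bigip2-api-chain.crt } } \
    peer-cert-mode require \
    ca-file bigip1-client-ca.crt \
    authenticate-depth 2
tmsh modify ltm virtual vs_api_in profiles add { api_mtls_clientssl { context clientside } }

# --- BIG-IP 1: its pool member for this virtual server is BIG-IP 2's vs_api_in address.
# The server-ssl profile presents bigip1-client.crt as the client certificate, verifies
# BIG-IP 2's server certificate against bigip2-server-ca.crt, sends SNI (server-name)
# and checks the presented name (authenticate-name).
tmsh create ltm profile server-ssl api_mtls_serverssl \
    defaults-from serverssl \
    cert bigip1-client.crt key bigip1-client.key chain bigip1-client-chain.crt \
    peer-cert-mode require \
    ca-file bigip2-server-ca.crt \
    authenticate-depth 2 \
    server-name bigip2-api.example.com \
    authenticate-name bigip2-api.example.com
tmsh modify ltm virtual vs_api_out profiles add { api_mtls_serverssl { context serverside } }

tmsh save sys config
```

To verify the BIG-IP 2 side independently of BIG-IP 1, run from BIG-IP 1's bash shell `openssl s_client -connect <vs_api_in address>:443 -servername bigip2-api.example.com -cert /config/ssl/ssl.crt/bigip1-client.crt -key /config/ssl/ssl.key/bigip1-client.key` and confirm the handshake completes; repeat without `-cert`/`-key` and confirm it is rejected, which proves `peer-cert-mode require` is doing its job. Keep the client certificate's private key on BIG-IP 1 only; the application never needs it, which is the isolation the post is after.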
iControl for Gtm wideip

I am using iControl REST 2.4 downloaded from https://pypi.org/project/iCR/. While using wideips = bigip.getlarge("gtm/wideip/a", xxx), where xxx is the size of the chunk, I would like to understand the limit of the chunk size. If I use wideips = bigip.get("gtm/wideip/a"), it works if I have 200-300 wideips, but in case you have 10k+ wideips it gives you Error 500, AsyncContext timeout. What is the best way to download /mgmt/tm/gtm/wideip/a via the API?
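Both this post and the earlier one about reading client-ssl profile details come down to the same thing: pull a collection from iControl REST in pages small enough not to time out, and ask only for the properties you need. iControl REST supports `$top`/`$skip` for paging and `$select` to trim the returned properties, and a paged response carries a `nextLink` while more pages remain. The script below is an added example, not from either post or from the iCR package: a generic pager plus an audit that lists client-ssl profiles which do not disable TLS 1.0/1.1. The fetch function is injected so the logic runs offline against constructed pages; for a live device pass something like `lambda p: session.get(f"https://{host}{p}", verify=ca_bundle).json()`. The property name `tmOptions` (the REST name of the client-ssl "options" list) is stated from memory, so confirm it against one real GET before relying on the audit.

```python
"""Page through an iControl REST collection and audit client-ssl profiles.

Added example, not from the posts. $top/$skip/$select and items/nextLink are
iControl REST features; tmOptions as the client-ssl property name is an
assumption to verify. The offline fetch below simulates the device.
"""


def iter_collection(fetch, path, page_size=500, select=None):
    """Yield every item of a REST collection, one page per GET.

    fetch(path_with_query) returns the decoded JSON of a GET. Small pages keep
    each request well under the server-side timeout that a 10k-item unpaged GET hits.
    """
    skip = 0
    while True:
        params = [f"$top={page_size}", f"$skip={skip}"]
        if select:
            params.append("$select=" + ",".join(select))
        page = fetch(f"{path}?{'&'.join(params)}")
        items = page.get("items", [])
        yield from items
        if len(items) < page_size or "nextLink" not in page:
            return
        skip += page_size


def weak_tls_profiles(profiles, required=("no-tlsv1", "no-tlsv1.1")):
    """Return [(name, [missing options])] for client-ssl profiles that still allow TLS 1.0/1.1."""
    weak = []
    for p in profiles:
        opts = set(p.get("tmOptions", []))
        missing = [o for o in required if o not in opts]
        if missing:
            weak.append((p["name"], missing))
    return weak


def make_offline_fetch(all_items):
    """Simulate the device: honour $top/$skip over a constructed item list and count GETs."""
    def fetch(path_with_query):
        fetch.calls += 1
        query = dict(part.split("=", 1) for part in path_with_query.split("?", 1)[1].split("&"))
        top, skip = int(query["$top"]), int(query["$skip"])
        page = {"items": all_items[skip:skip + top], "totalItems": len(all_items)}
        if skip + top < len(all_items):
            page["nextLink"] = f"https://localhost{path_with_query.split('?')[0]}?$top={top}&$skip={skip + top}"
        return page
    fetch.calls = 0
    return fetch


# Constructed sample data standing in for the device's collections.
SAMPLE_WIDEIPS = [{"name": f"app{i}.example.com", "fullPath": f"/Common/app{i}.example.com"}
                  for i in range(1250)]
SAMPLE_CLIENTSSL = [
    {"name": "clientssl", "tmOptions": ["dont-insert-empty-fragments"]},
    {"name": "legacy_app", "tmOptions": ["dont-insert-empty-fragments", "no-tlsv1"]},
    {"name": "hardened", "tmOptions": ["dont-insert-empty-fragments", "no-tlsv1", "no-tlsv1.1"]},
]


if __name__ == "__main__":
    fetch = make_offline_fetch(SAMPLE_WIDEIPS)
    names = [w["name"] for w in iter_collection(fetch, "/mgmt/tm/gtm/wideip/a", 500, ["name", "fullPath"])]
    print(f"{len(names)} wide IPs in {fetch.calls} requests")
    profiles = list(iter_collection(make_offline_fetch(SAMPLE_CLIENTSSL),
                                    "/mgmt/tm/ltm/profile/client-ssl", 100, ["name", "tmOptions"]))
    for name, missing in weak_tls_profiles(profiles):
        print(f"{name}: add {' '.join(missing)}")
```

The same pager works for any collection under /mgmt/tm, so in Ansible the equivalent is a loop over the `uri` module with `$top`/`$skip` in the URL rather than a device_info fact that has to serialize everything at once.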
Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?

Currently, I'm having to manually update certs on our F5 and I'm wondering what other people are using to automate this. We use Sectigo, which supports the Certbot F5 plugin, but a fellow tech who tested it said it doesn't work when a vserver has more than one SSL profile assigned. Is anyone using the Certbot tool? If not, what tool are you using? I'd like to be able to automate this (and be confident it "just works"). Thanks!
Terraform apply failures - loadbalancer_type.https.port_choice

Hi, I just ran a TF config via Jenkins. I used the following GitHub link with examples: https://github.com/f5devcentral/terraform-f5xc. The connection to F5 XC and deployment of the origin pools work fine, but when I tried to create the load balancer it failed with this error:

Error: error creating HttpLoadbalancer: Creating object: Unsuccessful POST at URL .../http_loadbalancers, status code 400, body {"code":3,"details":[{"code":"UNKNOWN","details":"Field spec.loadbalancer_type.https.port_choice fails rule ves.io.schema.rules.message.required_oneof constraint true due to value \u003cnil\u003e","timestamp":"2025-04-16T13:26:34Z"}],"message":"Field spec.loadbalancer_type.https.port_choice should be not nil, got nil in request."}

Where can I check what properties are mandatory to properly execute TF apply? Thank you. Best Regards, Jozef