010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure Rseries Tenant ..
Hello, I have previously uploaded the configuration with ucs to Rseries Tenant. When I want to upload the final version of ucs to enable the latest updates, it gives an error. Can anyone help me with this?

The command I used when installing:

    load /sys ucs /var/local/ucs/ALP-30092024.ucs no-license no-platform-check

Error I got:

    load_config_files[23122]: “/usr/bin/tmsh -n -g -a load sys config partitions all base “ - failed. -- Loading schema version: 15.1.3.1
    Loading schema version: 17.1.1.1.3
    010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
    Unexpected Error: Loading configuration process failed.

28 Views, 0 likes, 3 Comments

AS3 no new LTS Version?
The AS3 Support Cycle Document states that end of support for the latest LTS Version 3.46.2 is 31-Oct-2024 and that the next LTS release is on 30-Sep-2024. However, the Release 3.53.0 from 30-Sep-2024 is not present in the AS3 Documentation. So my question now is whether there will be another minor Version like 3.46.1 which then will be the LTS Variant. And if so, when will it be released?

Solved, 17 Views, 0 likes, 1 Comment

Keep encoding when request is handled by irule
I have a custom iRule to check data in the payload. I noticed an issue when non-Latin characters are detected, for example Japanese characters. In this case it seems that the byte array is not read correctly (2 bytes vs 4 bytes), which just corrupts/changes the payload. I am almost sure that I hit the following: https://my.f5.com/manage/s/article/K22406348. An option to use binary scan is mentioned there, but it does not work for me. In general, I do not add anything to the payload or modify it. I just compare some properties and block the request if it matches a condition. How can I keep the original payload as it is?

24 Views, 0 likes, 2 Comments

Maintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this - utilizing the fallback host feature and redirecting to another url, or setting up a page to be hosted on the LTM and using an iRule with " [active_members [LB::server pool]] < 1" in it. Does anyone have any opinions on which one is preferred, and why?

Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster - some are QA, some are non-http. I will likely have the need for multiple versions of the maintenance page, depending on the site content it fronts. The one thing I do see as an advantage of the LTM hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available.

Thanks!!
Chris

324 Views, 0 likes, 5 Comments

Certificate server name issue--wildcard certificate
Hello all, I have one virtual server, and I have a policy behind it that redirects to multiple pools. The problem is that my customer requested a certificate for a few applications and requested it as wildcard.xyz.com. However, the application has two DNS records, xyz.com and www.xyz.com. Of course, when I call the page as xyz.com, I get a certificate error (not a secure connection). Here, my policy record is as follows: if the host "xyz.com or www.xyz.com" is owned by the host, redirect the traffic to the xyz-pool. I wrote a redirect iRule to overcome this. But it didn't work. The rule is like this:

    when HTTP_REQUEST {
        if {[HTTP::host] equals "xyz.com"} {
            HTTP::redirect "https://www.xyz.com[HTTP::uri]"
        }
    }

Anyone have any ideas or suggestions? Thank you in advance for your answers.

50 Views, 0 likes, 4 Comments

BIG-IP syslog include
BIG-IP remote syslog with short names, iso dates, and milli/microseconds

It looks like syslog-ng is broken on a number of BIG-IP releases. Using use_fqdn(no) still gets fqdns in the logs. This looks to have been broken here: https://cdn.f5.com/product/bugtracker/ID998649.html

Our workaround is to add a rewrite filter that removes the domain name. Log in, run tmsh, command "edit sys syslog" and enter the below. You probably want to clear any remote syslog setup in the UI first.

    sys syslog {
        include "
            # short hostnames
            options { frac_digits(6); keep_hostname(no); use_fqdn(no); };
            # F5 use-fqdn is broken in
            # https://cdn.f5.com/product/bugtracker/ID998649.html
            # so replace '\\.*' with ''
            rewrite r_domain { subst(\"\\\\..*\", \"\", value(\"HOST\")); };
            # Remote syslog in RFC5424 - Tim Riker <Tim@Rikers.org>
            destination d_remote_loghost {
                # put your syslog IP here in place of the 0.0.0.0
                syslog(0.0.0.0 port(514));
            };
            log { source(s_syslog_pipe); rewrite(r_domain); destination(d_remote_loghost); };
        "
    }

Note: this output does NOT appear to be RFC5424 compliant. For example, system output includes a priority field following the hostname, where RFC5424 does not include that in its spec.

Solved, 129 Views, 2 likes, 6 Comments

Help me understand Load Balancing
Good afternoon everyone,

I am hoping someone can help me understand the difference between something that is "failing a healthcheck" in an F5 and something that is "Forced Offline" and how the load balancer would react to both. At my company I notice that if I have a server failing the healthcheck in the load balancer, that load balancer will still send requests to that server experiencing issues. But if I force that server offline manually, then the load balancer respects that the server is down and doesn't send it any requests until we bring it back up manually.

Is this the expected behavior from an F5 load balancer? Or does it depend on the version of the device in question or the software? According to the manager that runs this system, they are telling me this is how it is and that the load balancer isn't "smart" enough to know unless we manually force it offline. Does this pass the sniff test, or are they being misleading? To me this sounds misleading at best. Because what is the point of having an active health check if the load balancer is still going to send requests to servers that fail the health check?

I am just trying to educate myself on this, since this is not my area of expertise. I would think a load balancer should be smart enough OOB to handle functionality like this. But I also want to make sure I am not "inventing" functionality that may not be there or is supported through a different license.

Any type of info would be appreciated and thank you in advance for anyone who takes the time to read and reply to this post!

Respectfully,
Brian Jones

48 Views, 0 likes, 6 Comments

Help configuring NAT64 on a BIG-IP LTM
I have been trying to implement NAT64 in our network so that IPv6-only clients can reach our IPv4-only servers. I've created an IPv6 VIP and enabled the nat6to4 option, and port and address translation are enabled.

VIP: ipv6
Pool: IPv4
Snat: Auto map

When I do

    #show sys connection cs-server-address 2a:66:x.x.x.xx

    client IPaddress    VIP ip address    floating ip address    node
    2a:45:33.xxx        2a:66:x.x.x.xx    any6                   any6

I am able to see the client IPv6 address reaching the VIP. But the F5 is not load balancing to the backend server. How can I make this work? Any help would be greatly appreciated.

65 Views, 0 likes, 3 Comments

Check how long it takes for a request to switch from a pool member to another if one is not available
Hello there :)

I'm trying to find out how long it takes a request to switch from a pool member to another if one is not available. For example: I have a configuration for load balancing that includes a pool with 2 members (A and B). Let's say Server 'A' is unable to handle a request, and so it should be transferred to Server 'B'. Is there any way to check the duration of this switch? How long does it take for the request to be transferred from A to B after A becomes unavailable?

Thank you!

398 Views, 0 likes, 2 Comments

BIG-IP syslog - send logs with UTC timezone, while APM is in different timezone
Hi, I'm looking for a way to send out logs to a remote syslog server with a UTC timestamp. APM is using corporate NTP servers that are in the GMT +1 time zone, and that's how the logs are being sent. I tried to edit /sys syslog all-properties and add something like below to have the date in ISO format + timezone amended. However, while ISODATE is working, the time_zone variable is not (I tried it with "UTC", "GMT", "-01:00", etc.). Any other options I could use?

    options { proto-template(t_isostamp); };
    template t_isostamp { template(\"$ISODATE $HOST $MSGHDR$MSG\\n\"); };
    destination d_remote_loghost {
        tcp(\"x.x.x.x\" port(514) template(t_isostamp) time_zone(UTC));
    };
    "

926 Views, 0 likes, 2 Comments