F5 r10800 not connected to Cisco Nexus 9000
10G and 25G interfaces on F5 rSeries 10800 (F5os version 1.5.2 ) port fail to establish links with Cisco Nexus switches C93360YC-FX2 (nxos version 9.3.5) both side module model are: type is SFP-H25GB-SR name is F5 NETWORKS INC. part number is OPT-0053 is ther a solution to this problem??
Ways to correlate client side and server side connections
Hi all, Wondering if there are any new methods to correlate client side and server side connections? Say I have the client IP and ephemeral source port is there any feature that allows me to see the end to end conversation ? I am aware of the tcpdump with verbosity parameters, flow id, but I was wondering if there are any other ways easier that this above. Thanks in advance!
LTM SSL handshake failuer (40) with IIS SSL setting Accept
I had an issue that communication from client PC failed with one of pool members. Clinet PC can directly access to the problem member without any issue. If it is accessed through VS, the failure happened. As investigated with packet capture, following error caused the communication failure. Transport Layer Security TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure) Content Type: Alert (21) Version: TLS 1.2 (0x0303) Length: 26 Alert Message Level: Fatal (2) Description: Handshake Failure (40) As I investigated, I found the problem member's IIS SSL setting is set as "Accept". Other working members are set as "Ignore". As I changed the setting to "Ignore", the problem was gone. The IIS SSL setting "Accept" is to accept clinet certificate if it is provided by client. If client did not provide client cetificate, IIS still establish connection. On the VS, SSL server profile is used. the profile setting is almost default. Do you know why BIG-IP fails the SSL communication if the IIS SSL setting is "Accept"?Unequal loadbalancing for a UDP VIP
We've an UDP VIP configured with udp-datagram profile enabled. We're observing a strange behaviour the way LTM routes the packets to the backend server. There are 5 servers in the pool and most of connections are routed to one server due to this behaviour the resource on that perticular server getting exhausted. I am not sure when we've enabled on data-gram profile. I am assuming the some of the old connections still in the connection table and being handled without data-gram. I tried clear the connection table using below tmm script and did not have any success. Please let us know if there are any other way to clear the connection table. tmsh show sys connection ss-server-addr <server-ip> | grep tmm | awk '{split($1, client, ":"); print "tmsh delete sys conn cs-client-addr " client[1] " cs-client-port " client[2] " cs-server-addr <VIP> cs-server-port 1813"}' | sh
Problems with ping dropped packets
Hello Experts, I've recently encountered a strange problem where the ping node drops packets (about 10-20%) when gtm1 is active, but when gtm1 is in standby, the ping node doesn't drop any packets. gtm2 works fine in both active and standby states, no packets are dropped! Does anyone have any experience with this? Here is my structure Thanks
Migration from physical Hardware to R series
I have a physical hardware box 4000s in which there are 4 X 1 gig interfaces in a trunk. In new r series device r4600 we have trunk with two 25 gig interfaces. Can I copy the UCS from old device and load it on the new device using no license no platform check command ? Anyone has done this type of migration, please let me know the steps you followed.BIG-IP Report
Problem this snippet solves: Overview This is a script which will generate a report of the BIG-IP LTM configuration on all your load balancers making it easy to find information and get a comprehensive overview of virtual servers and pools connected to them. This information is used to relay information to NOC and developers to give them insight in where things are located and to be able to plan patching and deploys. I also use it myself as a quick way get information or gather data used as a foundation for RFC's, ie get a list of all external virtual servers without compression profiles. The script has been running on 13 pairs of load balancers, indexing over 1200 virtual servers for several years now and the report is widely used across the company and by many companies and governments across the world. It's easy to setup and use and only requires auditor (read-only) permissions on your devices. Demo/Preview Interactive demo http://loadbalancing.se/bigipreportdemo/ Screen shots The main report: The device overview: Certificate details: How to use this snippet: Installation instructions BigipReport REST This is the only branch we're updating since middle of 2020 and it supports 12.x and upwards (maybe even 11.6). Downloads: https://loadbalancing.se/downloads/bigipreport-v5.7.13.zip Documentation, installation instructions and troubleshooting:https://loadbalancing.se/bigipreport-rest/ Docker support https://loadbalancing.se/2021/01/05/running-bigipreport-on-docker/ Kubernetes support https://loadbalancing.se/2021/04/16/bigipreport-on-kubernetes/ BIG-IP Report (Legacy) Older version of the report that only runs on Windows and is depending on a Powershell plugin originally written by Joe Pruitt (F5) BIG-IP Report (only download this if you have v10 devices): https://loadbalancing.se/downloads/bigipreport-5.4.0-beta.zip iControl Snapin https://loadbalancing.se/downloads/f5-icontrol.zip Documentation and Installation Instructions https://loadbalancing.se/bigip-report/ Upgrade instructions Protect the report using APM and active directory Written by DevCentral member Shann_P: https://loadbalancing.se/2018/04/08/protecting-bigip-report-behind-an-apm-by-shannon-poole/ Got issues/problems/feedback? Still have issues? Drop a comment below. We usually reply quite fast. Any bugs found, issues detected or ideas contributed makes the report better for everyone, so it's always appreciated. --- Join us on Discord: https://discord.gg/7JJvPMYahA Code : BigIP Report Tested this on version: 12, 13, 14, 15, 16
Unexpected Error: UCS loading process failed
Hello, I'm taking the LTM Essentials course online. There are different labs and before each lab, I need to upload a UCS file and restore it. But when I do the restore, I receive the following error: Unexpected Error: UCS loading process failed. It is impossible to have the restore working. Somebody would have an idea how to troubleshoot this? Thank you, VinchSysLog UDP Load Balancing
Hello, 1st of all I require some guideline/suggestion here. I am configuring a Virtual Server from F5 listening on 514 and translating port to 8514 at backend servers. Idea is Systems will send the syslog through this F5 and F5 VIP will eventually send logs to Backend Syslog Connectors. Traffic Flow is like below Client >> F5 VIP_IP [ 2.2.2.2] ( Service Port 514 ) ( UDP Profile with FastL4 Profile ) -- >> Backend Syslog Connector 2.2.2.6, 7 on 8514 Port. Clearly to specify VIP IP and Backend IP are in the same subnet hence I do not need to enable SNAT. Also I was thinking if I enable SNAT at backend how do they identify actually who send the Log. What is the Guideline for this to make sure Syslog can see actual source and Syslog Servers follow return traffic through F5 ?. ( Note that Servers gateway are at Network Device not in F5 ) Also if I set monitor TCP or Gateway ICMP Pool Goes Down. Pool is live only if I set Monitor as UDP. Why is that ? How I should check that UDP Traffic is load balanced. But this is less important as I need to be sure about the Traffic Flow. Please advise. Below is the Virtual Server Config tmsh list ltm virtual Virtual_Server all-properties [api-status-warning] ltm/virtual, properties : deprecated : mobile-app-tunnel, urldb-feed-policy ltm virtual Virtual_Server { address-status yes app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 creation-time 2020-02-25:18:47:05 description "Supports Syslog" destination 2.2.2.2:514 enabled fallback-persistence none flow-eviction-policy none gtm-score 0 ip-protocol udp last-hop-pool none last-modified-time 2020-02-25:20:04:58 mask 255.255.255.255 metadata none mirror disabled mobile-app-tunnel disabled nat64 disabled partition Common per-flow-request-access-policy none persist none policies none pool SYSLOG_Pool profiles { fastL4 { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none rules none security-log-profiles none service-down-immediate-action none service-policy none source 0.0.0.0/0 source-address-translation { pool none type none } source-port preserve syn-cookie-status not-activated traffic-classes none traffic-matching-criteria none translate-address enabled translate-port enabled transparent-nexthop none urldb-feed-policy none vlans { vlan_222 } vlans-enabled vs-index 97 }How does the BIG-IP process multiple LTM policies on a virtual server?
I have a LTM traffic policy on a virtual server that I use to perform hostname-based routing for 10 different applications. There is a rule for each app, and once there is a match on the hostname, no further rules are evaluated and traffic is forwarded appropriately. Hypothetically, let's say that instead of using a single policy and multiple rules, I created a new policy for each of the 10 apps, with each policy having only one rule to route traffic for a single app. If a request for App_1 comes through and the hostname matches the rule in Policy_1, would the rules in policies 2-10 be evaluated, or would the evaluation stop similar to what happens with a single policy and multiple rules? I'd love to hear any thoughts on this. I've been reading through the BIG-IP documentation but I haven't found anything yet, so any help would be greatly appreciated. :)
