ltm
19074 Topics

troubleshooting serverssl profile with client cert..
Hi all! We have a virtual server with a serverssl profile configured with a client cert. According to the technician working with the backend nginx node, they're not getting the client cert. Does anyone know a good way for us to verify that the cert is there or not? Would a tcpdump be sufficient?
/Kim
19 Views, 0 likes, 1 Comment

remove www from domain
Hello Everyone, Could you please assist with the query below and how it can be achieved? We have a query where the customer wants to remove the www from the request. For example, a request comes to https://www.abc.com and they want to remove www and forward to only abc.com. I would like to know if this is applicable using local traffic policy and iRules. If possible, kindly share an example iRule or local traffic policy to achieve this.
Please note: there are some policies configured with https://www.abc.com/etc and being redirected to https://www.abc.com/xyz . Will there be any impact on these redirection rules if we remove the www? If yes, then do we need to modify all these policies to abc.com and remove www from the redirection statements? TIA.
24 Views, 0 likes, 1 Comment

How are memory and disk allocated to different modules on bigip appliance?
Hi, when doing "Resource Provisioning", the memory and disk space that are auto allocated to LTM and ASM are shown as below. The amount of memory and disk is the minimum requirement, right? When a huge number of virtual servers are created later, will the appliance auto allocate more spare memory and disk to the module? And what is the management module responsible for? Is it responsible for packet forwarding? Should we set "Provisioning" to "Medium" or "Large" if the throughput is larger than 1Gbps? Can someone please advise? Thanks in advance!
64 Views, 0 likes, 7 Comments

How to add missing Content-Length header to an HTTP POST request?
Have tried to send an APM HTTP Auth POST request to an external authentication server which requires a Content-Length header. Seems to be that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small JSON data but its size varies. HTTP Auth sends the POST to a layered VS which converts the request to https, so can use iRules there. Tried to use HTTP::collect and then calculate the size from collected HTTP::payload and do HTTP::release. However, it gets stuck. Would be nice to be able to do it at the layered VS. Alternatively, thinking of using an iRule agent event in the VPE to form the JSON POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE and using them in the HTTP Auth custom POST definition. Any advice?
271 Views, 0 likes, 1 Comment

How to add missing Content-Length header to an HTTP POST request?
Have tried to send an APM HTTP Auth POST request to an external authentication server which requires a Content-Length header. Seems to be that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small JSON data but its size varies. HTTP Auth sends the POST to a layered VS which converts the request to https, so can use iRules there. Tried to use HTTP::collect and then calculate the size from collected HTTP::payload and do HTTP::release. However, it gets stuck. Would be nice to be able to do it at the layered VS. Alternatively, thinking of using an iRule agent event in the VPE to form the JSON POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE and using them in the HTTP Auth custom POST definition. Any advice?
1.5K Views, 0 likes, 3 Comments

What is the best practice to deploy single Tenant in F5 rseries?
Hi, we are going to deploy a new rSeries 5k with a single Tenant. What is the best practice to set it up? I plan to set it up like below, can someone please advise whether it is correct or not? And I have a question on auto disk space and memory allocation. Thanks in advance!
Allocate all the disk space to this large single tenant
Allocate all the memory to this single tenant
Within the tenant, set "Large" to "Mgmt" module
For the rest of the modules: LTM, GTM, ASM, set "Normal" under "Resource Provisioning".
Seems the system automatically allocates disk space and memory to each module. Based on the amount of disk space and memory allocated to these modules, it seems there is still a lot of spare disk space and memory. Will these modules automatically share the rest of the spare disk space and memory when necessary?
14 Views, 0 likes, 0 Comments

Any issue if setting up LTM and GTM/DNS on the same F5 Appliance Cluster?
Hi, we have a pair of F5 appliances, and plan to set up an HA cluster. After HA configuration and both appliances in sync:
LTM works well in active/standby mode as expected
GTM delivery listener is active on the active F5 appliance as expected, the DNS queries are routed to the active appliance
GTM wild-ip pool members are shown in "down" state on the Standby appliance. The status of Data Center/Links is also shown as "down" on the Standby appliance. Is it normal?
Both F5 appliances are configured under the same GTM sync-group with different external physical links. Can someone please advise? Thanks in advance!
14 Views, 0 likes, 0 Comments

Syn-Flood protection in F5 LTM BIG-IP 17.1.1.3
Hi guys, sorry, maybe I have not been so clear. I've been searching for information about syn-flood protection of F5 LTM. I know there is this feature (I saw the command on the CLI "syn-flood protection not active") but I could not find much information. I searched in the techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-syn-flood-attacks-13-0-0/1.html page but it seems all these pages of f5.com are no longer there. Can anyone explain how to activate this feature or send some exhaustive link? Device is BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3. Thank you.
B.R Mario
30 Views, 0 likes, 1 Comment

F5 Unveils New Built-In TCP Profiles
[Update 3/17: Some representative performance results are at the bottom]

Longtime readers know that F5's built-in TCP profiles were in need of a refresh. I'm pleased to announce that in TMOS® version 13.0, available now, there are substantial improvements to the built-in profile scheme. Users expect defaults to reflect best common practice, and we've made a huge step towards that being true.

New Built-in Profiles

We've kept virtually all of the old built-in profiles, for those of you who are happy with them, or have built other profiles that derive from them. But there are four new ones to load directly into your virtual servers or use as a basis for your own tuning.

The first three are optimized for particular network use cases: f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile are updated versions of tcp-wan-optimized, tcp-lan-optimized, and tcp-mobile-optimized. These adapt all settings to the appropriate link types, except that they don't enable the very newest features. If the hosts you're communicating with tend to use one kind of link, these are a great choice.

The fourth is f5-tcp-progressive. This is meant to be a general-use profile (like the tcp default), but it contains the very latest features for early adopters.

In our benchmark testing, we had the following criteria:
f5-tcp-wan, f5-tcp-lan, and f5-tcp-mobile achieved throughput at least as high, and often better, than the default tcp profile for that link type.
f5-tcp-progressive had equal or higher throughput than default TCP across all representative network types.

The relative performance of f5-tcp-wan/lan/mobile and progressive in each link type will vary given the new features that f5-tcp-progressive enables.

Living, Read-Only Profiles

These four new profiles, and the default 'tcp' profile, are now "living." This means that we'll continually update them with best practices as they evolve. Brand-new features, if they are generally applicable, will immediately appear in f5-tcp-progressive. For our more conservative users, these new features will appear in the other four living profiles after a couple of releases. The default tcp profile hasn't changed yet, but it will in future releases!

These five profiles are also now read-only, meaning that to make modifications you'll have to create a new profile that descends from these. This will aid in troubleshooting. If there are any settings that you like so much that you never want them to change, simply click the "custom" button in the child profile and the changes we push out in the future won't affect your settings.

How This Affects Your Existing Custom Profiles

If you've put thought into your TCP profiles, we aren't going to mess with it. If your profile descends from any of the previous built-ins besides default 'tcp,' there is no change to settings whatsoever.

Upgrades to 13.0 will automatically prevent disruptions to your configuration. We've copied all of the default tcp profile settings to tcp-legacy, which is not a "living" profile. All of the old built-in profiles (like tcp-wan-optimized), and any custom profiles descended from default tcp, will now descend instead from tcp-legacy, and never change due to upgrades from F5. tcp-legacy will also include any modifications you made to the default tcp profile, as this profile is not read-only.

Our data shows that few, if any, users are using the current (TMOS 12.1 and before) tcp-legacy settings. If you are, it is wise to make a note of those settings before you upgrade.

How This Affects Your Existing Virtual Servers

As the section above describes, if your virtual server uses any profile other than default 'tcp' or tcp-legacy, there will be no settings change at all.

Given the weaknesses of the current default settings, we believe most users who use virtuals with the TCP default are not carefully considering their settings. Those virtuals will continue to use the default profile, and therefore settings will begin to evolve as we modernize the default profile in 13.1 and later releases.

If you very much like the default TCP profile, perhaps because you customized it when it wasn't read-only, you should manually change the virtual to use tcp-legacy with no change in behavior.

Use the New Profiles for Better Performance

The internet changes. Bandwidths increase, we develop better algorithms to automatically tune your settings, and the TCP standard itself evolves. If you use the new profile framework, you'll keep up with the state of the art and maximize the throughput your applications receive.

Below, I've included some throughput measurements from our in-house testing. We used parameters representative of seven different link types and measured the throughput using some relevant built-in profiles. Obviously, the performance in your deployment may vary. Aside from LANs, where frankly tuning isn't all that hard, the benefits are pretty clear.
4.6K Views, 1 like, 10 Comments