management
4598 Topics

"01020066:3: The requested Node (/Common/fqdn1) already exists in partition Common."
Hello, when trying to POST a new application in a tenant that uses an FQDN already shared across tenants in the same cluster, the AS3 POST response is: "01020066:3: The requested Node (/Common/fqdn1) already exists in partition Common." It is saying that fqdn1 already exists in /Common, which is true, as it can be seen in other pools as a member. Now, if I try a different FQDN (fqdn2), it works fine with no issues. Any suggestions on how to find the root cause and fix this without deleting fqdn1 from everywhere and redeploying it? Thank you. J

Version running: 3.56.0-10

40 views, 0 likes, 1 comment

Building a Certificate Lifecycle Manager with F5 BIG-IP Support — Looking for iControl REST Feedback
GitHub: https://github.com/shankar0123/certctl

Managing certificate renewals on BIG-IP is one of those tasks that's easy to forget until it breaks something. The typical workflow is: generate a CSR, submit to a CA, wait for issuance, download the cert, upload through the GUI or push via iControl REST, bind it to the right virtual server. This has too many manual steps and no central visibility into what's expiring when.

I'm building certctl, a self-hosted certificate lifecycle platform, and F5 BIG-IP is one of the target connectors I'm working on. The platform already handles certificate issuance (built-in Local CA and ACME/Let's Encrypt with HTTP-01 challenges), configurable renewal policies, agent-based key generation (ECDSA P-256, private keys never leave the agent), threshold-based expiry alerting, policy enforcement, and an immutable audit trail. The NGINX target connector is fully implemented. Agents deploy certs via file write, nginx -t validation, and reload.

Where I need feedback — the F5 connector:

The F5 target connector interface is built and the iControl REST flow is mapped out, but I'm looking for input from people who manage certs on BIG-IP day to day before shipping the implementation. The planned flow is:

  1. Authenticate via POST /mgmt/shared/authn/login
  2. Upload cert PEM via POST /mgmt/tm/ltm/certificate
  3. Update the SSL profile via PATCH /mgmt/tm/ltm/profile/client-ssl/{profile}
  4. Validate deployment by checking profile status

Questions for the community:

  - Is this the right iControl REST flow for cert deployment, or are there edge cases I'm missing (e.g., cert bundles, intermediate chain handling, partition scoping)?
  - Do most environments use client-ssl profiles directly, or is there a layer of indirection I should account for?
  - Any gotchas with token-based auth vs. basic auth on newer BIG-IP versions?

129 views, 0 likes, 0 comments

BIG‑IQ: Adding rSeries/Velos Devices through the REST API
Hello,

Is there a way to add F5OS devices (rSeries/Velos) to a BIG‑IQ instance using the REST API or an Ansible module? The latest API‑Reference version is 8.1.0, but the capability to add F5OS devices was introduced in later BIG‑IQ releases. Adding our devices manually is not an option for us. Could someone point me in the right direction, please?

Cheers,
Ichnafi

48 views, 0 likes, 0 comments

RDP persistence with SNAT
Hi, rather than using an RDS broker service, is there a simpler way to persist and equally load balance traffic to an RDP VIP which is a resource on APM? Our setup is:

  - The client connects to APM.
  - On APM there is a webtop using native RDP which points at the IP address of an LTM VIP on the same F5.
  - The LTM VIP sees the F5 SNAT IP. I cannot pass any cookie, header, or even a custom RDP parameter from APM to the LTM VIP, so there is no way to persist on anything unique.
  - LTM cannot see the username. Apparently, if even a blank APM profile is bound to the LTM VIP I can see things like the SSO username; however, if I enable APM then the VIP makes an SSL profile mandatory, which then breaks RDP.

Any other ways to do this, or is it impossible?

62 views, 0 likes, 1 comment

Struggling with web GUI usability with links in new tabs
Hi, there's this thing with the web GUI for a BIG-IP that slows me down terribly. If I want, let's say, to open multiple tabs of different virtual servers, I have to do it slooooooowly; I can't open 10 tabs in like 2 seconds because the web GUI somehow needs to load everything before accepting a new link. If I open virtual server A in a new tab I have to wait for it to fully load before opening VS B, because if I don't, it'll load VS B in both tabs. Is there any way to prevent this from happening? It's pretty infuriating.

Also, is there a way to make the web GUI not work as an SPA? I know there's the "link to this page" thing in the gear icon for each page, but I just want to have my tabs with the absolute URL, not hxxps://host/xui. Thanks.

94 views, 0 likes, 1 comment

F5 i-series Guests to r-series tenants migration
Hi All,

I have two i-series 11900 with 4 guests on each: 1 LTM, 1 GTM, 1 WAF, and 1 APM. There is HA between the guests. I am working on a migration plan to r-series 10900 and have two options:

Option 1: HA method. Here, I will replace the i-series device that has the standby guests with the r-series device. Then I will establish the HA between the active i-series and the r-series and sync the configuration. Then I will make the r-series active. Then I will replace the newly becoming standby i-series device with the second r-series and establish the HA with the first r-series. This is a lengthy way but has the positive side of fast rollback in case I face any issue, and there will be no changes on the management IPs.

Option 2: UCS method. In this method I will create a replica of the existing guests on the r-series tenants using the UCS files from the i-series guests. This setup will be isolated from the production network. During the maintenance window, I will disconnect the cables from the i-series and connect them to the r-series boxes. This way I need to use different management IPs while building the replica setup, and during the migration I will change the management IPs and use the ones that were on the i-series.

Note that the existing devices are connected to Cisco ACI.

Let me hear your thoughts and suggestions.

330 views, 0 likes, 7 comments

Impact of client.crt and server.crt expiration
My device is currently running on L4 A-S. The client.crt and server.crt expire in 2027.05. DTDI and DTCA expire in 2035.

  1. If client.crt and server.crt expire, will it affect HA or config sync?
  2. If I need to update, I'll do it via CLI. Will it affect HA and config sync? I'm wondering if I need to set up new redundancy or reboot, or anything like that.

This is a very sensitive service, so there may not be a maintenance window, so I wanted to notify you in advance.

111 views, 0 likes, 2 comments

BigIP/IQ Security Compliance Scanner
Hello All,

I would like to initiate a discussion about a personal project I am developing. The following description of the project's goal will be an overview rather than a low-level description of how it will function.

The project centers on a tool (desktop application/web app) that will allow F5 BigIP/IQ administrators/engineers to upload XML/JSON documents. The XML/JSON will contain a specific schema for security settings that the application parses and translates into iControl REST API calls or TMSH commands via SSH to verify if the BigIP/IQ server is configured with a particular setting. Below are some examples to help demonstrate the overall concept.

Example: User uploads an XML document that contains the following security settings:

    <?xml version="1.0" encoding="UTF-8"?>
    <Settings>
      <OnDemandCertAuth>
        <VerifyText>Run the below command in TMSH</VerifyText>
        <Action>tmsh modify sys httpd auth-pam-validate-ip on</Action>
        <Action>tmsh save sys config</Action>
      </OnDemandCertAuth>
    </Settings>

Now that the doc is uploaded, the app parses the XML for the "<Action>" element, then creates the related tmsh show command or potential iControl REST API call to verify if httpd is validating IPs on standard auth to the GUI, in this example. Depending on the data returned from TMSH or the API, the application would then present the user with a table in the GUI that shows the checks that passed and failed. Then they could remediate the system to have the correct security setting for compliance.

Lastly, I'd like to provide a bit more background on the inspiration for this tool. I work a lot in the federal space, where we have to make sure our F5 products meet a baseline security standard. Currently, there are no tools that automate this like there are for Windows products, etc. If you have ever used the SCAP tool for DISA STIGs, then you'll understand the overall goal of this project.

Thank you for taking the time to review my post to the community. I'd love to hear your feedback!

64 views, 0 likes, 0 comments
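One way to sketch the parse-and-verify step the post describes, as an added example that is not the project's own code: it reads the Action elements from the sample XML above, derives a read-back command for each "tmsh modify" action, and grades the captured output as PASS or FAIL. The "tmsh list <path> <property>" read-back form and the output layout are assumptions, not taken from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the settings document shown in the post.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Settings>
  <OnDemandCertAuth>
    <VerifyText>Run the below command in TMSH</VerifyText>
    <Action>tmsh modify sys httpd auth-pam-validate-ip on</Action>
    <Action>tmsh save sys config</Action>
  </OnDemandCertAuth>
</Settings>
"""

# Matches "tmsh modify <component path> <property> <value>"; the path is one or more words.
MODIFY_RE = re.compile(r"^tmsh\s+modify\s+(?P<path>(?:\S+\s+)+?)(?P<key>\S+)\s+(?P<value>\S+)$")


def checks_from_xml(xml_text):
    """Return one (name, list_command, key, expected) tuple per 'tmsh modify' Action.

    Actions that change nothing verifiable (e.g. 'tmsh save sys config') are skipped.
    The 'tmsh list <path> <property>' read-back form is an assumption of this example.
    """
    checks = []
    for section in ET.fromstring(xml_text):
        for action in section.findall("Action"):
            m = MODIFY_RE.match((action.text or "").strip())
            if not m:
                continue
            path, key, value = m.group("path").strip(), m.group("key"), m.group("value")
            checks.append((section.tag, f"tmsh list {path} {key}", key, value))
    return checks


def evaluate(check, tmsh_output):
    """Grade one check against captured 'tmsh list' output: 'PASS', 'FAIL' or 'MISSING'."""
    _, _, key, expected = check
    m = re.search(rf"\b{re.escape(key)}\s+(\S+)", tmsh_output)
    if m is None:
        return "MISSING"  # property absent from the output: treat as not compliant
    return "PASS" if m.group(1) == expected else "FAIL"


if __name__ == "__main__":
    # Constructed output in the layout 'tmsh list' is assumed to print for this property.
    captured = "sys httpd {\n    auth-pam-validate-ip on\n}\n"
    for check in checks_from_xml(SAMPLE_XML):
        print(check[0], check[1], evaluate(check, captured))
```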