For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

management

4574 Topics

ACME DNS RFC-2136 Let's Encrypt certs
I've been pushing on certbot to handle CNAME entries when ordering certs, and finally given up. https://github.com/certbot/certbot/issues/6787 https://github.com/certbot/certbot/pull/9970 https://github.com/certbot/certbot/pull/7244 This repo contains scripts that: Create an ACME account with Let's Encrypt use TSIG credentials to talk to bind (RFC-2136) create TXT record in correct zone by following CNAME and SOA entries if present downloads certs installs certs on one or more F5s. The F5 credentials requires Administrator rights as Certificate Manager can't upload files. https://github.com/timriker/certmgr CNAME records are recommended to a zone with minimal or no replication and a low TTL. ie: _acme-challenge.example.com CNAME example.com._tls.example.com _acme-challenge.example.net CNAME example.net._tls.example.com _tls.example.com would have one name server and 30 second TTL or so a TSIG key would be created that only needs update access to _tls.example.com Comments welcome. JRahm I'm looking at you. 😎 More info: https://letsencrypt.org/docs/challenge-types/
TimRiker
Dec 09, 2025 Place Technical Forum
68Views
3likes
1Comment
UCS Encryption Question
Good day! In order to run a platform migration with a UCS restore from a FIPS licensed platform (physical to virtual), you need to make some modifications to the UCS file. This requires decryption of the file using article https://my.f5.com/manage/s/article/K58543794 to facilitate extraction and modification of the .conf files. My questions are twofold: (1) On a FIPS licensed platform, do you have to re-encrypt the file in order to load it? I know you can't run a backup unless a passphrase is specified. (2) What is the string to re-encrypt the file? I've tried the following command to no avail: gpg --symmetric --cipher-algo AES128 --output /var/local/ucs/backup-encrypted.ucs /var/local/ucs/backup-decrypted.ucs I'm clearly missing something here. I constructed the command from the guidance found within https://my.f5.com/manage/s/article/K5437 and when performing the restore, I'm getting an "Unexpected Error: UCS loading process failed." error. If anyone can assist, I'd greatly appreciate it. If an encrypted UCS is NOT required to restore a FIPS licensed platform, then that's all good as well! Have a great day!
Solved
Cory_O
Dec 05, 2025 Place Technical Forum
37Views
0likes
2Comments
BIG-IP device fails to install node-inspector
Hi all, when I followed the steps in 'Steps to Setup Node-Inspector on BIG-IP' and executed the following command, an error occurred. command: [root@bigip1:Active:Standalone] ~ # npm install -g node-inspector@0.12.8 errors: npm ERR! Linux 3.10.0-862.14.4.el7.ve.x86_64 npm ERR! argv "/usr/bin/node" "/usr/bin/.npm__" "install" "-g" "node-inspector@0.12.8" npm ERR! node v6.9.1 npm ERR! npm v3.10.8 npm ERR! path /usr/lib/node_modules npm ERR! code EROFS npm ERR! errno -30 npm ERR! syscall access npm ERR! rofs EROFS: read-only file system, access '/usr/lib/node_modules' npm ERR! rofs This is most likely not a problem with npm itself npm ERR! rofs and is related to the file system being read-only. npm ERR! rofs npm ERR! rofs Often virtualized file systems, or other file systems npm ERR! rofs that don't support symlinks, give this error. npm ERR! Please include the following file with any support request: npm ERR! /root/npm-debug.log logs: [root@bigip1:Active:Standalone] ~ # tail -30 /root/npm-debug.log 7616 silly idealTree | `-- lodash@3.10.1 7616 silly idealTree +-- xmldom@0.1.31 7616 silly idealTree +-- xtend@4.0.2 7616 silly idealTree +-- y18n@3.2.2 7616 silly idealTree `-- yargs@3.32.0 7617 silly generateActionsToTake Starting 7618 silly install generateActionsToTake 7619 warn checkPermissions Missing write access to /usr/lib/node_modules 7620 silly rollbackFailedOptional Starting 7621 silly rollbackFailedOptional Finishing 7622 silly runTopLevelLifecycles Finishing 7623 silly install printInstalled 7624 verbose stack Error: EROFS: read-only file system, access '/usr/lib/node_modules' 7624 verbose stack at Error (native) 7625 verbose cwd /root 7626 error Linux 3.10.0-862.14.4.el7.ve.x86_64 7627 error argv "/usr/bin/node" "/usr/bin/.npm__" "install" "-g" "node-inspector@0.12.8" 7628 error node v6.9.1 7629 error npm v3.10.8 7630 error path /usr/lib/node_modules 7631 error code EROFS 7632 error errno -30 7633 error syscall access 7634 error rofs EROFS: read-only file system, access '/usr/lib/node_modules' 7635 error rofs This is most likely not a problem with npm itself 7635 error rofs and is related to the file system being read-only. 7635 error rofs 7635 error rofs Often virtualized file systems, or other file systems 7635 error rofs that don't support symlinks, give this error. 7636 verbose exit [ -30, true ] This seems like a directory access permission issue, but I can't change the read/write permissions on the F5 device. How should this be resolved? f5-appsvcs-extension/contributing/node_inspector_profiling_as3.md at v3.54.2 · F5Networks/f5-appsvcs-extension
Solved
ecolauce
Dec 03, 2025 Place Technical Forum
81Views
0likes
4Comments
Illegal Request in Learning Suggestion for 200 OK response
Dears, I want to know the reason why this suggestion is showing an illegal request status even though response code is 200 OK. Is it because multiple violations triggered? The policy is in transparent mode and I am just verifying the suggestions. Can someone please provide an expert advise?
SRM
Dec 01, 2025 Place Technical Forum
80Views
0likes
5Comments
/mgmt/toc - not possible to launch rest api rest browser
Hi, could you help please on how to kick off the api rest browser? attaching below the internals Thank in advance after providing my admin credentials, the follwoing response is returned { "code": 400, "message": "URI path /mgmt/logmein.html not registered. Please verify URI is supported and wait for /available suffix to be responsive.", "referer": "https://1.2.3.4/mgmt/toc", "restOperationId": 13525870, "kind": ":resterrorresponse" } Platform ID Z101 Platform Name BIG-IP Tenant Software Version BIG-IP v17.1.3 (Build 0.20.11) Bundle, r5600
AndrzejJez
Dec 01, 2025 Place Technical Forum
112Views
0likes
6Comments
Error post F5 upgrade
We're in middle of F5 upgrade. This is the first time I am doing the upgrade. We followed all the steps. Device came back after the reboot, but when I am logging into the device, it is giving me error as 'The configuration has not yet loaded. If this message persists, it may indicate a configuration problem'. On the other line, I am trying to reach TAC. During checking F5 articles, I came across this community so registered here to ask the question. Is anyone can help me with this pls?
Solved
raj_raut
Nov 26, 2025 Place Technical Forum
94Views
0likes
5Comments
Extend capacity of the blade on Velos
Hello everyone, for a customer I need to buy another blade for Velos system that permit to extend the capacity of the disk, at the moment i have cofigured a single blade that is it used at 85%, the target is to buy another one, for having a logical drive that is thwe sum of both hard drive. Is it possible to do it ? I have read documentations about it but, i have not found the correct information, in addition you have to say that now, in the first balde there are 9 Tenants who are working in a production environment, so that, the goal is activities, for add the new blade, should not have impacts on the production. Many thanks , in advanced, everyone. Awaiting news,
unavailable
Nov 24, 2025 Place Technical Forum
66Views
0likes
3Comments
TMOS 21.0.0 compatibility
Hello. The BigIP release matrix and the The F5 hardware/software compatibility matrix documents explicitely declare ix000 hardware serie as not compatible with TMOS 21.0.0. However, IHealth promotes it as an upgrade option for our i5600 hardware, and this uncompatibility doesn't match my own comprehension of "Hardware End of New Software Support (EoNSS)" limit, which is not reached yet for this platform until Jan 01 2026. Does that means TMOS 21.0.0 is supposed to be made available later for this hardware, or just that iHealth has a bug, and that I missed something in the definition of EoNSS ? Regards.
Guillaume_Rouss
Nov 24, 2025 Place Technical Forum
101Views
0likes
2Comments
How to Use ACME with BIG-IP
We are terminating SSL on BIG-IP and considering using KOJOT-ACME for automatic certificate renewal. Could you explain the steps, configuration, and requirements (such as version or model) for using ACME with BIG-IP? We are struggling because we don’t know exactly what needs to be done on the BIG-IP side.
richaed
Nov 20, 2025 Place Technical Forum
106Views
0likes
1Comment
Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF
Hi Team, We’re running Microsoft Exchange Server 2016 CU24 on Windows Server 2019, and have enabled Kerberos (Negotiate) authentication due to NTLM being deprecated in F5 Cloud WAF. Environment summary: Exchange DAG setup: 4 servers in Primary Site, 2 in DR Site Active Directory: Windows Server 2019 F5 Component: Cloud WAF (BIG-IP F5 Cloud Edition) handling inbound HTTPS traffic Namespaces: mail.domain.lk, webmail.domain.lk, autodiscover.domain.lk Authentication configuration: Negotiate (Kerberos) with NTLM, Basic, and OAuth as fallback SPNs: Correctly registered under the ASA (Alternate Service Account) computer account Certificate: SAN includes mail, webmail, and autodiscover Current status: Internal domain-joined Outlook 2019 clients work without issue. Outlook 2016, Office 2021, and Microsoft 365 desktop apps continue to prompt for passwords. Internal OWA and external OWA through F5 Cloud WAF both work correctly. Observation: Autodiscover XML shows <AuthPackage>Negotiate</AuthPackage> for all URLs. Kerberos authentication works internally, so SPNs and ASA setup are confirmed healthy. Password prompts appear only when traffic passes through F5 Cloud WAF, which terminates TLS before reaching Exchange. Suspected cause: F5 Cloud WAF may not support Kerberos Constrained Delegation (KCD) in the current configuration. TLS termination on F5 breaks the Kerberos authentication chain. NTLM/Basic fallback might not be fully passed through from WAF to backend. We would appreciate clarification on: Does F5 Cloud WAF support Kerberos Constrained Delegation (KCD) for backend Exchange 2016 authentication? If not, can Kerberos pass-through or secure fallback methods (NTLM/Basic) be enabled? Recommended configuration for supporting Outlook 2016 and Microsoft 365 clients when Exchange advertises Kerberos (Negotiate)? Is there an F5 reference configuration or iRule template for this scenario (Exchange 2016 + Kerberos)? Thank you for your guidance.
Solved
Kayjay88
Nov 18, 2025 Place Technical Forum
196Views
0likes
7Comments