TCP RST instead of Server Hello during SSL Handshake
Hi All, Been troubleshooting an issue with a customer after they made changes server side to disable SSLv2 and SSLv3 etc and to only accept ciphers for TLS1.1 and TLS1.2 By default they were using the standard default https monitor for their pool and post making changes server side (i don't have access) the node is now not coming up. HTTP is fine but HTTPS is a problem. We're running BIG-IP 11.4.0 (Build 2434.0) I'm wondering if he's only enabled ciphers which aren't available in the current version of Big-IP we are using Here's the SSLDUMP (cipher set to ALL): 1 1 - 1444809450.0879 (0.0024) C>SV3.1(114) Handshake ClientHello Version 3.1 random[32]= 56 1e 0a ea e4 11 03 df d1 77 92 83 da ec 1d 44 21 65 c2 20 97 25 40 53 75 d6 e5 c2 6b 1d 96 65 cipher suites TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Unknown value 0x46 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xff compression methods unknown value NULL 1 - 1444809450.0884 (0.0004) S>C TCP RST
iRule to Forward Traffic Based on URL Name
Hi, I am in a situation where we have shortage of IP address and am looking for an alternative way to forward traffic to pools based on URL. I am not really good with iRule hence looking for assistance and I have seen posts based on URI, but i am looking for assistance with URL. Eg: 1 VIP and based on the url name, the traffic needs to be forwarded to Pool. Help on this is appreciated
Irule with elseif and pool selection
Hello, I'm trying to write an irule that routes traffic to a specific pool based on the host. I think I'm fairly close, but I can't figure out the following error: 01070151:3: Rule [test-pool-selection] error: line 5: [undefined procedure: elseif] [elseif] when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { if { [HTTP::host] starts_with "abc" } { pool ss-devsp3-pool } elseif { [HTTP::host] starts_with "def" } { pool ss-devsp3-pool-81 } elseif { [HTTP::host] starts_with "ghi" } { pool ss-devsp3-pool-82 } } }
MySQL active connection never bleed off to other pool member
I am running galera MySQL behind F5 with performance Layer 4 type and i have setup 3 mysql node in pool member with Priority so only 1 mysql node will be used and other two will be standby. So everything was good but i found today when i shutdown Primary node which was active and i found my application break and when i have checked logs found: (2006, "MySQL server has gone away (error(104, 'Connection reset by peer'))") So solution was restart application, look like active member mysql connection not bleeding off to other pool member, what is wrong with my setup?
iRule to close an established connection
I have tcp (not http) based service where client connections are permanent. By that I mean that once a connection to a pool member gets established its stays there 24x7. The pool has 2 pool members configured with priority group. The first pool member has priority 2 and the second one priority 1, with a Less than '1' value for Priority Group Activation. The pool also has the setting of 'Reject' for 'Action On Service Down'. That takes care of any scenario where a pool member is marked down by health monitors. Whenever a highest priority pool is marked down by health monitors all established connections to that pool members get closed automatically. The client applications immediately try to reconnect and get established connections to the second pool member with the lower priority. So far, everything is exactly what we want to accomplish. The challenge comes when the higher priority pool member is marked up/available once again. We're looking for an automatic way to close the already established connections to the lower priority pool member as soon as the higher priority pool member becomes available. Is there a way to do so? Not sure what event I should use for an already established connection. First ones that came to mind were LB_SELECTED and CLIENT_ACCEPTED. So far, I've tried the following options without any results: when LB_SELECTED { if { [LB::status pool poolname member 10.0.0.1 80 ] equals "up" and [IP::addr [LB::server addr] equals 10.0.0.2] } { reject } } when LB_SELECTED { if { [LB::status pool poolname member 10.0.0.1 80 ] equals "up" and [IP::addr [LB::server addr] equals 10.0.0.2] } { LB::reselect pool poolname member 10.0.0.1 } }Gather a list of virtuals and or pools that are offline state and provide duration
Hi, I am looking for a way in tmsh to provide a list of offline VIPs/pools. In addition to that, I want to know how long they were offline. I know I can sift through the LTM logs but that will take too long for what I want to accomplish. If I go to the GUI, I can list a set of VIPs/Pools based on 'offline' status, however it does not provide duration, just shows the current state.Monitoring ephemeral pool members & nodes
Hi, I'm looking to use the dynamic FQDN resolution for nodes / pool members, but have a few queries... If an Ephemeral pool member goes down, does that failure trigger anything on the DNS / Node side? Immediate resolution in case the result has changed etc.? Resolution appears to be wholly at the node level, suggesting the health of the pool member is irrelevant, and always limited to the IP's returned periodically by the DNS lookup attached to the node - and "DNS monitoring" merely means a resolution occured. The documentation about "auto populate" is confusing me. What is the real life difference between Enabled and Disabled? I see that when Disabled, the very first result is always used, however it still creates the Ephemeral node, it's still done periodically etc., so the only meaningful difference seems to be if more than one A is returned at a time. There's reference to Enabled removing members that are no longer being returned, but isn't that already implicitly true for Disabled? If that one result changes, then the pool member will change accordingly. Is it really any more meaningful than "Disabled = ignore additional results, Enabled = create nodes for all answers."? What would it mean for a node to auto populate, but a pool member using that node to NOT be set to do that? I see we only get a single pool member, but multiple nodes... but what is the consequence of this? Is there a reason this would be found useful? How does the node resolution internal work with the DNS Cache option in the system settings? The reoslution does use these settings, right? Would it make sense to set the resolution low ~ 5 seconds and enable caching on LTM, meaning that the name would be resolved almost as soon as the TTL expires on the record, thereby falling out of the cache? Could this be seen as a realistic best practise, or are there dragons hiding around here? Setting node resolution at an arbitrary hour interval as per default seems very dangerous to me. Thanks!
OCSP health monitor
Hey Guys, Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done. I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored. Any help is appreciated. ThanksGTM and LTM Virtual Server Service Ports
I'm trying to create a Wide IP for one of my company's applications and the application uses multiple TCP ports where each port serves a different and independent purpose. On my LTM, I have set up the Pools and the Virtual Servers for this: LTM @ Data Centre A VS 1: 10.1.0.100 Service Port: 80 (HTTP) VS 2: 10.1.0.100 Service Port: 443 (HTTPS) LTM @ Data Centre B VS 1: 10.2.0.100 Service Port: 80 (HTTP) VS 2: 10.2.0.100 Service Port: 443 (HTTPS) What I want to do now is to create a Wide IP DNS called to load balance between these two data centres. I already have the LTMs linked up to my GTM. The problem I face is that when I try to create a pool for the two IPs, I go to: Global Traffic > Pools > Pool List > Create Name: sample_pool Member List: <<< When I try to choose a member, I notice that all the members come with Service Ports tied to them. There isn't a way to add a member without a service port and here's the issue. If I add a member from Data Centre A and a member from Data Centre B both with service port 443, doesn't this mean that if port 443 becomes unavailable at any one Data Centre, the GTM will mark the member as unavailable even if port 80 is still up? I want the GTM to be able to still send traffic to Data Centre A even if 443 is down as long as 80 is up (and vice versa).
