profiles
20 TopicsEnabling AVR and creating Profiles
Hi All, I've recently provisioned the AVR module (nominal) with out too much trouble. However when I attempt to create a HTTP Analytics profile, I don't see all the my Virtual Servers. I don't see any Virtual Servers when I look at the Statistics->Analytics->HTTP. However I am able to access: Statistics->Analytics->Virtual Servers- Statistics->Analytics->Pools Not sure what I'm missing, that I'm unable to see all the relevant info. Appreciate all advice and suggestions. Thanks Deena50Views0likes1CommentLTM :: Zero Window Server Side :: TCP Profiles
We have a virtual server setup for our receiving mail system, and it has been configured as-is for quite some time (measured in years). Never before has an issue arisen, but recently a particular client has been having problems sending attachments to us (and as far as we are aware, ONLY that client). What they claim to see is that the connection is terminated. Normal email works fine. Small file attachments work fine. However when they send us attachments that are Mb in size, the connection will not be successful. On our side, we see the window size slowly creep down until it hits zero. The BIG-IP probes the mail system, the mail system acks the probe, but keeps the window size at zero. It does this until the zero window timeout is reached on the BIG-IP and the connection is terminated by the BIG-IP (TCP RST). This is what the window decrease looks like on the client side (tcp.stream eq 3 and ip.src eq [the mail system]): This is what the window decrease looks like on the server side (tcp.stream eq 2 and ip.src eq [the VIP]): Client side end of the connection: Server side end of the connection: My impression initially was that this is not a BIG-IP problem... but when we remove the BIG-IP from the path, the connection works fine regardless of attachment size. Again, works fine for everyone else as far as we know regardless of if the BIG-IP is in the path... which is perplexing. Things I've tried: * Switching-out TCP profiles (lan optimized, wan optimized, client and server matching and different in combinations of the above). Now on mptcp-mobile-optimized with defaults. * Moving TLS off of the F5 * Resetting TLS profile to defaults * Different mail systems (of same type/configuration) Current configuration: * VIP on port 25 * TCP profile with mptcp-mobile-optimized w/defaults * SSL Profile (defaults w/cert, optional SSL, allowed cipher suites) * SMTPS Profile (allows TLS) * Pool w/single mail system * iRule w/VIP bounceback * Source IP Persistence VIP bounceback iRule: when LB_SELECTED { if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} { snat automap } else { snat none } } Any ideas/thoughts/suggestions all welcome. Thanks for taking the time.1.2KViews0likes1CommentLTM Authentication Profile LDAP Cert Feature in APM?
Hello again, Since our customer tries to migrate from LTM auth profiles to APM he's missing one feature in APM which was available in LTM auth profiles. The customer is checking in the LDAP if a certificate is available, here's the relevant config setting: Does someone know how to implement the same in APM? Thanks, Peter1.4KViews1like10CommentsVirtual Server creation through iControl Java API fails silently due to missing profiles
I'm using iControl Java API to create a virtual server. The code is as follows: final LocalLBVirtualServerBindingStub virtualServerStub = (LocalLBVirtualServerBindingStub) new LocalLBVirtualServerLocator().getLocalLBVirtualServerPort(foobarURL); final CommonProtocolType vserverProtocolType = CommonProtocolType.fromString(protocol); final CommonVirtualServerDefinition[] vserverDefinition = new CommonVirtualServerDefinition[]{new CommonVirtualServerDefinition(name, ip, port, vserverProtocolType)}; final LocalLBVirtualServerVirtualServerResource[] resource = new LocalLBVirtualServerVirtualServerResource[]{new LocalLBVirtualServerVirtualServerResource(LocalLBVirtualServerVirtualServerType.RESOURCE_TYPE_POOL, loadBalancerPoolName)}; virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); Now this call just "passes" although no virtual server is really created (I checked through the admin UI). There are no exceptions or even any other relevant logging. After various trial and error tests, I realized that the problem was that the code was passing no "profiles" for the virtual server creation: virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); The questions I have are: 1) Why isn't the API throwing an exception if profiles is mandatory 2) Is there an API I can use to fetch the list of available profiles for a particular "protocol" and any available "default profile" for that protocol? The reason why I would like to have something like this is, because for a user who is using this code, it won't be feasible to send in some random profile name strings that perhaps won't apply to a particular "protocol" of the virtual server or even the "service type" of the virtual server. P.S: I stumbled upon a similar thread here https://devcentral.f5.com/questions/virtual-server-create-fails-silently which shows sample code to create the virtual server and in there it hard codes certain profile names which is exactly what I'm trying to avoid. Environment details: iControl Java (assembly) API version: 11.4.1 (the latest that was available here https://devcentral.f5.com/d/icontrol-library-for-java) BigIP version: 10.1 Virtual edition trial version available from here https://www.f5.com/trial/big-ip-ltm-virtual-edition.php305Views0likes0CommentsLTM Authentication Profiles EOL?
Hi all, I have a customer which is making intensive use of LTM Authentication Profiles. We are told by our F5 representative when v13 was released this time that LTM auth profiles will be EOL some day. I told my customer he should plan to go to APM to use auth in LTM. Now we're on v16 and the LTM auth profiles seem still to be available. I couldn't find any information about when LTM auth profiles will be EOL. Can someone from F5 enlighten me so that I can give this information to the customer? Thank youSolved776Views0likes2CommentsF5 SDK Python - Assign HTTP Profile to VIP
Hi, can someone draw me an example how can I assign HTTP profile to existing VIP? I am seeing that ipProtocol key is tight to tcp profile but I do not see any key that has http profile assigned when queering VIP configuration. I am little bit lost here.695Views0likes3CommentsSSL issue
Hello there, We have a F5 LTM and a virtual server configured to a server in port 443, the topology is: Computer --> F5 LTM --> switch --> server When we try to connect to the server through https we saw the message "Connection reset" in the browser, but if we try to connect without passing the F5 the connection is successful. We don't have configured any SSL client profile or server. This is the configuration on F5: #Virtual Server #________________________________________________________________________________ ltm virtual /Common/Server1 { destination /Common/10.1.5.X:443 ip-protocol tcp mask 255.255.255.255 pool /Common/Server1 profiles { /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled } #________________________________________________________________________________ #Pools #________________________________________________________________________________ ltm pool /Common/Server1 { members { /Common/10.1.7.X:443 { address 10.1.7.X } } monitor /Common/https_443 } #________________________________________________________________________________ #Profiles #________________________________________________________________________________ # -Default Profile- ltm profile tcp tcp { ack-on-push enabled close-wait-timeout 5 congestion-control high-speed deferred-accept disabled delayed-acks enabled ecn disabled fin-wait-timeout 5 idle-timeout 300 keep-alive-interval 1800 limited-transmit enabled max-retrans 8 nagle disabled proxy-buffer-high 49152 proxy-buffer-low 32768 proxy-mss disabled proxy-options disabled receive-window-size 65535 reset-on-timeout enabled selective-acks enabled send-buffer-size 65535 slow-start enabled syn-max-retrans 3 time-wait-recycle enabled time-wait-timeout 2000 timestamps enabled } As you can see, we don't have any SSL client or server profile and we tried changing "translate-port" to disabled and "Source Address Translation" to auto map but none of these work. Also we made a tcpdump and we can see the TCP Reset from 10.1.7.X (tcpdump.png) and some curl (curl.png), openssl (openssl.png and openssl2.png) and a telnet (telnet.png). Hope you can help us to find out what's going on. Thank you.416Views1like1CommentRewrite Profile JSON error
Hey Everyone, We are using a rewrite profile to do the following: Converting Client URI = https://customer.company.com/loginpage/ to Server URI = https://login.company.com/ Everything looked fine but some users i guess have more access on the backend and are getting a JSON error. Should I be using Irules instead?Solved679Views0likes3Comments