Enabling AVR and creating Profiles
Hi All, I've recently provisioned the AVR module (nominal) with out too much trouble. However when I attempt to create a HTTP Analytics profile, I don't see all the my Virtual Servers. I don't see any Virtual Servers when I look at the Statistics->Analytics->HTTP. However I am able to access: Statistics->Analytics->Virtual Servers- Statistics->Analytics->Pools Not sure what I'm missing, that I'm unable to see all the relevant info. Appreciate all advice and suggestions. Thanks Deena
LTM :: Zero Window Server Side :: TCP Profiles
We have a virtual server setup for our receiving mail system, and it has been configured as-is for quite some time (measured in years). Never before has an issue arisen, but recently a particular client has been having problems sending attachments to us (and as far as we are aware, ONLY that client). What they claim to see is that the connection is terminated. Normal email works fine. Small file attachments work fine. However when they send us attachments that are Mb in size, the connection will not be successful. On our side, we see the window size slowly creep down until it hits zero. The BIG-IP probes the mail system, the mail system acks the probe, but keeps the window size at zero. It does this until the zero window timeout is reached on the BIG-IP and the connection is terminated by the BIG-IP (TCP RST). This is what the window decrease looks like on the client side (tcp.stream eq 3 and ip.src eq [the mail system]): This is what the window decrease looks like on the server side (tcp.stream eq 2 and ip.src eq [the VIP]): Client side end of the connection: Server side end of the connection: My impression initially was that this is not a BIG-IP problem... but when we remove the BIG-IP from the path, the connection works fine regardless of attachment size. Again, works fine for everyone else as far as we know regardless of if the BIG-IP is in the path... which is perplexing. Things I've tried: * Switching-out TCP profiles (lan optimized, wan optimized, client and server matching and different in combinations of the above). Now on mptcp-mobile-optimized with defaults. * Moving TLS off of the F5 * Resetting TLS profile to defaults * Different mail systems (of same type/configuration) Current configuration: * VIP on port 25 * TCP profile with mptcp-mobile-optimized w/defaults * SSL Profile (defaults w/cert, optional SSL, allowed cipher suites) * SMTPS Profile (allows TLS) * Pool w/single mail system * iRule w/VIP bounceback * Source IP Persistence VIP bounceback iRule: when LB_SELECTED { if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} { snat automap } else { snat none } } Any ideas/thoughts/suggestions all welcome. Thanks for taking the time.
LTM Authentication Profile LDAP Cert Feature in APM?
Hello again, Since our customer tries to migrate from LTM auth profiles to APM he's missing one feature in APM which was available in LTM auth profiles. The customer is checking in the LDAP if a certificate is available, here's the relevant config setting: Does someone know how to implement the same in APM? Thanks, Peter
Virtual Server creation through iControl Java API fails silently due to missing profiles
I'm using iControl Java API to create a virtual server. The code is as follows: final LocalLBVirtualServerBindingStub virtualServerStub = (LocalLBVirtualServerBindingStub) new LocalLBVirtualServerLocator().getLocalLBVirtualServerPort(foobarURL); final CommonProtocolType vserverProtocolType = CommonProtocolType.fromString(protocol); final CommonVirtualServerDefinition[] vserverDefinition = new CommonVirtualServerDefinition[]{new CommonVirtualServerDefinition(name, ip, port, vserverProtocolType)}; final LocalLBVirtualServerVirtualServerResource[] resource = new LocalLBVirtualServerVirtualServerResource[]{new LocalLBVirtualServerVirtualServerResource(LocalLBVirtualServerVirtualServerType.RESOURCE_TYPE_POOL, loadBalancerPoolName)}; virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); Now this call just "passes" although no virtual server is really created (I checked through the admin UI). There are no exceptions or even any other relevant logging. After various trial and error tests, I realized that the problem was that the code was passing no "profiles" for the virtual server creation: virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); The questions I have are: 1) Why isn't the API throwing an exception if profiles is mandatory 2) Is there an API I can use to fetch the list of available profiles for a particular "protocol" and any available "default profile" for that protocol? The reason why I would like to have something like this is, because for a user who is using this code, it won't be feasible to send in some random profile name strings that perhaps won't apply to a particular "protocol" of the virtual server or even the "service type" of the virtual server. P.S: I stumbled upon a similar thread here https://devcentral.f5.com/questions/virtual-server-create-fails-silently which shows sample code to create the virtual server and in there it hard codes certain profile names which is exactly what I'm trying to avoid. Environment details: iControl Java (assembly) API version: 11.4.1 (the latest that was available here https://devcentral.f5.com/d/icontrol-library-for-java) BigIP version: 10.1 Virtual edition trial version available from here https://www.f5.com/trial/big-ip-ltm-virtual-edition.php
LTM Policy with Rewrite profile forward to specific Node
The issue I am currently facing is in the common partition I have a profile rewrite and an LTM policy in place working perfectly and has no issues. I have tried to replicate this in a different partition with the exact same steps and it is not working. We have a virtual server: VS_Azure1.aeltc.com_10.205.1.xxxabc.aeltc.com10.205.1.xxx443 (HTTPS)StandardEdit...DMZ And we have a pool: pool_abc.aeltc.com3DMZ In this pool we have 3 different nodes ( running 3 different services ) The profile rewrite looks like this: Client uri: https://abc.aeltc.com/aegis/tt/api/ > server uri: https://ae-iapp01-tt.office.aeltc.org/AEGIS10/api/ Client uri: https://abc.aeltc.com/catering/tt/api/ > server uri: https://uniwareintegration-tt.office.aeltc.org/api/ The above are 2 examples, so the LTM policy I have tried to configure is: If when browsing to abc.aeltc.com they add /aegis/tt/api/ then send the traffic to node one always. If when browsing to abc.aeltc.com they add /catering/tt/api/ then send the traffic to node two always. I have attempted to do this via LTM however the policy isn't working it still load balances via the pool? Any help would be deeply apricated.
SSL issue
Hello there, We have a F5 LTM and a virtual server configured to a server in port 443, the topology is: Computer --> F5 LTM --> switch --> server When we try to connect to the server through https we saw the message "Connection reset" in the browser, but if we try to connect without passing the F5 the connection is successful. We don't have configured any SSL client profile or server. This is the configuration on F5: #Virtual Server #________________________________________________________________________________ ltm virtual /Common/Server1 { destination /Common/10.1.5.X:443 ip-protocol tcp mask 255.255.255.255 pool /Common/Server1 profiles { /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled } #________________________________________________________________________________ #Pools #________________________________________________________________________________ ltm pool /Common/Server1 { members { /Common/10.1.7.X:443 { address 10.1.7.X } } monitor /Common/https_443 } #________________________________________________________________________________ #Profiles #________________________________________________________________________________ # -Default Profile- ltm profile tcp tcp { ack-on-push enabled close-wait-timeout 5 congestion-control high-speed deferred-accept disabled delayed-acks enabled ecn disabled fin-wait-timeout 5 idle-timeout 300 keep-alive-interval 1800 limited-transmit enabled max-retrans 8 nagle disabled proxy-buffer-high 49152 proxy-buffer-low 32768 proxy-mss disabled proxy-options disabled receive-window-size 65535 reset-on-timeout enabled selective-acks enabled send-buffer-size 65535 slow-start enabled syn-max-retrans 3 time-wait-recycle enabled time-wait-timeout 2000 timestamps enabled } As you can see, we don't have any SSL client or server profile and we tried changing "translate-port" to disabled and "Source Address Translation" to auto map but none of these work. Also we made a tcpdump and we can see the TCP Reset from 10.1.7.X (tcpdump.png) and some curl (curl.png), openssl (openssl.png and openssl2.png) and a telnet (telnet.png). Hope you can help us to find out what's going on. Thank you.
