ssl
449 Topics

Struggling with Node.js API for Searching Profiles Across Multiple F5 Devices
Hey everyone, I’m working on a Node.js API that connects to my frontend and allows users to search for an SSL or LTM profile by name and get back all the relevant details. The twist is that the profile could live on any one of 40+ F5 devices (different mgmt IPs).

Here’s what I’ve done so far:
I’m using the F5 REST API and creating a session token for each mgmt IP to avoid basic auth on every call.
I built a loop to query each device, aggregate results, and return the profile details if it exists.

The problem:
It’s not consistent. Sometimes the profile is found; other times it’s missed—even though it’s definitely there.
I’m getting timeouts pretty frequently, which adds to the frustration.
Feels like I’m doing too many sequential calls and maybe hitting performance or token issues.

Has anyone tackled something similar?
How do you structure your calls to make them reliable across multiple devices?
Is there a recommended pattern for handling large-scale F5 REST calls in Node.js (parallelization, rate limits, caching)?
Should I stick to session tokens or consider another auth pattern?
Any tricks for minimizing timeouts when calling multiple mgmt IPs?

Any examples, best practices, or lessons learned would be hugely appreciated. At this point, I’m looking for a clean way to make this work reliably before I refactor again. Thanks

48 Views, 0 likes, 1 Comment

F5 Device Certificate renewal process on Active and Standby devices
Hi Team, The SSL certificates on the load balancers we manage (both Active and Passive) are set to expire in July. Could you please share the recommended steps to renew them correctly and ensure a smooth implementation without any service impact?

Certificate Expiry Details
Active Load Balancer: Expires on July 26th, 2025
Passive Load Balancer: Expires on July 27th, 2025

Please note that in our case, both load balancers are using different certificates.

133 Views, 0 likes, 4 Comments

TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) Setup I frequently see the following logs:

***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"***

Any idea what this TCL error causes? The clientssl is quite basic: one certificate chain, no Server Name set. Thanks, Rolf

1.3K Views, 1 like, 5 Comments

SNI Sites not taking correct certificate.
I have configured one VIP with two certificates: aks.test.com and aks4.test.com. On the SSL profile for aks.test.com I have enabled the SNI feature, and aks.test.com is working fine, taking the correct certificate (aks.test.com). But aks4.test.com has a "not secure" error in the browser and is taking the certificate of aks.test.com. Could someone please help with what could be the issue in this case?

223 Views, 0 likes, 8 Comments

How to Renew F5 Device Certificate
Hi Team, We have a self-signed device certificate which is going to expire soon. Can you please let me know if I can click on renew and update the expiry date? Please let me know the correct procedure to renew the device certificate.

System ›› Certificate Management : Device Certificate Management : Device Certificate ›› server.crt

Solved. 598 Views, 0 likes, 6 Comments

An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing SSL termination on F5) fails because the enriched header from the client contains reserved TLS extension values (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1). The Client Hello request in the SSL Handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in Server Hello. I need an iRule that can allow that Extension to be added on the client SSL profile so the SSL handshake doesn't fail.

2.5K Views, 0 likes, 26 Comments

SSL Renewal / Orchestration?
What are people who use F5 LTM using for SSL ordering/orchestration/renewal? We don't have BIGIP but are running BIGIP Os 16.x.x and I see some integration in the webUI for GoDaddy, DigiCert, etc. But we mostly use GlobalSign / GlobalSign API for cert ordering. I'm hoping to have an easy/secure way to renew/order/install certs to the F5 vCMP guests from GlobalSign.

77 Views, 0 likes, 2 Comments

SSL Server Side Profile
I am looking for some help with SSL Server Profiles. I am looking to decrypt/ASM/re-encrypt.

If I connect directly to my backend server, everything works. I have installed the CA cert and configured my SSL client.
If I set my backend connections to HTTP and do not apply an SSL server profile, everything works.
If I then add a custom SSL server, with a parent profile of serverssl, I then switch to a pool of HTTPS and get an HTTP error 404. The requested resource is not found.
If I remove the server SSL profile and move back, everything is fine.

I'm unsure what, if anything, I am missing. Should I, under configuration >> certificate >> key Server Authentication Server certificate >> required >> Trusted cert authorities (what cert do I need here)? Any help would be greatly appreciated.

62 Views, 0 likes, 3 Comments

Question on configuring SNI clientSSL Profile
Hi Experts, I have a question on configuring the SNI SSL profile. Suppose I have 3 different certificates and 3 SSL profiles to be attached to the VIP to configure SNI.

https://www.securesite1.com ClientSSL1 > Default SSL Profile for SNI
https://www.securesite2.com ClientSSL2
https://www.securesite3.com ClientSSL3

To enable SNI, we configure the Server Name, and Default SSL Profile for SNI will be checked on the SSL profile ClientSSL1, and then we assign the profile to a virtual server. How about the other 2 SSL profiles, ClientSSL2 & ClientSSL3? For the other SSL profiles, do I need to type the name of the HTTPS site in the Server Name box, or can it be left blank?

Solved. 177 Views, 0 likes, 1 Comment

Certificate expiry monitoring
Hello Everyone! Would like to ask how you monitor your certs in your F5s? We would like to monitor the certificate expiry on our F5. I am checking our logs on LTM but it seems that the normal certs are not being logged. I only see cert bundles. Can you share how you monitor the certs' expiry on F5?

201 Views, 0 likes, 2 Comments