Config NGINX to F5
Hi everyone, I have VS. NGINX require script to implement at F5 profile but i dont know where I must config at F5 configuration. Here the NGINX requirement : client_max_body_size 5000M; client_body_buffer_size 5000M; client_body_timeout 4024; client_header_timeout 3024; Where I must config that NGINX requirement to the VS in F5 ??? Using profile or irules ?? How to set up ? Thanks
Passive FTP using FTP profile
Hi Community, I have an F5 Big-IP 16.0.1.1 running on AWS with a FTP server behind running vsftpd. The idea is balance passive ftp publically. So, clients should hit public IP of the F5 for passive ftp. This scenario is running perfectly without an FTP profile, just a tcp profile (all ports) and the option pasv_address on the ftp server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentations like (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html ) , but no matter what combination or configuration is implemented on the F5 & the ftp server, if I have the ftp profile the message ("passive mode refused") is always received after request PASV and only works if I use this for internal passive ftp, meaning that I not configure a "pasv_address" on the ftp server, and the client that request the connection is in the same Lan than the F5 & ftp server, resolving everything internally. As a said, i've tried a lot of combinations and settings on the F5 and ftp servers, but nothing works. Could someone give me a little of guidance here? Thanks in advance.
Create client-ssl profile with tmsh error
Hello, i want to add a mass profile creation with tmsh. But always i get the error 010717e3:3: Client SSL profile must have RSA certificate/key pair. I try: create ltm profile client-ssl /Part_123/clientssl_123.xyz.com_1 { app-service none cert /Part_123/clientssl_123.xyz.com_1.crt cert-key-chain add { clientssl_123.xyz.com_1 { cert /Part_123/clientssl_123.xyz.com_1.crt key /Part_123/clientssl_123.xyz.com_1.key chain /Common/Int-CA.crt }} chain /Common/Int-CA.crt key /Part_123/clientssl_123.xyz.com_1.key defaults-from /Common/clientssl_onlyECDHE server-name 123.xyz.com } All partitions and cert and so one exist. I hope you can help me. Cheersmptcp-mobile-optimized and Hardware SYN Cookie Protection
Does anyone know why the TCP protocol profile mptcp-mobile-optimized ships with Hardware SYN Cookie Protection disabled? It is still enabled on tcp-mobile-optimized. Here is a copy of my two profiles, which should be the default: ltm profile tcp mptcp-mobile-optimized { abc disabled app-service none congestion-control illinois defaults-from tcp delay-window-control disabled delayed-acks disabled dsack disabled ecn enabled hardware-syn-cookie disabled init-cwnd 16 limited-transmit enabled mptcp enabled nagle enabled pkt-loss-ignore-burst 0 pkt-loss-ignore-rate 0 proxy-buffer-high 131072 proxy-buffer-low 131072 rate-pace enabled receive-window-size 131072 reset-on-timeout disabled selective-acks enabled send-buffer-size 262144 slow-start enabled timestamps enabled } ltm profile tcp tcp-mobile-optimized { abc disabled app-service none congestion-control high-speed defaults-from tcp delay-window-control disabled delayed-acks disabled dsack disabled ecn enabled init-cwnd 16 limited-transmit enabled nagle enabled pkt-loss-ignore-burst 0 pkt-loss-ignore-rate 0 proxy-buffer-high 131072 proxy-buffer-low 131072 receive-window-size 131072 reset-on-timeout disabled selective-acks enabled send-buffer-size 131072 slow-start enabled timestamps enabled }
tmsh script to change a profile in all virtual servers in all partitions
Inspired by some articles on devcentral ( in special Stop Using the Base TCP Profile! and Rapid iRule Removal via Tmsh Script ), I decided to write a tmsh script to replace a profile for all virtual servers in all partitions. Maybe someone can use it or has any hints for optimization. Example: root@(lab1)(cfg-sync Standalone)(Active)(/Common)(tmos) create cli alias shared changeprofile command "run cli script changeProfile.tcl" root@(lab1)(cfg-sync Standalone)(Active)(/Common)(tmos) changeprofile /Common/tcp /Common/tcp-lan-optimized The /Common/tcp profile was replaced with the /Common/tcp-lan-optimized profile for the following virtuals in partition /Common : The /Common/tcp profile was replaced with the /Common/tcp-lan-optimized profile for the following virtuals in partition /LAB1 : testvip1-http testvip1-https testvip2-https tmsh script: cli script changeProfile.tcl { proc script::init {} { set ::info "Usage: changeprofile IMPORTANT: ALL virtual servers in ALL partitions!" } proc script::run {} { if { $tmsh::argc != 3 } { puts $::info exit 0 } set old_profile [lindex $tmsh::argv 1] set new_profile [lindex $tmsh::argv 2] set all_partitions [tmsh::get_config auth partition] foreach partition $all_partitions { set current_partition "/[lindex [split $partition " "] 2]" tmsh::cd $current_partition set profiles "" set vips [tmsh::get_config /ltm virtual] puts "The $old_profile profile was replaced with the $new_profile profile for the following virtuals in partition $current_partition : " tmsh::begin_transaction foreach vip $vips { set profiles [tmsh::get_field_value $vip "profiles"] if { $profiles contains $old_profile } { tmsh::modify /ltm virtual [tmsh::get_name $vip] profiles delete "{" $old_profile "}" profiles add "{" $new_profile "}" puts "\t[tmsh::get_name $vip]" } } tmsh::commit_transaction } } proc script::help {} { if { $tmsh::argc != 3 } { tmsh::add_help $::info } } proc script::tabc {} { if { $tmsh::argc != 3 } { tmsh::add_tabc $::info } } }F5 Not Functioning With Pulse Secure
Hi All, We have a new set-up of an F5 with two VIPS - one performance layer 4 for https (SSL authentication to the pulse secure appliance), ad another standard VIP on UDP/4500 (for IPSec data traffic). Both Profiles have a source affinity persistence profile mapped to them which has option "Match Across Virtual Server" checked. This is to allow Both VIPS to act as one for Data Traffic. The F5 has also two Gateways configured as self IP's and their respective floating IP's - this is so the pulse uses the F5 as its gateway for internal and external traffic. The routing on the F5 points internal traffic to a default route to a switch in the DMZ which knows the route to the data center - and was being used to route traffic in the old set-up too. What we found with the new set-up was that traffic going to the external port worked fine, but traffic to the internal port on the pulse (routed via the F5 internal gateway) was not working at all. This interface should use its own IP address and initiate a request to Authentication servers, but did look like it was - resulting in users not being able to log into their pule clients (as authentication was failing). In the old set-up the gateways were on two separate switches, and this worked even after we reverted back - we saw users able to connect and log into pulse - where as in the new set-up they couldn't go past the prompt. We believe the issue is only with internal traffic, as external traffic looks fine. We also believe it could be the F5 potentially stopping the traffic from passing but not sure why. Could the profile be changing something in the packet header? Could both VIPs also need to be standard VIPS for this to work ? Has anyone come across an issue like this before ? Best Regards, SabeelHow to attach TCP profile for server/client individually via REST API?
Hi, I was trying to attach the TCP profile to virtual server by REST API. But now what I only can do is to specify the context to "all", then call PATCH on /tm/ltm/virtual/VIRTUALNAME. The content is: {"ipProtocol":"tcp","profilesReference":{"items":[{"kind":null,"name":"VIRTUALNAME","partition":null,"fullPath":null,"generation":0,"selfLink":null,"context":"all"}]}} "Context = all" means I am setting both of the client and server side at the same time. But I would like to set them separately to two different profiles, then I tried context = clientside or context = serverside. Then an error like "Less than the required minimum number of profiles found on VIRTUALNAME: Exactly 1 of (UDP Profile (serverside), TCP Profile (serverside), SCTP Profile (serverside))" was returned. Looks like when only setting clientside/serverside profile, F5 will delete both profiles for clientside and serverside firstly, then update the user's profile. But at that time, the profile is only for server or client, the other part of the profile has been deleted in the previous step, which led to this error. Could anyone help figure out if I am doing in the incorrect way? Or if this might be a bug of setting TCP profiles? Heap thanks.
Persistence Profile Issues
I am having an interesting issue with a persistence profile. It works wonderful in QA but is not working in production. I've created a persistence profile with the following attributes: Parent Profile Universal Mirror Persistence Enabled iRule Enabled and pointed Timeout Enabled and set to 28800 seconds The iRule: when HTTP_RESPONSE { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist add uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } when HTTP_REQUEST { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } In the virtual server instance I then set Default Persistence Profile to this new created profile. This all works wonderfully in QA and the client is persisted to one server based on their cookie value for ASP.NET. The pool names are correct, the cookie exists in both environments etc. but in production, the persistence is not taking place and the client is jumping between servers in the pool. Does anyone have ideas on this one or a path forward to troubleshoot this via clean logging that doesn't inundate the server?
