Issue Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1]. However, with this new feature you cannot … Read more
Issue When remote authentication is configured it is not possible (out of the box) to configure local user accounts, other than the default admin and root accounts provided. This is also stated within the TMOS Management Guide for BIG-IP Systems, which says: “Excluding the admin account, the entire set of standard user accounts that you … Read more
In order to interact with the F5 via Python the best option available is bigsuds. This is a Python module that allows you to interact with the F5 API iControl via a set of Python classes. Typically you will find all the methods you need to interact with your F5 without issues. However, there … Read more
Problem You may observe both devices, within an F5 HA pair, going into standby-standby when: VLAN Failsafe is enabled on a segment; Route Domains are configured; there is no server present on the given segment; the F5 version is lower than 11.2.0. Reason The reason for this is based around bug id 388270 and also … Read more
Issue When updating the parent profile on a client SSL profile the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile. Consider the following: you have a client SSL profile ‘CLIENTSSL’ with the cert, key and chain configured along with a parent profile set … Read more
What is AAM ? BIGIPs AAM (Application Acceleration Manager) is a set of modules used to optimize web traffic. The modules include : Web Optimization WAN Optimization Profiles – this includes profiles used to deploy various optimization techniques such as SPDY, HTTP compression, OneConnect etc. Bandwidth Controller Rate Shaping Core vs Full AAM comes in … Read more
What is AFM ? Introduced within 11.3, AFM (Advanced Firewall Manager) is a licensed module for the BIGIP appliance that provides stateful firewalling along with reporting and DoS protection. Within this article we will look at AFMs key components and also how it processes traffic. Contexts A context defines the scope of a firewall rule. … Read more
Within this article we will show you the commands to show the status of the serial cable, i.e. whether it is connected, without the need to physically check the device. Commands The following commands show the status that the failover daemon detects on the serial cable from its failover peer. Version Command 10.x b failover … Read more
Issue You may observe GTM Monitors failing with a message of ‘state: timeout’ within the log messages. On further investigation you find that though the GTM is trying to build the connection (i.e. sending the SYN), there is no response (SYN-ACK) from the destination, resulting in the probe attempt failing. Reason The reason for this … Read more
Within this article we will provide you with the steps to upgrade an F5 LTM v10 box to v11. New Device Upgrade Below are the steps if you are going to be upgrading your v10 configuration onto a new device. These steps presume that you already have v11 running on your new device. Verify your … Read more
This cookbook is a collection of iRule tips, hints and solutions that I have discovered and found whilst writing and designing iRules across the years. Contents How do I split a URL and assign them to separate variables ? How do I perform DNS Lookups ? What is the easiest way to Rewrite the uri … Read more
One of the new features, within v11.x of the Traffic Management Operating System (TMOS) is Device Service Clustering (DSC). Over the previous HA (High Availability) features within v10.x, i.e active-standby, connection mirroring etc., DSC also provides the ability to perform, multi-node clustering, Active-Active (and Active-Standby) setup, greater granularity over which data is synchronized Scope Within … Read more
Issue You may observe the GTM being unable to successfully establish a TCP connection when initiating a monitor probe to a given destination. Specifically, the GTM will send the SYN, but you notice the destination not responding with the SYN-ACK. There are 2 reasons that can cause this behaviour. Time-Wait Mismatch This occurs when the … Read more
Issue You may observe the GTM marking the monitor as down even though only a single probe failure has occurred and the timeout has not been reached. Reason When configuring a monitor there are various conditions that are considered by the GTM as a down response. This means that the GTM will mark the monitor as … Read more
Within v11.x of LTM/GTM BigIP certificates are located within a folder called ‘certificate_d’ under the necessary partition folder. i.e /config/filestore/files_d/Common_d/certificate_d By default everything is placed within the common partition folder ‘Common_d’. Below shows an example [email protected]:Active:Standalone] # ls -l /config/filestore/files_d/Common_d/certificate_d total 32 lrwxrwxrwx 1 root root 33 Sep 30 02:52 :Common:ca-bundle.crt_1 -> /config/ssl/ssl.crt/ca-bundle.crt lrwxrwxrwx 1 … Read more
Summary Introduced within TMOS 11.0, AVR (Application Visibility and Reporting) allows you to gather statistics on the performance of applications, such as pool members, virtual servers etc. From within these statistics, analytics such as latency, response times and throughput (to name but a few) can then be viewed via either the WebUI or the … Read more
Problem When using the command “persist uie add” in conjunction with the “node” command within an iRule the F5 issues a RST back to both the client and server. Background Let's look at an example. First we'll look at the configuration and then the resulting behaviour. Configuration You have the following configured, You have persistence … Read more
The auto last hop feature ensures that traffic is sent back via the same hop from which it was sent. This is done by the F5 forwarding traffic to the MAC address of the last hop. The last hop MAC address is recorded within the connection table along with the source and destination addresses.
After finding this funky little command the other day I thought the readers of Fir3net may find it useful. It's especially handy when your LTM/GTM is placed directly onto the public network, i.e. not behind a firewall. Command To restrict access to the Web UI the following command is used, [email protected](Active)(tmos)# modify sys httpd allow … Read more
The F5 offers a number of different ways you can represent your data via iRules such as variables, tables, datagroups and arrays. Within this article we will look at the variables. There are 2 main types of variables, local and global. Local Local variables represent data within your local namespace, and are assigned the … Read more
Introduction RAM Cache is a feature that provides the ability to serve content to your clients directly from the memory of your F5 appliance. This benefits both client and server by reducing response latency and also server load. What is Cached ? Here's a summary, The following items are cached, All 200, 203, 206, 300, … Read more
Issue When viewing the UIE persistence records you observe that the Client Addr field is not populated. [email protected](Active)(tmos)# show ltm persistence persist-records all-properties Sys::Persistent Connections universal – 172.16.100.200:80 – 192.168.1.31:80 ———————————————————– TMM 0 Mode universal Key 8ffa6c0012825a76b3b68d10a9c68ad3 Age (sec.) 4 Virtual Name VS-172.16.100.200-80 Virtual Addr 172.16.100.200:80 Node Addr 192.168.1.31:80 Pool Name POOL-172.16.100.200-80 Client Addr :: … Read more
TACACS+ accounting was first supported within BIG-IP version 10.2.0. Within this article we will show you the commands required to enable this feature. Configure First of all you will need to enable accounting within your authentication settings (this can be found within the GUI under ‘System / Users / Authentication’) modify sys db config.auditing.forward.destination value … Read more
Background “Action on Service Down” defines the action that should be taken once the pool member has been marked as “down” by the associated healthcheck, after it has been selected as the load balancing target for a connection. Configuration To configure “Action on Service Down” go to the GUI and then to ‘Local Traffic / Pools’. … Read more
BACKGROUND In order to maintain persistence between services (such as HTTP and HTTPS) on a single Virtual Server two persistence methods are available: Cookie Hashing and Source IP. In order to perform “true” Cookie (insert) persistence across services an iRule is required. Note : Though cookie persistence (insert) can be performed within the … Read more
Question How do I configure my F5 to equally distribute HTTP requests so that each request goes to a different server ? Answer To ensure that each request goes to a different server rather than all requests for a single connection going to the same server you will need to: Disable CMP Clustered Multi-Processing (CMP) … Read more
Within this article we look at how to rate-limit traffic via the use of an iRule. iRule The Table Command So that we can rate-limit traffic the iRule command ‘table’ is used. The table command (as the name suggests) provides the ability to create, delete, and append tables, along with being able to define timeouts … Read more
One great feature of the F5 Local Traffic Manager is the ability to distribute traffic based on its geographical location. This feature was introduced within v10.1 thanks to F5's partnership with Neustar (previously Quova). The geolocation component uses a (local) IP geolocation database (on the F5) to determine the geographical location of the IP address. To … Read more
Issue You may observe that ICMP response (return) traffic is randomly dropped by the F5. This behaviour occurs when using tagged VLANs and packet-filters on the F5. Below shows the issue in further detail. An ICMP Ping is initiated from the F5 and a packet capture is run. We can see from the Ping that the … Read more
When trying to view your SNMP configuration from within the Web UI you may observe the following error: No object identifier specified in context Solution To resolve this remove the community via bigpipe and save. You will then notice that the SNMP community has been removed via the Web UI. This can then be re-added … Read more
Configuration Files /config/bigip.conf main configuration file containing objects for local application traffic such as pools, virtual servers, pools etc. /config/bigip.license system licenses /config/bigip_base.conf networking components (bigpipe base load) not sync'd for HA setups. /config/bigip_local.conf stores virtual servers for GTM /config/bigip_sys.conf stores the Linux/UNIX configuration objects /etc/alertd/alert.conf defines custom SNMP OIDs. UCS (User Configuration Set) A … Read more
The F5 LTM provides the ability to configure a HA (High-Availability) based setup. Configuring HA ensures that traffic is still processed even in the event of a failure (such as software or hardware). Within this article we will explain and discuss an Active / Standby HA F5 setup. This allows one unit to pass … Read more
When running the BIG-IP LTM (10.2.3) virtual appliance on ESX4 you may observe that only the management interface is seen by the system. [[email protected]:Active] config # b interface showINTERFACEKey Speed Pkts Pkts Drop Coll Bits Bits Errs Trunk Mbps in out in outmgmt UP 100 FD 511 8 0 0 266144 5056 0 Solution To … Read more
Overview The OneConnect feature works with HTTP Keep-Alives to minimize the number of server-side TCP connections by reusing existing connections for further HTTP requests. “OneConnect” has 2 methods. They are: OneConnect Profile and OneConnect transformations. Both of which are explained within this article. HTTP Requests Overview HTTP/1.1 requests – HTTP/1.1 dictates that HTTP Keep-Alive connections … Read more
When running the BIG-IP LTM (10.1) Virtual appliance on ESX4 you may observe the following error message (within the /var/log/message file): Unable to attach to PCI device 02:02.00 for Interface 1.1 This results in both interfaces forming the status of un-initialized and in turn failing to pass traffic. Solution To resolve this define each interface … Read more
Adaptive Reapers Adaptive reapers provide the ability for the system to automatically clear connections at the point of a predefined threshold being reached. This provides both system and connection stability during the point of a Denial of Service attack. At the point memory usage reaches the low water mark threshold (default %85) all half open connections … Read more
Installation and upgrade of software on the F5 LTM is extremely straightforward. Each image is installed onto a slot, the slot can then be upgraded or re-imaged. 1. Transfer Image Create a directory ‘[[email protected]:Active] config # mkdir /shared/images/legacy’ Copy the iso image to the directory ‘/shared/images/legacy’ using scp. Move to the directory ‘[[email protected]:Active] config … Read more
Within this article we will show you the necessary steps required to create a sorry page (containing an image) that will be published when there are no available pool members for the specific VIP (Virtual Server). Note : This example is based upon serving a png image. Encode Image First of the image that will … Read more
The F5 LTM allows for the transmission of syslog messages using TCP connections via the use of the syslog-ng daemon. Syntax In order to configure TCP syslog the following command(s) are used, bigpipe syslog include ‘”destination d_tcp { tcp(\”<SYSLOG IP>\” port(<PORT>));};log { source(local);\ destination(d_tcp);};”‘bigpipe save all Confirmation To confirm the configuration has been added use … Read more
Below provides the steps to rename a virtual server, pool or any other object within the configuration of a F5 LTM. The steps provided involve the editing of the (bigip.conf) configuration file. This file is then verified for any potential issues before it is loaded and committed to the F5 LTM's running configuration. Backup Configuration First … Read more
The following commands are based upon F5 LTM 10.1.0 (and higher) bigpipe bigtop show statistic summary b self show show self IP`s b vlan show show vlans b interface show show interfaces b pool [pool name] show show pool b virtual [virtual name] show show vs b snat list list snats b route domain list … Read more
Via the use of administrative states, the administrator has the power to gracefully select a pool member's state. States There are 3 administrative states: Enabled – This is the default state. All connection types are passed to the pool member and the monitor continues to determine the state of the member. Disabled – Only new connections … Read more
What is an iRule ? iRules are built using a TCL-based scripting language allowing arbitrary manipulation of traffic flowing through the BIG-IP, including real-time modification of defined data. Components of an iRule A typical iRule contains four main components. These are : rule NAME { when EVENT { if { conditional_statement } { action_when_condition_true } … Read more
Below shows a number of iRule examples that you may find useful when creating or deploying iRules on the BIGIP F5 device. For the latest in iRule tips and tricks hop over to our iRule Cookbook – click here WWW redirect This simple iRule redirects any HTTP traffic without the prepending www to a www … Read more
A monitor is a test that the LTM can perform on either a node or member. A monitor typically tests for a specific response within a specified time period. BigIP uses the results of this to decide on whether traffic should be sent to the node or pool member. Types of Monitoring There are 4 main … Read more
Introduction The BigIP F5 provides 2 ways in which SSL is processed. These are: Client SSL – F5 decrypts the encrypted traffic inbound from the client. Server SSL – Traffic is re-encrypted by the F5 then routed onto the backend servers. There are a number of advantages to SSL termination on the F5, which are … Read more
Persistence When an application maintains the session, a persistent session between the client and server must be correctly maintained to ensure the server can continue to process client requests. A typical example is web based shopping carts, this normally requires the user to maintain persistence to a single server during the lifetime of the session. … Read more
The BigIP F5 LTM supports various load balancing methods. These methods are categorized as either Static or Dynamic. Dynamic load balancing methods are considered balancing methods that take the server performance into consideration. This article also explains how the BigIP F5 LTM can balance traffic outside of the fore-mentioned Static and Dynamic balancing methods. Static Round … Read more
Big IP`s F5 LTM offers 2 types of NAT. These are SNAT and NAT. SNAT (Secure Network Address Translation) provides source NAT. The SNAT option ‘Automap’ enables source NAT`ing (SNAT) based on the IP address of the egress interface. NAT (Network Address Translation) – NAT provides a static one to one NAT translation. Configuring SNAT … Read more