Tag: F5
-
F5 Failover in AWS
F5 requires IMDSv1 in order to initiate failover between two F5 devices. IMDSv1 is susceptible to SSRF vulnerabilities as indicated in the AWS document. If IMDSv1 is disabled in AWS environment for security reasons, F5 failover will not be seamless and the F5 logs will have errors like this: err logger[15542]: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Instance sanity […]
-
F5 – RST or ICMP Packet Rate
You can follow SOL13151 in order to increase the packets/sec value. However, I would caution against doing it or at least recommend keeping the value smaller. The default setting is in place to prevent the F5 from overwhelming its resources by sending out RST. This could potentially end up being a self-inflicted DoS. So, either don’t change […]
-
iRule HTTP Referer
This is a simple iRule that performs redirects based on HTTP Referer: when HTTP_REQUEST { if { ([HTTP::header exists “Referer”]) and ([URI::host [HTTP::header value Referer]] eq”special.com”) } { HTTP::redirect https://www.site.com/special-client/ } else { HTTP::redirect https://www.site.com/generic-client } }
-
F5 – SSL Cert Expiration
K14318 – Identifying expired certs and certs about to expire in 30 days. K15288 – Email reminder for cert expiration. A few one-liners from bash to identify the cert expiration date: Identifying the expiration date from the certificate name: ~ # tmsh list sys file ssl-cert domain.crt | grep expiration expiration-date 1505951999 expiration-string “Sep 20 […]
-
F5 Virtual Server – Order of Precedence
The VS order of predence differs with code version and the tm.continuematching db variable. This tm.continuematching db variable is set to false by default and hence, a lower predence VS does not handle the traffic if there exists an higher predence VS in a disabled state. If the traffic has to be handled by lower […]
-
F5 – Bleeding Active Connections
Scenario: A Virtual Server is load balancing connections to a pool with 2 pool members. During maintenance window, one of the two pool members is disabled and maintenance is completed followed by the other pool member. However, as the users make continuous API calls every 5 seconds, the existing TCP connection never bleeds out. Even […]
-
OneConnect & HTTP Requests
This is a copy/paste of a Q&A in devcentral. I didn’t change it as it is quite descriptive and gets the point across. Current Setup: We are using Cookie Insert method for session persistence. So LTM adds “BigipServer*” Cookie in the http response header with value as encoded IP address and port name. Subsequent requests […]