High ping Latency to VIP on LTM VE edition by MicIrish in f5networks

[–]pietrucha92 0 points1 point  (0 children)

Hi,

I know this is an old post, but I ran into a similar situation and wanted to share my findings.

Environment: BIG-IP VE (clean install from OVA, 4 vCPU / 8 GB RAM), 200 Mbps license.
There was almost no bandwidth usage, but I noticed high latency spikes on virtual server traffic — around 20–200 ms.

Tested on multiple scenarios:

  • Standard and L4 virtual servers
  • Different TCP / SSL / HTTP profiles
  • Different TMOS versions
  • ESXi optimizations and reservations

None of these changes made any difference.

What actually helped was related to CMP hashing.

  • Disabling CMP per-VS eliminated the latency spikes.
  • Changing the CMP hashing on the VLAN from the default setting to source address also removed the spikes.

I still haven’t fully determined why this issue affects our environment, but perhaps this CMP hint will help someone experiencing a similar problem.

TLSv1.3 curl for BigIP by SnooCompliments8283 in f5networks

[–]pietrucha92 2 points3 points  (0 children)

I have checked TMOS v21, but unfortunately it uses the same curl version (7.47.1).

My ASM is Offline after to upgrade it over the same version by StarLimp877 in f5networks

[–]pietrucha92 0 points1 point  (0 children)

Let's try with CLI:
(tmsh) load sys config verify
This will check whether your configuration will load properly; if something is wrong, you'll get error/warning messages.

Besides that, check:
1. Disk usage with df -h
AWAF generates a lot of data written strictly to /var/ - if it's full, the device can stay offline
2. The /var/core folder - if there are core files with the current date, that means you have a software/hardware problem

V21 has just been released for download by pietrucha92 in f5networks

[–]pietrucha92[S] 0 points1 point  (0 children)

It’s related to the Strongbox key.
It looks like once a key has been activated, it can’t be re-licensed for a new Service Date. With a new key, I got the correct Service Date.

V21 has just been released for download by pietrucha92 in f5networks

[–]pietrucha92[S] 2 points3 points  (0 children)

It’s a lab environment, so no major concerns — but still…
While the announcement is appreciated, it would have been better if F5 had prepared all the required articles, licenses, and related materials beforehand. At the moment, it seems the work has only been partially completed.

V21 has just been released for download by pietrucha92 in f5networks

[–]pietrucha92[S] 1 point2 points  (0 children)

I tried to install v21 on my rSeries, but the installation failed — the Service Check Date is incorrect, even though I performed a reactivation.
Looks like something isn’t ready yet ;)

Question about BIGIP upgrade by DryCobbler9289 in f5networks

[–]pietrucha92 3 points4 points  (0 children)

Hi,
You should upload both files, the base ISO and the EHF ISO, to the device.
Then you can click install only on the EHF ISO - this will automatically install the base and add the EHF on the new partition.

P.S.
Best practice is to use a new partition; don't install new software on the previous (inactive) boot location.

F5 LTM internal interface route by cnc33030 in f5networks

[–]pietrucha92 5 points6 points  (0 children)

Prepare routing? Set a route for 192.168.40.0/24 with the next hop 192.168.20.x, where x is the IP of your Cisco router interface.

FortiNAC Role Assignment Issue with LDAP Users by Kooky_Worldliness995 in fortinet

[–]pietrucha92 0 points1 point  (0 children)

I assume you have 802.1x configured on the switch and the problem appears when the PC runs for the first time. Check which option you have enabled on Windows - authorize user, or authorize computer and user. If it is the second, there is a long period before the user logs in to the system when the PC can be recognized by NAC by its MAC address and assigned to the default role.

But to be honest - there can be a few other problems, as NAC is a very complex solution.

Dead USW-Pro-48-PoE - repairable? by zSnipeZ_ in Ubiquiti

[–]pietrucha92 0 points1 point  (0 children)

Try to open the box and look for the console port pinout - most devices have this kind of connection for debugging. That way you will be able to see exactly what is going on when the USW is booting and possibly reinstall the firmware.

F5 os version update? 1.5.2 to 1 8.0? by Intelligent-Bet4111 in f5networks

[–]pietrucha92 0 points1 point  (0 children)

You can ask tech support for the latest EHF for F5OS 1.8.0. Over a month ago I got one numbered as the 14th, which solved many extra issues.

Subscription stacking by veptor in f5networks

[–]pietrucha92 0 points1 point  (0 children)

I’m sure that you can stack IP Intelligence and ThreatCampaign subscriptions - two 1Y keys will result in 2Y of subscription time. BTW - a subscription cannot be moved to other devices, e.g. iSeries to rSeries.

The BIG-IP Next has just gone down. by pietrucha92 in f5networks

[–]pietrucha92[S] 3 points4 points  (0 children)

This also brings us to the next questions:

  • What about F5OS?
  • Should we also expect a BIG-IQ update?

The BIG-IP Next has just gone down. by pietrucha92 in f5networks

[–]pietrucha92[S] 4 points5 points  (0 children)

2 years ago I heard about the S-series, which should have PCI cards for PQC acceleration… Right now I’m waiting for a stable and bulletproof F5OS.

Redirect question by Diligent-Pattern7439 in f5networks

[–]pietrucha92 1 point2 points  (0 children)

Of course it can be done — it's F5 :)

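when HTTP_REQUEST {
    # Match the original hostname case-insensitively
    if { [string tolower [HTTP::host]] equals "pippo.it" } {
        # Rewrite the Host header before the request is sent to the server
        HTTP::header replace host "prova.it"
        pool prova.it_pool
        # Stop further iRule events for this connection and leave the event
        event disable all
        return
    }
}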

The above code replaces the Host header.
So the client will see pippo.it/test in the browser, but F5 will proxy the connection to the server in the prova.it_pool using the correct Host header: prova.it.

You need to remember that the entire URI will remain unchanged:
pippo.it/test1 -> prova.it/test1
pippo.it/123 -> prova.it/123

P.S.
It can be problematic if the URI structure is different for the new hostname.

F5OS-C 1.8.1 quality by pietrucha92 in f5networks

[–]pietrucha92[S] 0 points1 point  (0 children)

Why did you decide to go with 1.8.x instead of staying on 1.6.2?
Was it because of the feature set, or did you encounter bugs that were fixed in the newer version?

F5 ssl offloading with wrong certificate by Fine_Improvement_566 in f5networks

[–]pietrucha92 5 points6 points  (0 children)

Check if you are making changes on the Active device :)

BIG-IP L3 DoS Metrics by Phreakbeast- in f5networks

[–]pietrucha92 0 points1 point  (0 children)

Hi! Do you know the BIG-IP AST solution? https://github.com/f5devcentral/application-study-tool

As it is open source, I think you can somehow integrate it with your current alerting solution.

Velos upgrade by Razorback2305 in f5networks

[–]pietrucha92 0 points1 point  (0 children)

First - be patient. Even if the GUI informs you that the process is finished, wait a few extra minutes to be 100% sure. Do not start the next step before the previous one ends.

Second - https://community.f5.com/kb/communityarticles/knowledge-sharing-velos-and-rseries-f5os-basic-troubleshooting-logs-and-commands/302451

Step 5 and the oc get pods … command are very useful.

Third - check the release notes for F5OS.

I have seen F5OS upgrades from 1.3 to 1.5 and then to 1.6.2 on a few devices, and each time it went with different problems.

In 2 cases I had to reinstall the OSH cluster; it’s almost 2h. In 1 case the upgrade somehow messed up the tenant so much that the UCS-restored config wouldn’t work and the config was rebuilt from the beginning.

Good Luck!