For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kirit_Patel_521's avatar
Kirit_Patel_521
Icon for Nimbostratus rankNimbostratus
Dec 30, 2009

disable arp not working

We had a situation where we have virtual servers defined and pools. If the backend servers lets say ip 172.16.34.2 and 172.16.34.5 listening on port 80 were down     But we are still able ...
config
design
L4L7_53191's avatar
L4L7_53191
Icon for Nimbostratus rankNimbostratus
Dec 30, 2009
Yep, you are exactly right. With a standard virtual server, the LTM is in 'full proxy' mode, so you'll get a successful 3-way handshake. The full proxy allows BigIP to do all of its magic, and this particular scenario is an artifact of the architecture. After all, there are perfectly valid reasons to have a virtual server with nothing behind it but you still want it to handle traffic - e.g. a port 80->443 redirection.

 

 

One thing to note when you're doing this type of telnet testing is that as soon as you try and PSH data to the LTM it'll send a RST just like Bhattman's rule does above. His version catches this scenario earlier, and the LTM will RST on the first SYN from the client (I believe - haven't tested with tcpdump to verify this).

 

 

All this being said, it would definitely be nice to have a check-box way to fully disable (at L2) a virtual server when all of the members are down...

 

 

-Matt