

shefys_208480
Jul 09, 2015

Disable ICMP echo reply for the VIP based on the number of active members in the pool

Hi,

Based on the info about user_alert.conf I tried to come up with a redundancy solution for my needs. I made a script which will turn off ICMP echo reply for the anycast VIP when fewer than half of the members in the pool are active. It is a kind of poor man's redundancy solution: I'm detecting the VIP state from the router by ICMP echo. If the ping fails, the router withdraws the route from BGP and it gets replaced by the other site's anycast VIP route.

The question is: did I select the right approach to this problem?

Here is my bash script:

cat web3-member_2.sh
#!/bin/bash
POOLNAME="web3_external"
MINACT="3"

# Number of currently active members, taken from the "Current Active Members" line of the pool stats
NOACT=$(tmsh show ltm pool "$POOLNAME" members | grep "Current Active" | cut -d: -f2 | xargs)

# Guard against an empty or non-numeric value; an empty $NOACT would make the -lt test fail with an error
case "$NOACT" in
    ''|*[!0-9]*)
        echo "$(date): ERROR- could not read the active member count for pool $POOLNAME" >> /root/web3_pool_script.log
        exit 1 ;;
esac

if [ "$NOACT" -lt "$MINACT" ]; then
    echo "$(date): FAIL- Number of active nodes for pool $POOLNAME is $NOACT which is less than minimum active $MINACT" >> /root/web3_pool_script.log
    tmsh modify ltm virtual-address 172.21.21.100%2003 icmp-echo disabled
else
    echo "$(date): PASS- Number of active nodes for pool $POOLNAME is $NOACT which is equal or greater than minimum active $MINACT" >> /root/web3_pool_script.log
    tmsh modify ltm virtual-address 172.21.21.100%2003 icmp-echo enabled
fi

Here are the file permissions (0755):

-rwxr-xr-x 1 root root 907 Jul  8 19:49 web3-member_2.sh

user_alert.conf config:

alert web3-external-member-trigger "Pool /Common/web3_external member" {
exec command="/config/web3-member_2.sh"
}

The idea is that alertd will react to both kinds of alerts:

1) Pool member monitor marks it as down:

Jul  8 19:44:50 bigip2 notice mcpd[6468]: 01070638:5: Pool /Common/web3_external member /Common/web3-ts1:8080 monitor status down. [ /Common/tcp: down ]  [ was up for 28hrs:14mins:38sec ]

2) Administrator manually disables/enables the pool member:

Jul  8 18:16:18 bigip2 notice mcpd[6468]: 01070639:5: Pool /Common/web3_external member /Common/web3-ts4:8080 session status forced disabled.
Jul  8 18:16:29 bigip2 notice mcpd[6468]: 01070639:5: Pool /Common/web3_external member /Common/web3-ts2:8080 session status enabled.

3) TBD

Additional question: After executing the script, do I need to save the system config by executing "tmsh save sys conf"?

Thanks!
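The following is an added example, not the poster's script and not F5 code, showing a fail-safe version of the same check. It differs from the posted script in three ways a practitioner would want: an empty or non-numeric member count leaves the VIP untouched instead of aborting the `-lt` test, concurrent runs (alertd starts one process per matching log line, and a member flap produces several lines at once) are serialised with a lock, and the VIP is only modified when its icmp-echo value actually needs to change. It assumes that `tmsh show ltm pool <pool> members` prints a `Current Active Members : N` line (the line the poster greps for), that `tmsh list ltm virtual-address <addr> icmp-echo` prints the property as `icmp-echo enabled|disabled`, and it uses hypothetical log and lock paths; the `SAMPLE_STATS` block is constructed so the parsing can be exercised off-box.

```shell
#!/bin/bash
# Added example, not from the original post. See lead-in for assumptions.
POOL_NAME="${POOL_NAME:-web3_external}"
VIP_ADDR="${VIP_ADDR:-172.21.21.100%2003}"
MIN_ACT="${MIN_ACT:-3}"
LOG="${LOG:-/var/log/${POOL_NAME}-icmp.log}"            # hypothetical path
LOCK_DIR="${LOCK_DIR:-/var/run/${POOL_NAME}-icmp.lock}"  # hypothetical path

# Constructed sample of the pool stats block (assumed tmsh output format),
# used for the off-box dry run when tmsh is not installed.
SAMPLE_STATS='------------------------------------------------------------------
Ltm::Pool: web3_external
------------------------------------------------------------------
Status
  Availability     : available
  State            : enabled
  Reason           : The pool is available
  Monitor          : /Common/tcp
  Minimum Active Members : 0
  Current Active Members : 2
         Available Members : 4
             Total Members : 4
'

# parse_active_count: read the stats block on stdin and print the integer
# after "Current Active Members". Prints nothing and returns 1 when the
# line is missing or not numeric, so the caller can treat that as unknown.
parse_active_count() {
    local n
    n=$(sed -n 's/^[[:space:]]*Current Active Members[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# decide_icmp COUNT MIN: print the icmp-echo state COUNT implies.
# An empty or non-numeric COUNT prints "unknown" and returns 1; the VIP
# must not be toggled on an unknown count.
decide_icmp() {
    local count="$1" min="$2"
    case "$count" in
        ''|*[!0-9]*) printf 'unknown\n'; return 1 ;;
    esac
    if [ "$count" -lt "$min" ]; then
        printf 'disabled\n'
    else
        printf 'enabled\n'
    fi
}

# current_icmp_state: the VIP's configured icmp-echo value (assumed
# "tmsh list ... icmp-echo" output format).
current_icmp_state() {
    tmsh list ltm virtual-address "$VIP_ADDR" icmp-echo 2>/dev/null \
        | sed -n 's/^[[:space:]]*icmp-echo[[:space:]]*\([a-z]*\).*/\1/p'
}

# run_check: one evaluation on the box. mkdir is atomic, so only one
# alertd-spawned copy gets past it; the others log and exit.
run_check() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$(date): another check is running, skipping" >> "$LOG"
        return 0
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT

    local count want have
    count=$(tmsh show ltm pool "$POOL_NAME" members | parse_active_count)
    want=$(decide_icmp "$count" "$MIN_ACT") || {
        echo "$(date): could not read active member count for $POOL_NAME; leaving icmp-echo unchanged" >> "$LOG"
        return 1
    }
    have=$(current_icmp_state)
    if [ "$want" = "$have" ]; then
        echo "$(date): $POOL_NAME active=$count min=$MIN_ACT icmp-echo already $want" >> "$LOG"
        return 0
    fi
    echo "$(date): $POOL_NAME active=$count min=$MIN_ACT -> icmp-echo $want" >> "$LOG"
    tmsh modify ltm virtual-address "$VIP_ADDR" icmp-echo "$want"
}

if command -v tmsh >/dev/null 2>&1; then
    run_check
else
    # Off-box dry run against the constructed sample; nothing is modified.
    count=$(printf '%s' "$SAMPLE_STATS" | parse_active_count)
    echo "dry run: active=$count min=$MIN_ACT -> icmp-echo $(decide_icmp "$count" "$MIN_ACT")"
fi
```

Two caveats that apply to the posted script as much as to this one. First, alertd runs the exec command as root, so the script file must stay owned by root and not be writable by anyone else (the 0755 root:root mode shown in the post is fine; a group- or world-writable file would let a less privileged local account run commands as root via mcpd log lines). Second, `tmsh modify` changes only the running configuration; the icmp-echo value persists across a reboot or config reload only if `tmsh save sys config` is run afterwards, so decide deliberately whether a state derived from live monitor results should be saved at all.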

1 Reply

  • Updated script:

    Define the correct variables per application:
    POOL_NAME = the pool name for the application
    VIP_MONITOR_ADDR = IP address of the application's Virtual Server VIP
    MIN_ACT = minimum number of active members in the pool to declare the pool active

    #!/bin/bash
    POOL_NAME="web4-internal-pool"
    VIP_MONITOR_ADDR="172.25.40.99%4004"
    MIN_ACT="3"

    # Number of currently active members, from the "Current Active Members" line of the pool stats
    CUR_ACT=$(tmsh show ltm pool "$POOL_NAME" members | grep "Current Active" | cut -d: -f2 | xargs)

    # Guard against an empty or non-numeric value; an empty $CUR_ACT would make the -lt test fail with an error
    case "$CUR_ACT" in
        ''|*[!0-9]*)
            echo "$(date): ERROR- could not read the active member count for pool $POOL_NAME" >> /root/${POOL_NAME}-script.log
            exit 1 ;;
    esac

    if [ "$CUR_ACT" -lt "$MIN_ACT" ]; then
        echo "$(date): FAIL- Number of active nodes for pool $POOL_NAME is $CUR_ACT which is less than minimum active $MIN_ACT" >> /root/${POOL_NAME}-script.log
        tmsh modify ltm virtual-address "${VIP_MONITOR_ADDR}" icmp-echo disabled
    else
        echo "$(date): PASS- Number of active nodes for pool $POOL_NAME is $CUR_ACT which is equal or greater than minimum active $MIN_ACT" >> /root/${POOL_NAME}-script.log
        tmsh modify ltm virtual-address "${VIP_MONITOR_ADDR}" icmp-echo enabled
    fi