Disable (Only persistent or active connections allowed) a Pool member through a monitor in v9.x
Hi Guys,
I am trying to disable a pool member in V9.x (primarily for maintenance purposes) without any admin access to the BIG-IP (no https, no ssh, no iControl) based on the content of an object on the target server (i.e. using HTTP monitors).
The requirement is driven by a financial organization that completely locks down access to their F5 estate once the units are in production.
As far as I know there is no way to do this from the GUI (hopefully I am wrong), so I can think of 2 ways to do this:
1. Write up an iRule that on HTTP_REQUEST checks the status of a 'dummy' pool member with LB::status pool and then disables the production pool member with LB::down pool.
2. Write a cron job that checks the status of the 'dummy' member with "b pool my_pool members all monitor" at regular intervals and, if marked down, disables the production members with "b pool my_pool member my_pool_member session disable".
Both methods seem quite cumbersome and not particularly elegant, so I was wondering if anyone has come across a better way of doing this.
Thanks,
Claud
- hoolio
Cirrostratus
...
- hoolio
Cirrostratus
Ask them to lighten up on their requirements... :)
- clazba
Nimbostratus
Yeah sorry, I forgot to mention they are running V9.x (I knew I left something rather crucial out ;) .. AFAIK Receive Disable String only came about in >10.2? Again, hope I'm wrong.
- clazba
Nimbostratus
.. of course if anyone has written an ECV monitor to this purpose it would be good to take a peek ..
- hoolio
Cirrostratus
I think an ECV would be a lot simpler than iRule trickery for this. You could start with this template and make an iControl call from Perl to disable the pool member:
- Hamish
Cirrocumulus
What sort of financial organisation stops admin (including troubleshooting and diags on a production system)? Anyway.. Use a monitor that checks the content. Then arrange the content to return something that marks the pool member down when a particular string is (or isn't) returned.
Also set the pool action on service down to nothing (e.g. Don't reselect or reset :)
- hoolio
Cirrostratus
I think the only difference between marking the pool member down with the pool action on down set to nothing and disabling via iControl is that you can set the node address to disabled to still allow persistent connections with iControl.
- clazba
Nimbostratus
...
- clazba
Nimbostratus
That's right -- we have proven in tests that if a node is marked down by the monitor it won't gracefully drain out existing sessions, hence the hoop jumping exercise ;)