Forum Discussion
Disable VIP when pool has less than x amount of active servers
Hello,
I use a pair of active/passive BIGIP LTM running version 11.6.0HF5. The LTMs are used to load-balance RADIUS traffic to 5 RADIUS servers. There is only one pool configured on the appliance and it has the necessary health monitors. I have confirmed these work correctly. I understand an iRule could be used to achieve my goal of disabling the VIP when the pool has less than 3 active servers. I'm totally new to iRules so any ideas or pointers will be greatly appreciated.
Thanks in advance for your help!
Luis
7 Replies
- Hannes_Rapp
Nimbostratus
Hello,
If relying purely on an iRule solution, you would have to use a workaround. I'm not aware of any iRule functions that would enable you to disable a VIP entirely. To achieve exactly what you're asking for, at minimum, a combination of an iRule and an iCall script is required.
Perhaps a workaround is better for you?
While a VIP is disabled, F5 will respond to a new connection with a TCP/RST packet. The iRule below will help you simulate a similar behaviour as would occur if the VIP was disabled.
when CLIENT_ACCEPTED {
    # Refuse new connections while fewer than 3 pool members are active
    if { [active_members MyPoolName] < 3 } {
        reject
        log local0. "[IP::client_addr] - Client rejected. Active members of MyPoolName dropped below 3."
    } else {
        return
    }
}
According to what you've said, all you want is to configure F5 so that any new connections are refused as the number of active members drops below 3. If there are other requirements, please specify.
- Luissoler79_138
Nimbostratus
Thanks so much for your response. It is greatly appreciated.
Yes, the goal is to have the F5s reject any new connections over UDP-1812 when the number of active servers in the pool drops below 3. Will the iRule you have so kindly posted also work with UDP traffic?
Regards, Luis
- Hannes_Rapp
Nimbostratus
Yep, it's for IP in general and can be used for TCP as well as for UDP. In the case of a UDP connection, an ICMP Unreachable message will be sent instead of a TCP/RST.
- Luissoler79_138
Nimbostratus
Initial testing was successful. Thank you very much! After my limited testing I did realize I'll also need to ignore/reject traffic for any existing connections. Is there a way to accomplish that?
- Arie
Altostratus
Hannes' solution is technically accurate, but I prefer more generic rules that can be applied to different VIPs.
If you change
if { [active_members MyPoolName] < 3 } {
to
if { [active_members [LB::server pool]] < 3 } {
that'll work for most VIPs.
Note: be careful if an iRule changes the pool, as you could find that you're taking action on the status of a different pool than you intended.
- Luissoler79_138
Nimbostratus
Arie, thanks for the suggestion! This iRule will eventually be used on another LTM cluster which has a different pool name. Generic will be great.
As for my question about ignoring/rejecting existing connections, I'm thinking the easiest way is to ensure the servers remain disabled long enough. Does it sound like I am on the right track?
- Luissoler79_138
Nimbostratus
Ended up using the iRule below. It works well for my purposes. I'd like to thank both Hannes and Arie for the assistance. You guys were dead on!
when CLIENT_ACCEPTED {
    # Refuse new connections while the VIP's current pool has fewer than 3 active members
    if { [active_members [LB::server pool]] < 3 } {
        reject
        log local0. "[IP::client_addr] - Client rejected. Active members of Authentication pool dropped below 3."
    } else {
        return
    }
}
Thanks so much!