Forum Discussion
F5 LTM TCP traffic can't be meet this require
topology:
client( 30.1.1.1 )------->VS( 200.1.1.100:23)-------------->pool members(router1: 192.168.40.1:23 router2:192.168.40.2:23)
The scenario is as follows: vs 200.1.1.100 vs port 23, pool name pool_web, pool member 192.168.40.1:23 192.168.40.2:23, monitor tcp_22, tcp detects port 22, member is a router, and ssh telnet service is turned on, I found:
The client tries to telnet 200.1.1.100 23. He successfully logs in to the device and can execute network commands. However, when I shut down the router interface, the client will get stuck in telnet. The sys connection created by F5 (30.1.1.1:15332 200.1.1.100:23 30.1.1.1:15332 192.168.40.1:23), the idle timeout of tcp for 300 seconds. The session will be deleted when the timeout expires, and the rest will disconnect the client from the VS
My requirement is that when the router's tcp 22 service is stopped, the existing connection to port 23 is allowed, but when the device interface is down, that is, when the F5 to the router icmp is unreachable, let F5 take the initiative to delete the existing useless session, but the setting of Action On Service Down in the pool reject, drop, and reselect cannot meet this demand
Last year, I came up with a solution. Linux shell can be used for any node, and I can also use icall (the disadvantage is that when add some new pool members, I have to add icall configuration)
The method is to add a ping detection to the Linux shell. If the ping timeout occurs, it will tmsh delete the node session;
you need to pay attention to BIGIP version(V12.1.6 can support nc -z command), some high version(in Centos 7+ system) can not support nc -z
you can use status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?`
#!/bin/sh # # (c) Copyright 1996-2006, 2010-2013 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc. No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software. No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc. Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: //depot/maint/bigip12.1.6/tm_daemon/monitors/sample_monitor#1 $ # # # these arguments supplied automatically for all external pingers: # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # $3 and higher = additional arguments # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # # Name of the pidfile pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" # Send signal to the process group to kill our former self and any children # as external monitors are run with SIGHUP blocked if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile # Remove the IPv6/IPv4 compatibility prefix node_ip=`echo $1 | sed 's/::ffff://'` # Using the nc utility to get data from the server. # Search the data received for the expected expression. # status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?` status=`/usr/bin/nc -w 1 $node_ip -z 22 &>/dev/null;echo $?` ping_result=`ping -c1 -w1 $node_ip &>/dev/null;echo $?` if [ $status -eq 0 ] then # Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" elif [ $ping_result -eq 1 ] then rm -f $pidfile tmsh delete /sys connection ss-server-addr $node_ip ss-server-port $2 &>/dev/null exit fi # Remove the pidfile before the script ends rm -f $pidfile
- xuwenCumulonimbus
Last year, I came up with a solution. Linux shell can be used for any node, and I can also use icall (the disadvantage is that when add some new pool members, I have to add icall configuration)
The method is to add a ping detection to the Linux shell. If the ping timeout occurs, it will tmsh delete the node session;
you need to pay attention to BIGIP version(V12.1.6 can support nc -z command), some high version(in Centos 7+ system) can not support nc -z
you can use status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?`
#!/bin/sh # # (c) Copyright 1996-2006, 2010-2013 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc. No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software. No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc. Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: //depot/maint/bigip12.1.6/tm_daemon/monitors/sample_monitor#1 $ # # # these arguments supplied automatically for all external pingers: # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # $3 and higher = additional arguments # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # # Name of the pidfile pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" # Send signal to the process group to kill our former self and any children # as external monitors are run with SIGHUP blocked if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile # Remove the IPv6/IPv4 compatibility prefix node_ip=`echo $1 | sed 's/::ffff://'` # Using the nc utility to get data from the server. # Search the data received for the expected expression. # status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?` status=`/usr/bin/nc -w 1 $node_ip -z 22 &>/dev/null;echo $?` ping_result=`ping -c1 -w1 $node_ip &>/dev/null;echo $?` if [ $status -eq 0 ] then # Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" elif [ $ping_result -eq 1 ] then rm -f $pidfile tmsh delete /sys connection ss-server-addr $node_ip ss-server-port $2 &>/dev/null exit fi # Remove the pidfile before the script ends rm -f $pidfile
- xuwenCumulonimbus
In simple terms, when the pool member node icmp is unreachable, let F5 actively delete the exists sys session to the node. When tcp_22 is unreachable, mark the node as down, allowing connections to the node that already exist, and assigning new connections to the rest of the pool member
- G-RobEmployee
Are you using a OneConnect profile on this virtual server? This article may explain the behavior:
K45841734: Connection is not reset by Action on Service Down: Reject
- xuwenCumulonimbus
my test environment is one BIGIP-VE, pool members is 3 cisco router(enable telnet and ssh service), VS in standard mode,only have tcp profile, no http profile and no oneconnect profile.
pool member monitor is tcp_22 monitor tcp port 22 service,but pool member service port is 23, if client telnet VS:23, i can exec show ip int brief command,but when i shutdown select pool member cisco interface, i will cause i can not show running and use Enter not affect, terminal is hold 300 seconds until tcp profile timeout default value 300s
Why do I use cisco router to simulate? Because the production environment is F5 working in tcp standard mode(no ssl,no http profile,no oneconnect profile),pool member is nginx, ssl offload is nginx's responsibility, nginx service port is 1080, and f5 detection nginx port is 1081. When nginx adds upstream, the 1081 port service will be closed, and then reload nginx.config(require F5 keeplive nginx established active session,new session send to other green pool member). But if nginx icmp is not available, F5 is required to actively delete the established session of nginx, Avoid holding 300s timeout like cisco router
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com