iCongo_Live_Dev
Mar 18, 2011

F5 reboot when restarting a server from the pool

Hi everyone,

This iRule will still send traffic to an unavailable server in the pool, which causes a SYN flood. We were told this by support: "Using the LB::reselect iRules command without a limiting mechanism may result in a SYN flood". We're not sure how to limit LB::reselect.

Can somebody confirm that the following script is free of issues?

when HTTP_REQUEST {
    # Check if there is already a cookie
    set urlPath [HTTP::path]
    if { [string match "/VTSFlashClientCacheWeb/*" $urlPath] } {
        log local0. $urlPath
        HTTP::header replace Host "www.vts.com:8180"
        pool vts_8180
    } elseif { [HTTP::cookie "TARGETNODE"] != "" } {
        # Cookie value is "<pool> <address> <port>"
        set cookieContent [split [HTTP::cookie "TARGETNODE"]]
        log local0. "Set node to [lindex $cookieContent 0] [lindex $cookieContent 1] [lindex $cookieContent 2]"
        pool [lindex $cookieContent 0] member [lindex $cookieContent 1] [lindex $cookieContent 2]
    }
}

when HTTP_RESPONSE {
    if { [HTTP::cookie "TARGETNODE"] != "" } {
        HTTP::cookie remove "TARGETNODE"
    }
    set poolServer [LB::server]
    if { $poolServer != "vts_8180 10.0.0.23 8180" } {
        # extract domain name from host to set cookie domain
        set cookiedomain ".vts.com"
        set header_host [HTTP::host]
        for {set i 6} {$i > 1} {incr i -1} {
            set tmp [getfield $header_host "." $i]
            if { $tmp ne "" and $i > 2 } {
                set cookiedomain $tmp
                incr i -1
                set cookiedomain ".[getfield $header_host "." $i].$cookiedomain"
                break
            }
        }
        HTTP::cookie insert name "TARGETNODE" value [LB::server] path / domain $cookiedomain
    }
}

when LB_FAILED {
    HTTP::cookie remove "TARGETNODE"
    LB::reselect
}

  • Without looking at your iRule, I know there is an issue with LB::reselect and SYN floods from experience.

    Check out this wiki on LB::reselect. It has some sample code you may be able to use.

    http://devcentral.f5.com/wiki/default.aspx/iRules/LB__reselect.html

    It also has a link to AskF5 SOL10386 - Using LB::reselect iRules command without a limiting mechanism may result in a SYN flood

    https://support.f5.com/kb/en-us/solutions/public/10000/300/sol10386.html

    Hope it helps!
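
One way to add the limiting mechanism that the support note in this thread asks for, as an added example that is not part of the original posts and not F5's sample code: a per-request counter caps how often LB_FAILED may call LB::reselect. The ceiling of 3, the variable names `max_retries`, `retries` and `limit`, and the 503 response are assumptions.

```tcl
when CLIENT_ACCEPTED {
    # Assumed hard ceiling on reselect attempts per request
    set max_retries 3
}

when HTTP_REQUEST {
    # Reset per request: a keep-alive connection carries many requests
    set retries 0
}

when LB_FAILED {
    # Never retry more often than there are pool members currently marked up
    set limit [active_members [LB::server pool]]
    if { $limit > $max_retries } { set limit $max_retries }

    if { $retries < $limit } {
        incr retries
        log local0. "LB_FAILED: reselect $retries of $limit in pool [LB::server pool]"
        LB::reselect
    } else {
        # Stop here instead of looping: each further reselect opens
        # another server-side SYN toward the pool
        log local0. "LB_FAILED: retry limit reached, answering 503"
        HTTP::respond 503 content "Service temporarily unavailable"
    }
}
```

When combined with the iRule posted above, the counter reset belongs at the top of its existing HTTP_REQUEST event and this LB_FAILED event replaces the unbounded one.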