Forum Discussion
SSHSSH_97332
Nimbostratus
Mar 04, 2013
F5 VS always responding to PING
I have a virtual server that always responds to ping even if the real server is down. How can I prevent that?
I actually have 2 VSs doing that... one is forwarding and the other is standard.
13 Replies
- Ajmal_2608
Nimbostratus
Here you go.........
- hoolio
Cirrostratus
I think the GUI option to disable or enable ICMP on the virtual address is static. The option to advertise the route can be configured dynamically based on the virtual server(s) status.
Here's a workaround for now:
In current versions of BIG-IP (up to v11.3), a virtual server always responds to ICMP queries due to a variety of different commands that LTM can apply even though the backend servers could be down.
The following solution has been created to prevent LTM from responding to ARP (and therefore ICMP) when a specifically defined pool has no available members.
Important Note: This solution is configuration specific and should be validated every time there is a system upgrade or a sync between the HA pair.
Please open a support case and ask to have your case attached to this request for enhancement:
Bug 414380 - Add options to selectively respond to ICMP requests based on Virtual Server status
For now, you could do this using a user_alert.conf script which looks for a "no members available for pool" message and disables ARP on a corresponding virtual server address.
Solution description
This solution uses the /config/user_alert.conf file to locate the /var/log/ltm error message that there are no available pool members for a specific pool and then issues a command to disable ARP for a specific virtual address.
Here is an example of the /config/user_alert.conf file with the customizable portions highlighted.
alert http_pool-down "No members available for pool /Common/http_pool" {
    exec command="tmsh modify ltm virtual-address 10.64.96.68 {arp disabled}; tmsh save sys conf"
}
alert http_pool-up "Pool /Common/http_pool now has available members" {
    exec command="tmsh modify ltm virtual-address 10.64.96.68 {arp enabled}; tmsh save sys conf"
}
Notice that we have an alert handler for pool members becoming available as well so that ARP on the virtual address will be enabled again.
This configuration could be duplicated for each pool and virtual address combination that you want to disable/enable ARP for.
Adding a new service (virtual/pool) to configuration
Attached is a command flow of adding a new service to this solution:
Locate the pool name and virtual-address of the service we are adding to the current running configuration
Edit the /config/user_alert.conf file and add the following lines:
alert POOL_NAME-down "No members available for pool FULL_POOL_NAME" {
    exec command="tmsh modify ltm virtual-address VIRTUAL_ADDRESS_IP {arp disabled}; tmsh save sys conf"
}
alert POOL_NAME-up "Pool FULL_POOL_NAME now has available members" {
    exec command="tmsh modify ltm virtual-address VIRTUAL_ADDRESS_IP {arp enabled}"
}
Validate the configuration:
Open an SSH session to the BIG-IP and run: tail -f /var/log/ltm
Send a continuous ping to the virtual address
Take down all pool members in the new pool
Watch for the following message: No members available for pool FULL_POOL_NAME
Validate that the ping no longer gets a response; additionally, go to the virtual address configuration and validate that ARP is disabled.
Bring back up all pool members
Watch for the following message:
01010221:3: Pool /Common/http_pool now has available members
Validate that the virtual is now answering pings; additionally, go to the virtual address configuration and validate that ARP is enabled again.
Copy the /config/user_alert.conf file to the standby device manually:
scp /config/user_alert.conf Standby-MGMT-IP-address:/config
Troubleshooting issues with solution
How can I access the iRule logs?
Using an SSH terminal to log in to the LTM device, the log resides in:
/var/log/ltm
Using the GUI, the logs reside at: System > Logs > LTM
Using a syslog server
The ARP has not been disabled on the virtual address, why?
Is the log message caught in /var/log/ltm identical to the statement inside /config/user_alert.conf?
Note: If the pool name or text syntax is different, the alertd alert handler would never trigger.
ARP is disabled on the virtual address but pings are still answered. Why?
Validate that there is no other listener on the BIG-IP answering for that IP address (e.g. SNAT); search the bigip.conf file.
Aaron
- Samir_Jha_52506
Noctilucent
Thanks Aaron.
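As an added example (not code from the thread or from F5), the following POSIX shell script generates the two alert stanzas for one pool/virtual-address pair and dry-runs the message match that alertd performs against constructed /var/log/ltm lines, so the pool-name mismatch raised in the troubleshooting section is caught before relying on the handler. It assumes the braceless form tmsh modify ltm virtual-address <ip> arp disabled and spells out save sys config; the sample log lines and the mcpd pid are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the user_alert.conf stanza for
# one pool/virtual-address pair and dry-runs alertd's message match against
# constructed /var/log/ltm lines, so a pool-name mismatch is caught up front.

# Emit the down/up alert pair. POOL is the full path (/Common/http_pool); the
# short name prefixes the alert names, which must be unique within the file.
# Assumes the braceless form: tmsh modify ltm virtual-address <ip> arp disabled
gen_alert_stanza() {
    pool="$1"; vaddr="$2"; short=${pool##*/}
    printf 'alert %s-down "No members available for pool %s" {\n' "$short" "$pool"
    printf '    exec command="tmsh modify ltm virtual-address %s arp disabled; tmsh save sys config"\n' "$vaddr"
    printf '}\nalert %s-up "Pool %s now has available members" {\n' "$short" "$pool"
    printf '    exec command="tmsh modify ltm virtual-address %s arp enabled; tmsh save sys config"\n' "$vaddr"
    printf '}\n'
}

# Print the name of the alert in CONF whose quoted text occurs in LOGLINE, or
# "none". alertd treats the text as a regular expression; these patterns have
# no metacharacters, so a literal substring test reproduces its decision.
alert_for_line() {
    conf="$1"; logline="$2"; hit=none
    while IFS= read -r line; do
        case $line in alert\ *\"*\"*) ;; *) continue ;; esac
        name=${line#alert }; name=${name%% *}
        pattern=${line#*\"}; pattern=${pattern%\"*}
        case $logline in *"$pattern"*) hit=$name ;; esac
    done <<EOF
$conf
EOF
    printf '%s\n' "$hit"
}

conf=$(gen_alert_stanza /Common/http_pool 10.64.96.68)
# Constructed sample /var/log/ltm lines; the third one names a different pool
# (http-pool), the kind of one-character mismatch that leaves ARP untouched.
log_down='Mar  4 10:12:01 bigip1 notice mcpd[6231]: No members available for pool /Common/http_pool'
log_up='Mar  4 10:15:44 bigip1 notice mcpd[6231]: 01010221:3: Pool /Common/http_pool now has available members'
log_other='Mar  4 10:20:09 bigip1 notice mcpd[6231]: No members available for pool /Common/http-pool'

printf '%s\n\n' "$conf"
for l in "$log_down" "$log_up" "$log_other"; do
    printf '%s -> %s\n' "${l##*: }" "$(alert_for_line "$conf" "$l")"
done
```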