Forum Discussion
Steve_Luke_8796
Nimbostratus
Oct 15, 2010
ICMP/TCP Deny on Pool Down
I know this topic was discussed some time ago but I have not yet seen any solid answers, and am wondering if it made it to a feature request.
I want to be able to automatically deny the TCP handshake and/or ICMP on a VS/VIP when the pool members are all down. We use 1 VIP per pool, so it's not a case of multiple apps being affected, but we use a Global Site Selector system that monitors the VIP via either ICMP or TCP. If the pool members are down, these still respond, so our GSS doesn't know to fail over to the opposing data centre.
Has anyone seen any progress on this?
23 Replies
- Steve_Luke_8796
Nimbostratus
I'm sure I checked this with support after my initial post and it wasn't an RFE.
I will try this iRule in our environment also, as we are still with GSS and will be for the next year until we get GTM in.
What I did in the meantime was change the GSS poll to an HTTP HEAD type. This then just acts like a user and sends an HTTP GET to the F5 and consequently to the servers; if there are no servers, the F5 fails the poll. The only issue I had here was with HTTPS polls, so I had to set up a second vanilla VIP called _gss_poll_virtual_server (an HTTP VS) with no dependencies, and an iRule to either accept or reject HTTP requests depending on the active members in the HTTPS pool.
This is frankly a bit of a pain if you have a lot of HTTPS virtuals, but it's easy for the HTTP ones.
I will try the iRule mentioned above and report back; it needs to stop the 3-way handshake completing for a TCP GSS poll or it will not work (as mentioned by Steve@yellowbook). I am also confused by CLIENT_ACCEPTED, as I thought that was post-handshake completion.
- Steve_Luke_8796
Nimbostratus
Duh. Correction: sends an HTTP HEAD. :-)
- steve_87989
Nimbostratus
I'm checking with our account teams to see if they have ideas on how to make this work. Maybe an enhancement request at the end of this tunnel.
- Doug_Snyder_248
Historic F5 Account
You can enable Verified Accept on your TCP profile.
- Steve_Luke_8796
Nimbostratus
So I finally got this to work; I had to upgrade GSS to 3.2 to get the HTTPS HEAD feature (replacing with GTM hopefully later this year anyway!). Here's the iRule I used to give both the GSS answer and maintenance page redirection.
GSS needs to be set to HTTP/HTTPS HEAD, with the path set to /gss. If anyone sees a more efficient way, feel free to chime in.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/gss" } {
        # GSS HEAD probe: answer 200 while the pool has active members, otherwise reset
        if { [active_members [LB::server pool]] >= 1 } {
            HTTP::respond 200 Location "http://"
        } else {
            reject
        }
    } else {
        # real users: send them to the maintenance page when the pool is empty
        if { [active_members [LB::server pool]] == 0 } {
            pool maint_page
        }
    }
}
- Serhat_83351
Nimbostratus
Hi Steve,
At first I didn't realize the original posting date. But if you still have a problem with ICMP, you can check this:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2161191/showtab/groupforums/Default.aspx
- Steve_Luke_8796
Nimbostratus
Thanks Serhat, but I think using HTTP/HTTPS HEAD and the iRule above is way easier and safer. Hopefully I won't have to put up with it for much longer anyway!
- memmanus_60349
Nimbostratus
I know this post is old, but I was wondering if you ever posted the iRule used for this?
- Steve_Luke_8796
Nimbostratus
It's posted above:
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/gss" } {
        # GSS HEAD probe: answer 200 while the pool has active members, otherwise reset
        if { [active_members [LB::server pool]] >= 1 } {
            HTTP::respond 200 Location "http://"
        } else {
            reject
        }
    } else {
        # real users: send them to the maintenance page when the pool is empty
        if { [active_members [LB::server pool]] == 0 } {
            pool maint_page
        }
    }
}
I think I read in the release notes for 11.3 that they are now including a TCP/ICMP deny feature on the VIP.
- memmanus_60349
Nimbostratus
Posted By Jason Rahm on 10/19/2010 08:47 AM
I encountered this as well when I worked with the GSS. My solution was to make the health monitor on GSS TCP only and use an iRule to check for active members in the pool; if none, discard requests from ONLY the GSS source IPs. This worked just fine in my environment.
Posted By Jason Rahm on 10/19/2010 08:48 AM
BTW, for the GSS the discard is important, because ANY TCP response, even an RST, is considered "good".

I know this is kind of late, but do you have an example of this iRule that I can reference?
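The TCP-probe variant Jason Rahm describes, written out as an added example; this is not an iRule posted in the thread and not F5's own code. It assumes two hypothetical objects: an address-type data group named gss_monitors holding the GSS probe source addresses, and the maint_page pool from Steve's rule. It uses drop rather than reject for the probe sources because, as Jason notes, the GSS counts even a RST as a good answer. The caveat Steve raised still applies: under a standard TCP profile the BIG-IP completes the client-side handshake before CLIENT_ACCEPTED fires, so this rule stops the probe connection from going any further but cannot withhold the SYN-ACK itself.

```tcl
# Added example (not from the thread, not F5 code): Jason Rahm's TCP-monitor
# approach. The GSS keepalive is a plain TCP probe against the VIP; when the
# VIP's default pool has no active members, connections from the GSS probe
# sources are silently discarded so the GSS fails the probe, while everyone
# else is steered to the maintenance pool.
#
# Assumed (hypothetical) objects:
#   gss_monitors  address-type data group listing the GSS probe source IPs
#   maint_page    pool serving the maintenance page
# The virtual server needs an HTTP profile for the HTTP_REQUEST event.

when CLIENT_ACCEPTED {
    # Remember the VIP's default pool; after a "pool" command LB::server pool
    # reports whatever pool was last selected on this connection.
    set default_pool [LB::server pool]

    # Only the GSS probe sources get the silent discard. A "reject" would send
    # a RST, which the GSS counts as a good answer, so use "drop".
    # Note: with a standard TCP profile the client-side handshake is already
    # complete when this event runs; drop ends the connection here but does
    # not prevent the SYN-ACK (that is what Verified Accept on the TCP profile is for).
    if { [class match [IP::client_addr] equals gss_monitors] } {
        if { [active_members $default_pool] == 0 } {
            log local0. "pool $default_pool has no active members; discarding GSS probe from [IP::client_addr]"
            drop
        }
    }
}

when HTTP_REQUEST {
    # Real users: application traffic normally, maintenance page when the
    # default pool is empty. Re-check per request, not per connection, so a
    # keepalive connection picks up a pool that comes back.
    if { [active_members $default_pool] == 0 } {
        pool maint_page
    }
}
```

To also withhold the SYN-ACK while the pool is empty, enable Verified Accept on the virtual server's client-side TCP profile (Doug Snyder's suggestion; in tmsh it is the verified-accept setting of an ltm profile tcp): with it enabled, the BIG-IP only answers the client's SYN once it has established a server-side connection, which is a profile setting rather than something an iRule event can do.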