Marking a VIP down via an iRule

Question

We have an Exchange cluster that monitors 2 Exchange F5 VIPs (1 F5 VIP in location X, 1 in location Y).

Each of those VIPs has an iRule applied to them, that looks through various conditions and sends the request to respective pools.

The problem is when we do maintenance on location X, we need manual intervention to bring down the VIP in that location, so that the Exchange cluster doesn't send traffic to that VIP.

What we're looking to do, is to somehow build intelligence into the iRule that is applied to this VIP. For example, marking that VIP as down if a particular pool/s are marked as down.

michael_yates · Answer

Hi ant8344, 
&nbsp;  
&nbsp; The easiest way to accomplish what you are looking to do is to create another monitor to apply to the server pool and then require that all Health Checks be successful in order for the server to be considered alive. 
&nbsp;  
&nbsp; In your case you could so something like Enable TCP Print Services (which runs on port 515) on the servers.  Then create a TCP Monitor for that port and apply it to the pool. 
&nbsp;  
&nbsp; So when you want to take a server down for maintenance you stop the TCP Print Services on the server causing the device to fail the health check and be marked down. 
&nbsp;  
&nbsp; Run your maintenance normally and start the service when you are done. 
&nbsp;  
&nbsp; You can do this with an iRule, but I have found that this type of method is more reliable and preferable.  If you are still interested in an iRule approach look here: 
&nbsp;  
&nbsp; disable pool member with an irule 
&nbsp;  
&nbsp; Hope this helps.

ant8344_5401 · Answer

Actually, what we're looking to do is mark a VIP down that does NOT have a pool applied to it.   
&nbsp; Since the VIP only has an iRule applied to it (with various conditions), that VIP will always respond on its port. 
&nbsp; I'm trying to see if there is any way we can have the VIP NOT respond on that port (I'm thinking the only way this is possible is via iRule, if at all). 
&nbsp;  &nbsp;

brian_van_stone · Answer

Assuming I understand your scenario, one exchange talks to two VIPs on your F5, which then direct traffic accordingly. When doing maintenance at the lowest level (the destination) you need to cut out the middle man by stopping the VIP from processing traffic. &nbsp;
&nbsp; If you simply want to not respond at all when the VIP should be marked down, you can drop all packets under the conditions that interest you, although rejecting them would cause the exchange to fail immediately rather than waiting for a timeout, which is probably a better scenario. &nbsp;
&nbsp; if { condition indicating vip needs to be marked down } {    reject 
&nbsp; } else{ 
&nbsp;    do all other processing 
&nbsp; }&nbsp;

ant8344_5401 · Answer

Thanks Brian, the reject is what I was looking for.

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Marking a VIP down via an iRule

4 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Related Content

HTTPS Monitor: receive string with quotation mark

Remove Quotation marks

iRules Style Guide

Mark Server Down on Excessive Errors

Managing Model Context Protocol in iRules - Part 1

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS