Forum Discussion

Tatiana_Titova_
Mar 05, 2019

STATISTIC_SERVER_SIDE_CURRENT_CONNECTIONS in BIG-IP 12.1.1?

Hello, I have a pool of two pool members in my DNS/GSLB/Pools pool. The routing is based on topology, which is based on source IP. My version is BIG-IP 12.1.1. I am using the PowerShell GlobalLBPoolV2 commandlet set_member_enabled_state to disable one pool member when I need to do some maintenance on the server. This works fine and new connections are going where I want them to go. How can I determine programmatically that the existing connections have drained out? Looks like in the older version there was STATISTIC_SERVER_SIDE_CURRENT_CONNECTIONS based on this link https://devcentral.f5.com/articles/icontrol-apps-04-graceful-server-shutdown.

I tried calling get_member_statistics, but I am not sure if the return object has the information I need. The goal is to disable the pool member and wait for the existing connections to drain.

  • There is a pretty good DevCentral post on this HERE but I'll copy/paste the important info which is:

    tmsh show sys connection is the basic starting point, but if that's all you specify, you'll see all the connections - which is probably much more output than you want. You need to specify additional information about the endpoints you care about if you want to limit the output. I think of them as filters in a sense - they limit the output to only things that match. The ones I primarily use are:

    cs-client-addr - the (client) source IP address on the clientside of the connection

    cs-client-port - the (client) source port on the clientside of the connection

    cs-server-addr - the (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address)

    cs-server-port - the (server) destination port on the clientside of the connection (i.e. the Virtual Server port)

    ss-client-addr - the (client) source IP address on the serverside of the connection (i.e. the SNAT address)

    ss-client-port - the (client) source port on the serverside of the connection (i.e. the SNAT port)

    ss-server-addr - the (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)

    ss-server-port - the (server) destination port on the serverside of the connection (i.e., the Pool Member port)

    You can mix/match these options as necessary to isolate the connections you are interested in. The more pieces of information you specify, the narrower your focus will be, and the smaller your output will become. So for example, this command would show me all connections from client 100.1.1.1, to any Virtual Server assigned address 10.1.1.0, that were load-balanced to Pool Member 192.168.1.1:9999:

    tmsh show sys conn cs-client-addr 100.1.1.1 cs-server-addr 10.1.1.0 ss-server-addr 192.168.1.1 ss-server-port 9999

    I have noticed over multiple TMM releases that the ss-client-addr and ss-client-port do not work, despite being available according to the command help. That was frustrating, since quite often these connection points are very important. However I just confirmed they do work in 11.2.1HF10. So depending on what version you're running, you may not see the SNAT address in the output. I think you can also append the all-properties option which should include that output, like this. Unfortunately, the output is not formatted as nicely:

    tmsh show sys conn cs-client-addr 100.1.1.1 cs-server-addr 10.1.1.0 ss-server-addr 192.168.1.1 ss-server-port 9999 all-properties

    Understanding exactly which points in the connection flow correspond to the cs-client-addr, ss-server-port, etc... options can be very, very helpful in isolating connections in the connection table.

    Hope that helps! If it does please up-vote and select this answer, it would be greatly appreciated!

    -Dylan
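
The filters described in the answer above, combined into a drain check for one pool member. This is an added example, not part of the original post: the function names are hypothetical, it assumes it runs in the BIG-IP's bash shell where tmsh is available, and the row-matching rule is an assumption about the output layout.

```shell
#!/bin/bash
# Added example (not from the thread): wait for a pool member to drain.
# Assumption: each connection row from "tmsh show sys connection" has at least
# four fields and starts with an address:port field; header/footer lines do not.

# Count connection rows in tmsh output read from stdin.
count_rows() {
    awk 'NF >= 4 && $1 ~ /[:.][0-9]+$/ { n++ } END { print n + 0 }'
}

# Accept only digits-and-dots addresses and ports 1-65535, so a caller-supplied
# value is never passed to tmsh as some other keyword.
valid_member() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] 2>/dev/null && [ "$2" -le 65535 ]
}

# Print the number of serverside connections to addr:port.
# Returns 2 on bad input and 3 if tmsh itself fails, so a failed query is
# never mistaken for "zero connections".
member_connections() {
    local out
    valid_member "$1" "$2" || return 2
    out=$(tmsh show sys connection ss-server-addr "$1" ss-server-port "$2") || return 3
    printf '%s\n' "$out" | count_rows
}

# Poll until the member has no connections.
# usage: wait_for_drain ADDR PORT [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 when drained, 1 on timeout, 2 if the count could not be read.
wait_for_drain() {
    local addr="$1" port="$2" timeout="${3:-300}" interval="${4:-5}" waited=0 n
    while :; do
        n=$(member_connections "$addr" "$port") || return 2
        [ "$n" -eq 0 ] && return 0
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}
```

For example, `wait_for_drain 192.168.1.1 9999 600 10` polls every 10 seconds for up to 10 minutes; treat any non-zero return as "do not start maintenance yet".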

    • Tatiana_Titova_

      Hello Dylan, thank you for the reply. Do you know if tmsh can be run remotely? As far as I know I am not allowed to log onto the BIG-IP system, I am not an admin. I run PowerShell commandlets remotely from my PC.

       

    • Dylan_375544

      Yes, you can use TMSH remotely. Log into the BIG-IP via CLI, then just type tmsh. If you can't do that, and can only use iControl (via commandlets), I think you can just run TMSH commands from there, so they should work normally still.