Apr 18, 2023

tcp monitor - reaching Pool member

Hi - I have 2 F5s, and the second F5 has a TCP app as a pool member.

F5 (1) - has the F5 (2) VIP as a pool member, and it has a TCP health monitor.

F5 (2) - has a TCP app as a pool member; the VIP is a standard VIP.

Problem - 

The TCP monitor set on F5 (1) is opening connections on the backend pool member of F5 (2).

Question - is there a way to stop the TCP monitor at the virtual server on the second F5?

  • On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):

    list ltm monitor tcp tcp transparent
    ltm monitor tcp tcp {
        adaptive disabled
        transparent disabled
    }
      I tried with Transparent set to Yes, but same result - the connection makes its way back to the pool, and even in the pool statistics the counters increase.

      Question - I am also using AFM on the F5 - can I use an AFM policy to block more than 3 SYN packets per 6 seconds?

      • Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.

        Having thought about this more, I don't think there is a way to stop this behaviour due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN packets to the back-end pool member.

        With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).
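As an added example that is not part of this thread and is not F5's own tooling: a small Python script that parses a tmsh `list ltm monitor tcp` listing (the format quoted in the first reply) into per-monitor settings, resolves the `defaults-from` chain, and reports which monitors have transparent enabled. The sample listing below is constructed, the monitor names and the `10.0.0.5:443` destination are made up, and the assumption that a child monitor inherits every key it does not set from its parent is the script's own.

```python
import re

# Constructed sample of `tmsh list ltm monitor tcp` output; not captured from a real device.
SAMPLE_TMSH_OUTPUT = """\
ltm monitor tcp tcp {
    adaptive disabled
    interval 5
    timeout 16
    transparent disabled
}
ltm monitor tcp tcp_child {
    defaults-from tcp
    interval 10
    timeout 31
}
ltm monitor tcp tcp_transparent_test {
    defaults-from tcp
    destination 10.0.0.5:443
    transparent enabled
}
"""

MONITOR_HEADER = re.compile(r"^ltm monitor tcp (\S+) \{$")


def parse_tmsh_monitors(text):
    """Turn the brace-delimited listing into {monitor_name: {key: value}}."""
    monitors = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = MONITOR_HEADER.match(line)
        if header:
            current = header.group(1)
            monitors[current] = {}
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            monitors[current][key] = value
    return monitors


def effective_setting(monitors, name, key, default=None):
    """Resolve a setting through the defaults-from chain.

    Assumption (not taken from the thread): a child monitor inherits every
    key it does not set itself from its parent, recursively.
    """
    seen = set()
    while name in monitors and name not in seen:
        seen.add(name)
        if key in monitors[name]:
            return monitors[name][key]
        name = monitors[name].get("defaults-from")
    return default


def transparent_monitors(monitors):
    """Names of monitors whose effective transparent setting is enabled."""
    return sorted(
        n for n in monitors
        if effective_setting(monitors, n, "transparent") == "enabled"
    )


if __name__ == "__main__":
    parsed = parse_tmsh_monitors(SAMPLE_TMSH_OUTPUT)
    for name in parsed:
        print(f"{name}: transparent={effective_setting(parsed, name, 'transparent')}")
    print("transparent enabled:", transparent_monitors(parsed))
```

Running it against a real listing only tells you which monitors would probe past the virtual server address; as the second reply notes, with transparent disabled the probe still reaches the backend because the standard virtual server on F5(2) proxies it, so the script is a configuration check, not a fix for that behaviour.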