Forum Discussion
TCP monitor - reaching pool member
Hi - I have 2 F5s, and the second F5 has a TCP app as a pool member.
F5 (1) - has the F5 (2) VIP as a pool member, and it has a TCP health monitor.
F5 (2) - has a TCP app as a pool member; the VIP is a standard VIP.
Problem -
The TCP monitor set on F5 (1) is opening connections on the backend pool member of F5 (2).
Question - is there a way to stop the TCP monitor at the virtual server on the second F5?
Thanks
On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):

    list ltm monitor tcp tcp transparent
    ltm monitor tcp tcp {
        adaptive disabled
        transparent disabled
    }

- awan_m (Cirrostratus)
I tried with Transparent set to Yes, but same result - the connection makes its way back to the pool, and even in the pool statistics the counters increase.
Question - I am also using AFM on the F5; can I use an AFM policy to block more than 3 SYN packets per 6 seconds?
Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.
Having thought about this more, I don't think there is a way to stop this behaviour, due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN packets to the back-end pool member.
With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).
- zamroni777 (Nacreous)
You can use iRules or a traffic policy in F5_2 to:
if the request comes from F5_1's self IP or mgmt IP, then send a TCP response. Make sure F5_1 has a floating IP so it sends client traffic using the floating IP instead of the self IP.
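One way to implement the suggestion above on the F5(2) virtual server, written as an added example for this thread (it is not code posted by any participant and not an F5 reference configuration). It assumes hypothetical addresses: F5(1) sends its monitor probes from the non-floating self IPs 10.1.10.11 and 10.1.10.12 (both units of an HA pair run their own monitors), while real client traffic from F5(1) arrives from its floating self IP or a SNAT pool and so does not match. The iRule answers the monitor's three-way handshake from the VS itself and closes the connection in CLIENT_ACCEPTED, before a pool member is selected, so the backend member should never see a SYN for the health check:

```tcl
# Added example, not from the original post. Attach to the standard VS on F5(2).
# Assumed (hypothetical) non-floating self IPs of the two F5(1) units:
when RULE_INIT {
    set static::f5_1_monitor_sources [list 10.1.10.11 10.1.10.12]
}

when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED runs once the client-side handshake has completed, which is
    # already enough for a plain TCP monitor on F5(1) to mark the VS up. It also
    # runs before LB_SELECTED, so closing here means no server-side connection
    # is opened to the pool member (assumption to verify, see note below).
    foreach src $static::f5_1_monitor_sources {
        if { [IP::addr [IP::client_addr] equals $src] } {
            log local0.info "Health check from $src answered by VS, not load balanced"
            # Graceful close (FIN). Use 'reject' instead if an RST is preferred.
            TCP::close
            return
        }
    }
    # Any other source (including F5(1)'s floating self IP / SNAT) is
    # load balanced to the pool as usual.
}
```

Verify the effect the same way the original poster noticed the problem: watch the pool member's connection counters on F5(2) (for example `tmsh show ltm pool <pool-name> members`, with your own pool name) and confirm they stay flat while the monitor on F5(1) keeps the VS up. If F5(1) has no floating IP and sends both monitor and client traffic from the same self IP, this match will also short-circuit real client connections, so the floating IP / SNAT requirement in the post above is not optional. If the monitor on F5(1) is configured with send/receive strings, the TCP::close alone will not satisfy it and the rule would need to send the expected response first.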
Hi,
Can you test and see if the monitor tcp_half_open on F5 (1) solves the problem for you, because the standard VS on F5 (2) has to wait for a full TCP 3-way handshake before initiating a connection to the pool member; see: Overview of TCP connection setup for BIG-IP LTM virtual server types (f5.com)