Forum Discussion
tcp monitor - reaching Pool member
On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):
list ltm monitor tcp tcp transparent
ltm monitor tcp tcp {
adaptive disabled
transparent disabled
}
- awan_m, Apr 18, 2023 (Cirrostratus)
I tried with Transparent set to Yes - but same result - the connection makes its way back to the pool, and even on the pool statistics the counters increase.
Question - I am also using AFM on the F5 - can I use an AFM policy to block more than 3 SYN packets per 6 seconds?
- Apr 18, 2023
Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.
Having thought about this more, I don't think there is a way to stop this behaviour due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN packets to the back-end pool member.
With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).
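As an added illustration of the per-second versus per-window point made above (this is example code, not from the thread or from F5): a sliding-window SYN counter run over constructed timestamps per source IP, showing that a source sending one SYN per second passes a 3-per-second limit but exceeds 3 SYNs per 6 seconds.

```python
from collections import deque

# Constructed sample: (timestamp in seconds, source IP) for observed SYN packets.
# 192.0.2.10 sends one SYN per second for six seconds (slow but steady).
# 192.0.2.20 sends four SYNs within a third of a second (a short burst).
# 192.0.2.30 sends two SYNs ten seconds apart (normal behaviour).
SYN_LOG = [
    (0.0, "192.0.2.10"), (1.0, "192.0.2.10"), (2.0, "192.0.2.10"),
    (3.0, "192.0.2.10"), (4.0, "192.0.2.10"), (5.0, "192.0.2.10"),
    (0.0, "192.0.2.20"), (0.1, "192.0.2.20"), (0.2, "192.0.2.20"),
    (0.3, "192.0.2.20"),
    (10.0, "192.0.2.30"), (20.0, "192.0.2.30"),
]


def flag_sources(events, max_syns, window_s):
    """Return {src: timestamp} for every source that sends more than
    max_syns SYN packets inside any sliding window of window_s seconds.
    The timestamp is the packet at which the limit was first exceeded."""
    per_src = {}   # src -> deque of timestamps inside the current window
    flagged = {}
    for ts, src in sorted(events):
        q = per_src.setdefault(src, deque())
        q.append(ts)
        # Drop packets that fell out of the window ending at this packet.
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_syns and src not in flagged:
            flagged[src] = ts
    return flagged


def compare_limits(events):
    """Run the same traffic against a per-second limit (3 SYN/s, what a
    DoS vector rate limit expresses) and the 3-per-6-seconds rule."""
    return {
        "3_per_second": flag_sources(events, 3, 1.0),
        "3_per_6_seconds": flag_sources(events, 3, 6.0),
    }


if __name__ == "__main__":
    for rule, hits in compare_limits(SYN_LOG).items():
        print(rule, "->", hits or "no source exceeded the limit")
```

The 1 SYN/s source is only caught by the 6-second window, which is why the per-second rate limit cannot express the "3 per 6 seconds" rule asked about.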
- awan_m, Apr 19, 2023 (Cirrostratus)
Thanks for your response.
The problem I am facing is that a TCP health monitor starts consuming application ports, and the application is sensitive in that way -
a client is only allowed to open 1 port - and in this case client F5 (1) is using up ports, causing the application to NOT connect.
A TCP half monitor is good - but I cannot force external clients to use TCP half.
I need a way to block the TCP full monitor from getting to the application.