Forum Discussion
tcp monitor - reaching Pool member
Hi - I have 2 F5s, and the second F5 has a TCP app as a pool member.
F5 (1) - has the F5 (2) VIP as a pool member, and it has a TCP health monitor.
F5 (2) - has a TCP app as a pool member; the VIP is a standard VIP.
Problem -
The TCP monitor set on F5 (1) is opening connections on the backend pool member of F5 (2).
Question - is there a way to stop the TCP monitor at the virtual server on the second F5?
Thanks
Hi,
Can you test and see whether the tcp_half_open monitor on F5 (1) solves the problem for you, because the standard VS on F5 (2) has to wait for a full TCP 3-way handshake before initiating a connection to the pool member; see: Overview of TCP connection setup for BIG-IP LTM virtual server types (f5.com)
- zamroni777
Nacreous
You can use iRules or a traffic policy on F5_2 to:
if the request comes from F5_1's self IP or mgmt IP, then send a TCP response. Make sure F5_1 has a floating IP so it sends client traffic using the floating IP instead of the self IP.
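An iRule implementing this suggestion on F5_2's standard virtual server, added here as an example rather than taken from any post in the thread. It assumes the monitor probes arrive from F5_1's self IP (192.0.2.10 is a placeholder; replace it with the real address, or use a data group for several) and that real client traffic arrives from F5_1's floating IP, as the post describes:

```tcl
# Added example, not from any poster in this thread.
# Runs on the standard virtual server of F5_2. When the client-side TCP
# handshake has completed, CLIENT_ACCEPTED fires; a plain tcp monitor on
# F5_1 only needs that handshake to mark the member up. Closing the flow
# here means no load-balancing decision is made, so F5_2 never sends a
# SYN to its back-end pool member for monitor probes.
#
# 192.0.2.10 is a placeholder for F5_1's self IP (the source of the monitor).
# For several monitoring sources, replace the literal with a data group, e.g.
#   if { [class match [IP::client_addr] equals monitor_sources_dg] } { ... }
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.0.2.10] } {
        # Monitor probe: answer on the client side only and finish the event.
        TCP::close
        return
    }
    # Anything else (client traffic from F5_1's floating IP) is load balanced
    # to the pool as usual.
}
```

Attach it with `modify ltm virtual <vs-name> rules { <irule-name> }` (names are placeholders). The address check is the whole safeguard: if the monitor and client traffic share a source IP, this rule would close real client connections too, which is why the post insists on a floating IP for client traffic.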
On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):
list ltm monitor tcp tcp transparent
ltm monitor tcp tcp {
    adaptive disabled
    transparent disabled
}
- awan_m
Cirrostratus
I tried with Transparent set to Yes, but same result: the connection makes its way back to the pool, and even on the pool statistics the counters increase.
Question - I am also using AFM on the F5; can I use an AFM policy to block more than 3 SYN packets per 6 seconds?
Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.
Having thought about this more, I don't think there is a way to stop this behaviour due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN packets to the back-end pool member.
With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).