For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

millencol1n_619's avatar
millencol1n_619
Icon for Nimbostratus rankNimbostratus
Dec 28, 2009

Terminate TCP Sessions

Hi,

 

 

is there a way to actively terminate tcp sessions on the f5.

 

i have the following scenario:

 

 

2 nodes, each listening on port X

 

all traffic should be sent to server A as long its listening on port X

 

server B should only be used when A is not active, and as soon A gets active again all traffic should go to A again.

 

 

i have this running, but the problem is that after A gets online again i have a bunch of tcp sessions going to B, and that sessions do nor get migrated to A neither they time out on server B.

 

 

any ideas?

 

 

thx for your input!
application delivery
dev
devops
iRules

6 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 29, 2009
    I can't think of another way to handle this without a shell script. Maybe someone else has ideas.

     

     

    One option might be to use an external monitor which references a shell script. You could poll the pool members and if server B goes down, delete all its connection table entries using a system call to 'b conn ss server 1.1.1.1:80 delete' where 1.1.1.1:80 is the IP:port for server B.

     

     

    Aaron
  • millencol1n_619's avatar
    millencol1n_619
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2009
    thx, i think it works that way...

     

    one more thing, is it possible to call a shell script out of an irule?
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 29, 2009
    Not directly, but you could log a message and then use a custom user_alert.conf to call a shell script. This is described to some extent in SOL9469 for handling a different issue:

     

     

    SOL9469: A disabled interface is enabled after a reboot or an mcpd process restart

     

    https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9469.html

     

     

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 29, 2009
    If you end up with a working solution, could you reply here with a sanitized example or post it to the Codeshare?

     

     

    Thanks,

     

    Aaron
  • millencol1n_619's avatar
    millencol1n_619
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2009
    i applied the following irule to the virtual server 

     
 when RULE_INIT { 
     set ::count 0 
   } 
  
 when CLIENT_ACCEPTED { 
    if { [active_members pool_a] > 0 } { 
       pool pool_a 
      log local0. "primary active" 
    if { $::count == 1 } { 
        log "clean sessions" 
       set ::count 0 } 
      
    } else { 
       pool pool_b 
  log local0. "secondary active"  
  set ::count 1   
    } 
 } 
 when LB_FAILED { 
    pool pool_b 
  set ::count 1   
  log local0. "Selected member: [LB::server addr]"    
 }

    on the bigip itself i listen for the string 'clean sessions' in the ltm log, which triggers the bigpipe command as descibed in the solution.

    cheers