Forum Discussion
Mike_Graston_10
Nimbostratus
Mar 21, 2007
Turning VS off when nodes down
All,
I am having an issue with Virtual servers staying up even when there are no nodes on the back end up and running. I need to make the VIP address not available when this event occurs. I currently use an iRule like this, but this takes effect after the request is accepted. Is there any way to turn down the VIP address so even a ping gets a bad response or timeout?
when CLIENT_ACCEPTED {
    if { [active_members pool1] == 0 } {
        discard
    }
}
19 Replies
- JRahm
Admin
The trouble with disabling ping is that any single IP can potentially host 64k virtual servers. How do you then control the shared behavior if 64k-1 virtuals are available?
- Mike_Graston_10
Nimbostratus
I kind of don't understand what you are asking? I want to basically disable a VIP address / virtual server if all my nodes are down. In the case where the virtual server supports more than one URL, I would think if multiple pools are involved the traffic would pass and the application with the issue would have an issue. In the case where one pool is responsible for multiple URLs, if the nodes equal 0 then the URLs will all be down.
- JRahm
Admin
If monitors mark all your pool members down, the vip will be marked down. If you disable all the pool members, but monitors are still effective, you also need to change the pool member settings to active traffic only. That way, once all active traffic is bled off, the virtual will be marked down.
Basically I was saying, disabling ping is not an option you could bind to the virtual server availability since more than one virtual server is possible on an IP, and this logic rides higher in the stack than icmp.
- JRahm
Admin
Turning off the tcp port is a function of the vip being available or not (assuming it's a port-based vip). Member availability can mean different things based on your settings. If you have 4 members, and you have administratively disabled them, by default, the vip will still be available (i.e., the tcp port is still responding) as long as the health monitors, if applied, are successful. This is because the default behavior of a pool member when disabled is changed from allow all traffic to allow active/persistence connections only. You need to change the setting on the pool member to allow active traffic only in order to get the virtual to a truly down state UNLESS the health monitors are all failing, in which case the virtual will be marked down.
Clear as mud?
- zafer
Nimbostratus
Hello,
If a vip has an http profile and the pool is down,
I can connect to vip port 80,
but if I remove the http profile from the vip it does not accept connections.
So what do I want?
If the vip is down, don't accept connections.
How can I do this?
regards
zafer
- hoolio
Cirrostratus
The BIG-IP will complete a three-way handshake with the client if there is a TCP profile on the virtual server, regardless of the state of the nodes. If you want to reset this connection if no nodes are up, you can try this:
when CLIENT_ACCEPTED {
    # Reset the client connection when the virtual server's default pool has no active members
    if { [active_members [LB::server pool]] == 0 } {
        log local0. "no nodes available for [LB::server pool]. Resetting client connection: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
    }
}
Edit: changed discard to reject. But it seems that reject and discard both cause TMM to send a reset back to the client?!
Aaron
- Salvatore_Berti
Nimbostratus
Hi,
I guess in this way the virtual will still reply to icmp echo requests.
Is there any way you know to completely turn down the ip? To have it not publish its mac, for example?
Would be great.
WAOL
- hoolio
Cirrostratus
I don't think you can prevent the BIG-IP from answering ICMP echo requests for a virtual server address using a rule.
Aaron
- steve_88008
Nimbostratus
is there any way to disable ICMP echo replies from a VS on the LTM?
LTM version 11.2.1 HF 3
- steve_88008
Nimbostratus
I forgot about packet filtering, HA.
Though I suggest denying ICMP to the VS at the firewall.
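An added example, not part of the original thread: a small Python probe that shows, from the client side, the difference the thread turns on between a virtual server that completes the TCP handshake and then resets the connection (what the CLIENT_ACCEPTED iRule does) and a port that refuses the connection outright. The function names and the loopback listener standing in for the virtual server are constructed for illustration.

```python
import socket
import struct
import threading

def classify_vip(host, port, timeout=2.0):
    """Report how a listener treats a new TCP connection, as seen by the client.

    refused              SYN answered with RST: nothing is accepting on the port
    timeout              SYN never answered
    accepted_then_reset  handshake completed, then RST (reset after accept)
    accepted_then_closed handshake completed, then FIN
    open                 handshake completed and the connection stays up
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        try:
            data = s.recv(1)  # wait for the peer's first move
        except ConnectionResetError:
            return "accepted_then_reset"
        except socket.timeout:
            return "open"
        return "open" if data else "accepted_then_closed"
    finally:
        s.close()

def start_resetting_listener():
    """Constructed stand-in for the virtual server: accept, then send RST."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        # SO_LINGER on with a zero timeout makes close() send RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    print(classify_vip("127.0.0.1", start_resetting_listener()))
```

A monitoring check that only tests whether the TCP connect succeeds would report the first case as healthy, which is why the probe waits for the peer's first move after the handshake.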
