Forum Discussion

mohammed_afzal_
Aug 02, 2018

virtual server/pool to reject first request from clients but accept subsequent requests

This question might be a little vague and I'm quite new to f5. Anyway, is it possible to have a VS or a pool that can reject the first request but the subsequent requests are accepted and routed correctly?

My VS is currently a standard type and I checked the reject type which sounds good but while changing the settings I ran into the error below.

010716d9:3: Virtual server /Test/VS_TEST requires a profile of type http for ltm policy /Test/r_policy.

Also I'm not sure if reject type would even do what I want. Also would it be possible to achieve this by making changes to iRules?

  • Hi,

    You are getting this error because it seems you have an LTM policy configured on the virtual server. You need an HTTP profile on the virtual server if you configure an LTM policy on the virtual server.

    By selecting the Reject type, the HTTP profile is removed from the virtual server, but the LTM policy is still configured. So remove the LTM policy before changing the type to reject.

    Because you do not have an HTTP profile on a Reject virtual server, the virtual server has no knowledge of the HTTP protocol, so an iRule based on (HTTP) requests cannot be configured on the virtual server.

    And the help states the following:

    Reject: Specifies that the BIG-IP system rejects any traffic destined for the virtual server IP address.

    So all traffic is rejected. It does not matter if it is the first or second request.

    Maybe you can explain why you want this kind of configuration.

    Regards, Martijn

    • mohammed_afzal_

      Hey Martijn. Thank you for the explanation. Reject type is not for me then I'm guessing.

      I guess I can give you an example of what I want.

      I have 2 different f5 machines on two different servers (f5_a and f5_b). There will probably be some DNS server that routes requests to either f5_a or f5_b. The routing should switch to the other f5 if something goes wrong with the current f5. So if I close connections to f5_b the DNS server should start routing (switch) to f5_a. Let's say client xyz is connected to f5_b for now. Now, I'm gonna close connections to f5_b so that the DNS server routes client xyz over to f5_a. But if the DNS server decides to route it back to f5_b instead I want f5_b to accept that connection. I hope this helps. I don't even have a starting point so any help is appreciated.

      To close connections -- I've tried disabling the entire VS. This closes the connections but it also does not accept any subsequent connections. I started looking at other options and I found reject on my hunt.

    • MvdG

      Hi,

      You say you have two F5 appliances. Why don't you build an HA pair? This way your virtual server remains active if one F5 appliance fails. And you do not need DNS to switch between the two F5 appliances.

      If an HA pair is not an option, you can take a look at the F5 DNS product. This is a DNS server that provides the IP-address of an application (website) to clients based on the availability of the backend servers.

      So the F5 DNS communicates with the F5 LTM (F5_A and F5_B) via a protocol called iQuery. If something goes wrong on F5_A, F5 DNS is notified and does not provide the IP-address of the application hosted via a VS on F5_A.

      But I would advise you to contact your local F5 reseller so you can figure out what the best solution is for you. Based on your requirements.

      Without full knowledge of your environment, wishes and requirements it is hard for me to give you a complete answer.

      Regards,

      Martijn
