Technical Forum
tcp monitor - reaching Pool member

awan_m
Cirrus

Hi - I have 2 F5s and the second F5 has a TCP app as pool member.

F5 (1) - has F5 (2) VIP as pool member - and it has a TCP health monitor

F5 (2) - has a tcp app as pool member - the VIP is a standard VIP 

Problem - 

The TCP monitor set on F5(1) is opening connections on the backend pool member of F5(2).

Question - is there a way to stop the TCP monitor at the virtual server on the second F5?

Thanks


4 REPLIES

Michael_Saleem
Cirrocumulus

On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):

list ltm monitor tcp tcp transparent

ltm monitor tcp tcp {
    adaptive disabled
    transparent disabled
}

I tried with Transparent set to Yes - but same result - the connection makes its way back to the pool, and even in the pool statistics the counters increase.

Question - I am also using AFM on the F5 - can I use an AFM policy to block more than 3 SYN packets per 6 seconds?

Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.

Having thought about this more, I don't think there is a way to stop this behaviour due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN Packets to the back-end pool member.

With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).
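The full-proxy behaviour described in the reply above can be reproduced end to end on a single host. The following is an added example and is not code from the thread or from F5: it uses plain asyncio stand-ins for the three parties. `Backend` plays the application behind F5(2) and counts every connection that reaches its port; `StandardVirtualServer` plays F5(2)'s standard virtual server and, as the reply describes, opens a separate server-side connection to the pool member for every client-side connection it accepts (it is assumed here that the server-side connect happens as soon as the client-side handshake completes, with no deferral); `tcp_full_monitor` plays F5(1)'s `tcp` monitor, which completes a three-way handshake and then closes. All ports are ephemeral loopback ports chosen at run time. Running `run_demo(3)` shows that three monitor probes against the virtual server produce three connections on the backend application port, which is exactly the port-consumption problem the original poster describes.

```python
import asyncio


class Backend:
    """Stand-in for the application behind F5(2): counts every TCP connection it accepts."""

    def __init__(self):
        self.accepted = 0

    async def _handle(self, reader, writer):
        self.accepted += 1          # a real connection landed on the application port
        try:
            await reader.read(1)    # block until the peer (the proxy) closes its side
        finally:
            writer.close()

    async def start(self):
        server = await asyncio.start_server(self._handle, "127.0.0.1", 0)
        return server, server.sockets[0].getsockname()[1]


class StandardVirtualServer:
    """Stand-in for a standard (full-proxy) virtual server on F5(2).

    The proxy completes the client-side handshake itself and then opens a
    separate server-side connection to the pool member for every accepted
    client connection (assumed to happen immediately after accept)."""

    def __init__(self, pool_host, pool_port):
        self.pool_host, self.pool_port = pool_host, pool_port
        self.serverside_connections = 0

    @staticmethod
    async def _pump(src, dst):
        # Relay bytes one way; close the far side when the near side hits EOF.
        try:
            while True:
                data = await src.read(4096)
                if not data:
                    break
                dst.write(data)
                await dst.drain()
        finally:
            dst.close()

    async def _handle(self, c_reader, c_writer):
        # The client-side TCP session is already fully established here, so a
        # bare health probe has already "succeeded" from the monitor's point of view.
        s_reader, s_writer = await asyncio.open_connection(self.pool_host, self.pool_port)
        self.serverside_connections += 1
        await asyncio.gather(self._pump(c_reader, s_writer), self._pump(s_reader, c_writer))

    async def start(self):
        server = await asyncio.start_server(self._handle, "127.0.0.1", 0)
        return server, server.sockets[0].getsockname()[1]


async def tcp_full_monitor(host, port):
    """What F5(1)'s 'tcp' monitor does each interval: full handshake, then close."""
    reader, writer = await asyncio.open_connection(host, port)
    writer.close()
    await writer.wait_closed()
    return True


async def _run(probes):
    backend = Backend()
    b_server, b_port = await backend.start()
    vs = StandardVirtualServer("127.0.0.1", b_port)
    v_server, v_port = await vs.start()
    try:
        for _ in range(probes):
            await tcp_full_monitor("127.0.0.1", v_port)
        # Give the proxy a moment to finish its server-side connects.
        for _ in range(100):
            if backend.accepted >= probes and vs.serverside_connections >= probes:
                break
            await asyncio.sleep(0.02)
    finally:
        v_server.close()
        b_server.close()
    return {
        "probes": probes,
        "serverside_connections": vs.serverside_connections,
        "backend_connections_seen": backend.accepted,
    }


def run_demo(probes=3):
    """Send `probes` full TCP health probes at the virtual server; return the counters."""
    return asyncio.run(_run(probes))


if __name__ == "__main__":
    print(run_demo(3))
```

The counters come out equal: every probe that only ever touched the virtual server still cost the application one accepted connection, because the proxy does not know the client-side session was a health check. A half-open probe never completes the client-side handshake, which is why it would not trigger the server-side connect in this model; that is the distinction the thread draws between `tcp` and a half-open monitor.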


Thanks for your response.

The problem I am facing is that a TCP health monitor starts consuming application ports, and the application is sensitive in that way -

A client is only allowed to open 1 port - and in this case the client F5 (1) is using up ports, causing the application to NOT connect.

A tcp half monitor is good - but I cannot force external clients to use tcp half.

I need a way to block the tcp full monitor from getting to the application.