18-Apr-2023 04:19
Hi - I have 2 F5s and the second F5 has a TCP app as pool member
F5 (1) - has the F5 (2) VIP as pool member - and it has a TCP health monitor
F5 (2) - has a TCP app as pool member - the VIP is a standard VIP
Problem -
The TCP monitor set on F5 (1) is opening connections on the backend pool member of F5 (2).
Question - is there a way to stop the TCP monitor at the virtual server on the second F5?
Thanks
18-Apr-2023 05:32 - edited 18-Apr-2023 05:32
On the TCP monitor, check to see whether you have the transparent setting enabled (it's usually disabled by default):
list ltm monitor tcp tcp transparent
ltm monitor tcp tcp {
adaptive disabled
transparent disabled
}
18-Apr-2023 14:55
I tried with Transparent set to Yes - but same result - the connection makes its way back to the pool, and even in the pool statistics the counters increase.
Question - I am also using AFM on the F5 - can I use an AFM policy to block more than 3 SYN packets per 6 seconds?
18-Apr-2023 16:03
Apologies, I wasn't clear. I meant to say that you'd want the transparent setting to be *disabled* (not enabled). If it's already disabled, then leave it as is.
Having thought about this more, I don't think there is a way to stop this behaviour due to the full proxy architecture of a standard virtual server. When F5(1) connects to the F5(2) virtual server, F5(2) will subsequently send SYN packets to the back-end pool member.
With regards to AFM, you can create a tcp-syn-flood DoS profile and apply it to a virtual server, but I believe you can only rate limit on a per second basis (e.g. 1000 SYN packets per second or 100 SYN packets per second per client source IP).
18-Apr-2023 17:03
Thanks for your response.
The problem I am facing is that a TCP health monitor starts consuming application ports, and the application is sensitive in that way -
a client is only allowed to open 1 port, and in this case client F5 (1) is using up ports, causing the application to NOT connect.
A TCP half monitor is good - but I cannot force external clients to use TCP half.
I need a way to block the TCP full monitor from getting to the application.
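As an added example (not code from the thread or from F5), the tmsh configuration on F5 (1) for the two monitor types discussed above: the standard TCP monitor with the transparent setting the second reply recommends, and the tcp-half-open monitor the last post calls "good". The half-open monitor sends a SYN, waits for the SYN-ACK and answers with a RST, so the client-side handshake on F5 (2)'s full-proxy virtual server never completes and there is no established connection for F5 (2) to proxy to the application. All object names, the pool member address 10.1.1.10:8443 and the interval/timeout values are assumptions.

```tmsh
# Added example; object names (mon_f5_2_tcp, mon_f5_2_half, pool_f5_2_vip)
# and the pool member 10.1.1.10:8443 are assumptions, not values from the thread.

# 1. Standard TCP monitor: completes the full 3-way handshake with the F5 (2)
#    VIP. 'transparent disabled' is the default and what the reply above
#    recommends, but it does not stop F5 (2) from opening a server-side
#    connection to the application once the client-side handshake completes.
create ltm monitor tcp mon_f5_2_tcp {
    defaults-from tcp
    interval 5
    timeout 16
    transparent disabled
}

# 2. tcp-half-open monitor: SYN, SYN-ACK, then RST. The handshake with the
#    F5 (2) virtual server is never completed, so the full proxy has no
#    client-side connection to bind to a pool member.
create ltm monitor tcp-half-open mon_f5_2_half {
    defaults-from tcp_half_open
    interval 5
    timeout 16
}

# 3. Pool on F5 (1) whose only member is the F5 (2) VIP, using the
#    half-open monitor instead of the full TCP monitor.
create ltm pool pool_f5_2_vip {
    members add { 10.1.1.10:8443 }
    monitor mon_f5_2_half
}

# Checks: which monitor the pool uses, and the transparent setting of the
# full TCP monitor (the same check the second reply suggests).
list ltm pool pool_f5_2_vip monitor
list ltm monitor tcp mon_f5_2_tcp transparent
```

This only changes what F5 (1)'s health monitor sends; it does nothing for real clients that reach the application through F5 (2), which is the limitation the last post describes.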