pool
55 TopicsTCP RST instead of Server Hello during SSL Handshake
Hi All, Been troubleshooting an issue with a customer after they made changes server side to disable SSLv2 and SSLv3 etc and to only accept ciphers for TLS1.1 and TLS1.2 By default they were using the standard default https monitor for their pool and post making changes server side (i don't have access) the node is now not coming up. HTTP is fine but HTTPS is a problem. We're running BIG-IP 11.4.0 (Build 2434.0) I'm wondering if he's only enabled ciphers which aren't available in the current version of Big-IP we are using Here's the SSLDUMP (cipher set to ALL): 1 1 - 1444809450.0879 (0.0024) C>SV3.1(114) Handshake ClientHello Version 3.1 random[32]= 56 1e 0a ea e4 11 03 df d1 77 92 83 da ec 1d 44 21 65 c2 20 97 25 40 53 75 d6 e5 c2 6b 1d 96 65 cipher suites TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Unknown value 0x46 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xff compression methods unknown value NULL 1 - 1444809450.0884 (0.0004) S>C TCP RST3.6KViews0likes2CommentsiRule to Forward Traffic Based on URL Name
Hi, I am in a situation where we have shortage of IP address and am looking for an alternative way to forward traffic to pools based on URL. I am not really good with iRule hence looking for assistance and I have seen posts based on URI, but i am looking for assistance with URL. Eg: 1 VIP and based on the url name, the traffic needs to be forwarded to Pool. Help on this is appreciatedSolved3.4KViews0likes10CommentsIrule with elseif and pool selection
Hello, I'm trying to write an irule that routes traffic to a specific pool based on the host. I think I'm fairly close, but I can't figure out the following error: 01070151:3: Rule [test-pool-selection] error: line 5: [undefined procedure: elseif] [elseif] when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { if { [HTTP::host] starts_with "abc" } { pool ss-devsp3-pool } elseif { [HTTP::host] starts_with "def" } { pool ss-devsp3-pool-81 } elseif { [HTTP::host] starts_with "ghi" } { pool ss-devsp3-pool-82 } } }2.3KViews0likes6CommentsMySQL active connection never bleed off to other pool member
I am running galera MySQL behind F5 with performance Layer 4 type and i have setup 3 mysql node in pool member with Priority so only 1 mysql node will be used and other two will be standby. So everything was good but i found today when i shutdown Primary node which was active and i found my application break and when i have checked logs found: (2006, "MySQL server has gone away (error(104, 'Connection reset by peer'))") So solution was restart application, look like active member mysql connection not bleeding off to other pool member, what is wrong with my setup?1.5KViews0likes13CommentsiRule to close an established connection
I have tcp (not http) based service where client connections are permanent. By that I mean that once a connection to a pool member gets established its stays there 24x7. The pool has 2 pool members configured with priority group. The first pool member has priority 2 and the second one priority 1, with a Less than '1' value for Priority Group Activation. The pool also has the setting of 'Reject' for 'Action On Service Down'. That takes care of any scenario where a pool member is marked down by health monitors. Whenever a highest priority pool is marked down by health monitors all established connections to that pool members get closed automatically. The client applications immediately try to reconnect and get established connections to the second pool member with the lower priority. So far, everything is exactly what we want to accomplish. The challenge comes when the higher priority pool member is marked up/available once again. We're looking for an automatic way to close the already established connections to the lower priority pool member as soon as the higher priority pool member becomes available. Is there a way to do so? Not sure what event I should use for an already established connection. First ones that came to mind were LB_SELECTED and CLIENT_ACCEPTED. So far, I've tried the following options without any results: when LB_SELECTED { if { [LB::status pool poolname member 10.0.0.1 80 ] equals "up" and [IP::addr [LB::server addr] equals 10.0.0.2] } { reject } } when LB_SELECTED { if { [LB::status pool poolname member 10.0.0.1 80 ] equals "up" and [IP::addr [LB::server addr] equals 10.0.0.2] } { LB::reselect pool poolname member 10.0.0.1 } }1.3KViews0likes5CommentsGather a list of virtuals and or pools that are offline state and provide duration
Hi, I am looking for a way in tmsh to provide a list of offline VIPs/pools. In addition to that, I want to know how long they were offline. I know I can sift through the LTM logs but that will take too long for what I want to accomplish. If I go to the GUI, I can list a set of VIPs/Pools based on 'offline' status, however it does not provide duration, just shows the current state.1.2KViews0likes10Commentspool members can't connect to another Virtual Server
Hello, for sure this is a problem already addressed but I have an issue with a client that is part of a pool behind a Vip. If from this client I attempt a connection to another Vip I get no response while the connection works in case I make the connection to my Vip. My client route to the Vip network is the F5 interface. Is there something wrong? I am attaching a diagram that is maybe better than a thousand words....Solved735Views0likes3CommentsOCSP health monitor
Hey Guys, Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done. I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored. Any help is appreciated. Thanks699Views0likes7Commentsirule to redirect based on HTTP header
Hi guys, I am not a professional coder and Im trying to find and start to develop a irule to redirect our HTTP request to a especific pool, but cant find nothing similar to start a new one. Our LTM receives from the browser an HTTP header with this information: VALIDADOR_USER: 10\r\n (I take it just equals from the wireshark, the number is random 10-27) I want to try a code that will take it number from VALIDADOR_USER and load balance to 4 diffent pools. i.e.: if VALIDADOR_USER: 10 or 11 or 12 or 15 > pool_1 if VALIDADOR_USER: 16 or 17 or 18 or 19 > pool_2 if VALIDADOR_USER: 20 or 21 or 22 or 23 > pool_3 if VALIDADOR_USER: 24 or 25 or 26 or 27 > pool_4 I wonder if its possible to do something based on comparing this values through datagroups and if it matches the LB will be trigged.. Please, can you guys give me a help ? Regards, Cadu.699Views0likes1CommentMonitoring ephemeral pool members & nodes
Hi, I'm looking to use the dynamic FQDN resolution for nodes / pool members, but have a few queries... If an Ephemeral pool member goes down, does that failure trigger anything on the DNS / Node side? Immediate resolution in case the result has changed etc.? Resolution appears to be wholly at the node level, suggesting the health of the pool member is irrelevant, and always limited to the IP's returned periodically by the DNS lookup attached to the node - and "DNS monitoring" merely means a resolution occured. The documentation about "auto populate" is confusing me. What is the real life difference between Enabled and Disabled? I see that when Disabled, the very first result is always used, however it still creates the Ephemeral node, it's still done periodically etc., so the only meaningful difference seems to be if more than one A is returned at a time. There's reference to Enabled removing members that are no longer being returned, but isn't that already implicitly true for Disabled? If that one result changes, then the pool member will change accordingly. Is it really any more meaningful than "Disabled = ignore additional results, Enabled = create nodes for all answers."? What would it mean for a node to auto populate, but a pool member using that node to NOT be set to do that? I see we only get a single pool member, but multiple nodes... but what is the consequence of this? Is there a reason this would be found useful? How does the node resolution internal work with the DNS Cache option in the system settings? The reoslution does use these settings, right? Would it make sense to set the resolution low ~ 5 seconds and enable caching on LTM, meaning that the name would be resolved almost as soon as the TTL expires on the record, thereby falling out of the cache? Could this be seen as a realistic best practise, or are there dragons hiding around here? Setting node resolution at an arbitrary hour interval as per default seems very dangerous to me. Thanks!696Views0likes3Comments