Disable / enable an irule via an irule
We have an existing F5 LTM / ASM sandwich configuration in place and I ran into an issue with a few apps. Basically, in our ltm/asm sandwich you have the initial vip that terminates ssl etc. and has a pool that sends traffic to the asms. The asms would then inspect and send the data back to the same originating ltm (separate vip with serverssl enabled), then down to the web servers. That initial vip will have server ssl enabled as well, so I use an irule to disable that server ssl:
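when CLIENT_ACCEPTED {
    # asm_pool and server_pool are placeholder pool names
    set asm_enabled "true"
    if { ([active_members asm_pool] >= 1) and ($asm_enabled eq "true") } {
        # ASM path: send cleartext to the ASMs, so turn off server-side SSL
        SSL::disable serverside
        pool asm_pool
    } else {
        # Fallback path: serverssl stays enabled, traffic goes straight to the servers
        pool server_pool
    }
}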
So if the asm pool would fail, the ltm would just send to the server pool versus the asm. Since the vip has the serverssl enabled, it would be sending encrypted as configured.
Now what I have found is that some initial vips have other irules enabled, like for snat and other custom settings. The solution in an ltm/asm sandwich is just to move the irules to the second ltm vip that sends the traffic to the servers. However, if the asms would fail and the initial vip would then just send to the web servers, the irules that were moved to the second vip would not exist.
So to put it into a picture:
asm pool up: client --> f5 ltm vip1 (only irule is the asm pool check) --> asm pool --> f5 ltm vip2 (snat irule in place) --> web server pool
asm pool down: client --> f5 ltm vip1 (asm pool check only, no snat irule since it was moved to vip2) --> web server pool
So is there a way to add a condition where if the asm pool failed then irule::enable irule snat, using my example drawing above?
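One way to get the behaviour asked about, shown as an added example that is not part of the original post: instead of toggling a second iRule, fold the vip2-only settings into the fallback branch of the vip1 iRule. The pool names are placeholders, and `snat automap` is an assumption standing in for the poster's SNAT iRule, whose contents are not shown.

```tcl
# Added example for vip1 (not the poster's iRule).
# Assumptions: asm_pool / server_pool are placeholder pool names, and
# "snat automap" stands in for whatever the SNAT iRule on vip2 does.
when CLIENT_ACCEPTED {
    if { [active_members asm_pool] >= 1 } {
        # ASM path: vip2 applies SNAT and re-encrypts, so vip1 only
        # disables server-side SSL and hands off to the ASMs.
        SSL::disable serverside
        pool asm_pool
    } else {
        # Fallback path: traffic skips the ASMs and vip2, so vip1 has to
        # apply the settings that normally live on vip2.
        snat automap
        pool server_pool
        # Record that this connection bypassed ASM inspection so the
        # condition is visible in /var/log/ltm and can be alerted on.
        log local0.warning "asm_pool has no active members on [virtual name]; sending direct to server_pool"
    }
}
```

Any other custom logic that was moved to vip2 would go in the same `else` branch, so both paths end up with the same settings applied exactly once.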