F5 LTM TCP traffic can't be meet this require
topology:
client( 30.1.1.1 )------->VS( 200.1.1.100:23)-------------->pool members(router1: 192.168.40.1:23 router2:192.168.40.2:23)
The scenario is as follows: vs 200.1.1.100 vs port 23, pool name pool_web, pool member 192.168.40.1:23 192.168.40.2:23, monitor tcp_22, tcp detects port 22, member is a router, and ssh telnet service is turned on, I found:
The client tries to telnet 200.1.1.100 23. He successfully logs in to the device and can execute network commands. However, when I shut down the router interface, the client will get stuck in telnet. The sys connection created by F5 (30.1.1.1:15332 200.1.1.100:23 30.1.1.1:15332 192.168.40.1:23), the idle timeout of tcp for 300 seconds. The session will be deleted when the timeout expires, and the rest will disconnect the client from the VS
My requirement is that when the router's tcp 22 service is stopped, the existing connection to port 23 is allowed, but when the device interface is down, that is, when the F5 to the router icmp is unreachable, let F5 take the initiative to delete the existing useless session, but the setting of Action On Service Down in the pool reject, drop, and reselect cannot meet this demand
Last year, I came up with a solution. Linux shell can be used for any node, and I can also use icall (the disadvantage is that when add some new pool members, I have to add icall configuration)
The method is to add a ping detection to the Linux shell. If the ping timeout occurs, it will tmsh delete the node session;
you need to pay attention to BIGIP version(V12.1.6 can support nc -z command), some high version(in Centos 7+ system) can not support nc -z
you can use status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?`
#!/bin/sh # # (c) Copyright 1996-2006, 2010-2013 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc. No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software. No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc. Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: //depot/maint/bigip12.1.6/tm_daemon/monitors/sample_monitor#1 $ # # # these arguments supplied automatically for all external pingers: # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # $3 and higher = additional arguments # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # # Name of the pidfile pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" # Send signal to the process group to kill our former self and any children # as external monitors are run with SIGHUP blocked if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile # Remove the IPv6/IPv4 compatibility prefix node_ip=`echo $1 | sed 's/::ffff://'` # Using the nc utility to get data from the server. # Search the data received for the expected expression. # status=`echo -e "admin" | /usr/bin/nc -w 1 $node_ip 22 &>/dev/null;echo $?` status=`/usr/bin/nc -w 1 $node_ip -z 22 &>/dev/null;echo $?` ping_result=`ping -c1 -w1 $node_ip &>/dev/null;echo $?` if [ $status -eq 0 ] then # Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" elif [ $ping_result -eq 1 ] then rm -f $pidfile tmsh delete /sys connection ss-server-addr $node_ip ss-server-port $2 &>/dev/null exit fi # Remove the pidfile before the script ends rm -f $pidfile