Querying SNMP data for half-open connections on a virtual server
Hello,
I’m trying to monitor the embryonic/half-open connections for a particular VS on my F5 load balancer using SNMP.
I’ve read several articles, including ‘K00560557: Using SNMP information related to SynCookie Protection for monitoring potential Syn Flood attack or Unexpected Traffic spikes’ and ‘K25162232: How to get the Virtual Server state using SNMP polling.’ but I did not find how to do it.
Could you please guide me on how to retrieve this information?
I don't think there are SNMP MIBs for monitoring half-open connections, but you can check in Pools: there is a TCP Half Open monitor that can be applied.
The f5networks.f5_modules.bigip_monitor_tcp_half_open module can be used to manage F5 BIG-IP LTM TCP half-open monitors. This module is part of the f5networks.f5_modules collection version 1.27.1 and requires BIG-IP software version 12 or higher. Some parameters of the module include:
description: A string describing the monitor
interval: An integer that specifies how often the monitor instance will run
ip: An IP address that is part of the IP/port definition
The protocol used, the age of the connection, and which traffic management microkernel was used:
protocol   age   tmm        used
tcp        14    (tmm: 6)   none
How to delete a connection from the F5 BIG-IP connection table?
To delete active connections in the BIG-IP connection table you can key on any of the property values. For example, if I wanted to delete all connections a user was initiating to the BIG-IP, I would specify the user's IP as the client-side client address, like this:
TMSH command to delete all connections initiated from a specific client IP
TMSH command to delete ALL connections in an F5 BIG-IP - Careful, you're going to kill EVERY session.
tmsh delete /sys connection
Make sure you check out the "all-properties" option; it has a load of great information, including how many bits the connection has pushed, and its age and idle timeout. Let's take a look at the output:
TMSH command to show all details about a particular connection, including how much traffic (bits in and out) a connection has used
tmsh show /sys connection cs-client-addr 172.10.50.20 all-properties
Thank you for the detailed information and the helpful links.
It’s good to know about the known bug and its fix in version 11.6.x. However, I am not affected by bug K15973 as I am running version 15.1.10.
I appreciate the suggestion to use the TCP Half Open monitor. I understand that this monitor would help in monitoring the connections between the virtual server and the pool nodes. However, my main interest is in monitoring the connections between the clients and the virtual server. A SYN flood attack would cause issues on the load balancer itself, not on the backend nodes.
I also appreciate the commands to view and delete active connections. I have used the following command to check the number of connections:
Although there are 1000 established connections, my main interest is in half-open connections, as these are the ones that trigger the SYN cookie mechanism. According to the documentation, these half-open connections appear as "Current SYN Cache" in the output of the show ltm virtual <virtual> command.
Just to clarify, is there a specific OID or SNMP method to directly monitor the number of half-open connections between the clients and the virtual server, or would the TCP Half Open monitor still be the best approach to track this metric?
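An added example (mine, not part of this thread or of F5's own tooling) that takes the approach the reply above points at: since the thread finds no SNMP object for half-open connections, scrape the "Current SYN Cache" counter from `tmsh show ltm virtual <virtual>` output and raise an alert when it passes a threshold or SYN cookies are active. The sample output is constructed and only modelled on the real layout; the label names and the "not-activated" status string are assumptions, so the parser keys on labels rather than column positions.

```python
import re

# Constructed sample modelled on `tmsh show ltm virtual vs_web` output.
# The exact layout on a real BIG-IP may differ; only the labels matter here.
SAMPLE_OUTPUT = """\
Ltm::Virtual Server: vs_web
------------------------------------------------------------------------
Status
  Availability     : available
  State            : enabled
  Destination      : 10.1.1.10:443

SYN Cookies
  Status                                  full-software
  Current SYN Cache                       4123
  SYN Cache Overflow                      0
  Total Software Accepted                 812
  Total Software Rejected                 15
"""

# Same virtual server in a quiet state (constructed from the sample above).
SAMPLE_QUIET = SAMPLE_OUTPUT.replace("full-software", "not-activated").replace("4123", "12")


def parse_syn_cookie_section(output):
    """Return {label: value} for the 'SYN Cookies' block, or None if the
    block is absent (older releases may not expose these counters)."""
    block = re.search(r"^SYN Cookies\s*$\n(.*?)(?:^\s*$|\Z)", output, re.M | re.S)
    if not block:
        return None
    stats = {}
    for line in block.group(1).splitlines():
        m = re.match(r"^\s*(.+?)\s{2,}(\S+)\s*$", line)   # "<label>   <value>"
        if m:
            label, value = m.groups()
            stats[label] = int(value) if value.isdigit() else value
    return stats


def half_open_alert(output, threshold):
    """Return (current_syn_cache, alert). Alert is True when the half-open
    count exceeds the threshold or SYN cookie protection is already active,
    which means the SYN cache has overflowed at least once."""
    stats = parse_syn_cookie_section(output)
    if stats is None or "Current SYN Cache" not in stats:
        raise ValueError("no 'Current SYN Cache' counter in this output")
    current = stats["Current SYN Cache"]
    active = stats.get("Status", "not-activated") != "not-activated"  # assumed status string
    return current, (current > threshold or active)
```

Run it periodically (for example from a cron job that captures `tmsh show ltm virtual <virtual>` over SSH) and feed the returned tuple to whatever alerting you already use.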