Forum Discussion

Michael_61068's avatar
Michael_61068
Icon for Altocumulus rankAltocumulus
May 30, 2013

Virtual Server down, but still repsonds to ping

Hello,

 

 

We are using BipIPLTM to load balance Internet proxies. We have two geopraphically separate BigIP LTMs providing two Virtual Servers that we use as primary and backup proxies for users. The failover to the backup proxy virtual server is not working as expected becaus even when it is down. It seems that the client machines check if the primarry proxy is up, but doing a 3-Way Handshake. If the connection is successful then the assumption is that the primary proxy is up.

 

The problem is that when the virtual server for the primary proxy goes down, the BigIP LTM still responds to ICMP Ping and to a TCP connection. When we manually connect via telnet to port 80 on the BigIP LTM the get a "connect" message (Meaning 3 way handshake is successful) followed by an immediate disconenction. (See attached screenshot)

 

I would like to understand why the BigIP LTM is still responding to ICMP Ping and TCP when the Virtual Server is down?

 

What is the purpose of this behaviour?

 

Many thanks,

 

basic
getting started
new to f5

5 Replies

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 02, 2013
    I would like to understand why the BigIP LTM is still responding to ICMP Ping and TCP when the Virtual Server is down?about 3 way handshake, it depends on what virtual server type you are using. i understand you are using standard virtual server type.

     

     

    sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types

     

    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html

     

     

    there is "verified accept" setting in tcp profile. you may try to see if it is usable but it is not compatible with L7 feature (e.g. iRule).

     

     

    sol7559: Overview of the TCP profile

     

    http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7559.html
  • Michael_61068's avatar
    Michael_61068
    Icon for Altocumulus rankAltocumulus
    Jun 03, 2013
    Thanks for the explanations. I think that we can find a solution to the problem. Knowing now the different VS types act is the key. St

     

     

    The behaviour to respond ven when all pool members aredown and the Virtual Server is down seems a bit strange, but it seems to be a feaure so "works as designed" I guess. I might help if this was a bit better discribed in the training and documentation.
  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jun 04, 2013
    What about clear ICMP echo in virtual address list configuration ?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 04, 2013
    What about clear ICMP echo in virtual address list configuration ?i understand either unchecking icmp echo (under virtual address setting) or using packet filter would work. anyway, we have to make it automate e.g. action on log, etc.

     

     

    Acton on Log - using the alertd deamon

     

    https://devcentral.f5.com/wiki/advdesignconfig.Acton-on-Log-using-the-alertd-deamon.ashx
  • Michael_61068's avatar
    Michael_61068
    Icon for Altocumulus rankAltocumulus
    Jun 04, 2013
    With the information you have provided we now have a better way of solving the problem with the "verfied accept", or maybe looking at differnet type of virtual server.