F5_Jeff
Mar 02, 2017

GTM WIP is disabled but website is still accessible?

Hi all,

 

We have 2 GTMs deployed in two different data centers. All are synced. However, when I disable the pool and the WIP, we can see that the WIP is still accessible and the public IP is still answering.

Is this normal behavior? Or should it be that when the WIP is disabled, access to the site is also disabled?

To prevent access to the site, we have to disable the virtual servers in the LTM.

Thank you everyone for the response.

 

3 Replies

  • There are 2 settings that could be related to the problem you have. The first is in DNS -> Settings -> GSLB -> Load Balancing, and is called "Verify Virtual Server Availability". The second is in the GTM pool configuration, called "Verify Member Availability". Both are enabled by default.

    However, I just tested that if you disable the wide IP, those options are not relevant, as expected. If you disable the wide IP, it should stop replying with an IP for that wide IP.

    DNS uses many caches, from your operating system to browsers, etc. To exclude caching from the problem, use dig or nslookup to query the GTM's listener directly. If you get a reply, something is wrong. If you don't, the problem is very likely to be caching.

    Also very important, but I don't think it applies to this case, is something called link or DNS prefetching.

    https://support.f5.com/csp/article/K13930

     

  • Hi,

    When you create a wide IP, if the alternate or fallback load balancing method is "Return to DNS" and the primary LB method fails, then the request is sent to the DNS server of the GTM VS (created when you created a listener).

    If the GTM is configured with an F5 IP address, then the GTM listener sends the DNS request to the local BIND.

    When you create a wide IP, each pool member is added to the BIND configuration as an A record for the wide IP name. You can see the BIND configuration in the "Zone Runner" menu.

    You can see that GTM responds with only one IP address (default behavior, can be changed); when all members are down, BIND responds with multiple values (all wide IP members).

     

  • On your DNS profile, set "Unhandled Query Actions" -> drop. This is "allow" by default. Changing to "drop" will prevent the F5 from answering the WIP.
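
The check suggested in the first reply (query each GTM listener directly to rule out caching), combined with the second reply's observation that a BIND fallback returns every member rather than one IP, can be scripted as follows. This is an added example, not code from any poster or from F5; the function names, verdict labels and the sample `dig` output are constructed for illustration.

```shell
#!/bin/sh
# Usage: ./check_wip.sh <wide-ip-fqdn> <listener-ip> [<listener-ip> ...]
# Queries go straight to each listener with recursion off, so no resolver,
# OS or browser cache can supply the answer.

# classify_dig_output: read full `dig` output on stdin, print one verdict.
#   no-reply       nothing came back (timeout; a dropped query looks like this)
#   no-answer      listener replied, but with no A records
#   single-answer  one A record (GTM's default is one IP per reply)
#   multi-answer   several A records (reply 2: BIND returning all members)
classify_dig_output() {
    cdo_out=$(cat)
    # dig prints a ->>HEADER<<- line for every DNS reply it receives.
    if ! printf '%s\n' "$cdo_out" | grep -F -q -e '->>HEADER<<-'; then
        echo no-reply
        return 0
    fi
    # Count A records inside the ANSWER section only.
    cdo_n=$(printf '%s\n' "$cdo_out" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/                  { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" { n++ }
        END { print n + 0 }')
    case "$cdo_n" in
        0) echo no-answer ;;
        1) echo single-answer ;;
        *) echo multi-answer ;;
    esac
}

# Constructed sample (documentation addresses): a reply listing two members.
sample_multi_answer() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
www.example.com. 30 IN A 192.0.2.10
www.example.com. 30 IN A 198.51.100.10

;; Query time: 2 msec
EOF
}

# Only touch the network when a name and at least one listener are given.
if [ "$#" -ge 2 ]; then
    wip=$1; shift
    for listener in "$@"; do
        verdict=$(dig "@$listener" "$wip" A +norecurse +tries=1 +time=2 2>&1 | classify_dig_output)
        printf '%s\t%s\t%s\n' "$listener" "$wip" "$verdict"
    done
fi
```

Run it against both data centers' listeners after disabling the wide IP: `single-answer` or `multi-answer` from a listener means the GTM itself is still answering, while `no-answer` or `no-reply` from every listener points at caching somewhere between the client and the GTM.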