F5er Harry Kleinbourg came up with a great solution for monitoring the availability of BIG-IP APM targets not just based on the availability of the virtual service but also on its ability to handle service based on the licensed session limits.

Goals

The goal of this solution is for BIG-IP GTM to redirect SSL VPN users to an available BIG-IP APM. The BIG-IP APM must be considered down if the number of users reaches the license limit. However, there is not an existing built-in monitor that allows BIG-IP GTM to act on this scenario. The setup:

  • 2 or more datacenters
  • 1 BIG-IP GTM in at least two datacenters
  • 2 or more BIG-IP APM in each datacenter

Solution Target

The solution is to use an external monitor on the BIG-IP APM. The external monitor sends an SNMP request for the apmAccessStatCurrentActiveSessions OID to a local self IP address. This OID returns the number of current active sessions in APM. An iRule checks the pool status and returns an UP/DOWN status to the GTM HTTP monitor. The pool member itself is irrelevant: no traffic is sent to it, and it is just a placeholder for the OID call. Very clever, Harry!

Solution Details

Create an HTTP Monitor in BIG-IP GTM. This monitor is bound to the virtual server that represents the BIG-IP APM listeners.

[Image: apm_availability_1]

The Alias address is the virtual server called VS_Monitoring on the BIG-IP APM. Over on the BIG-IP APM, add the snmp-check external monitor to the system under /config/monitors or via the GUI under System -> File Management -> External Monitor Program File List. Then create the external monitor:

[Image: apm_availability_2]

The value of the variable "result" is the number of current sessions NOT to exceed (i.e., your license limit). If the value is reached, the monitor will be marked down. The alias address is a self-IP address of the BIG-IP APM to monitor (recommendation would be the floating IP in the case of an HA or pair). This is the IP the SNMP get will be sent to. Next, bind the monitor to a pool that will be used in the iRule:

[Image: apm_availability_3]

Add a single member here. Again, this member is not used for traffic, but you need at least one member. Based on that monitor, the pool will have an available member or not, and based on that information, the iRule will send a specific HTTP reply. Now, create the iRule:

   when HTTP_REQUEST {
     # Answer only the health-check URI polled by the BIG-IP GTM HTTP monitor
     if { [HTTP::uri] eq "/monitoring" } {
       set response "Monitoring:OK"
       # The pool has no active member once the external monitor marks it down
       if { [active_members pool_monitoring_apm] eq 0 } {
         set response "Monitoring:NO"
         log local0.info "ERROR, Pool pool_monitoring_apm failed -> No members available"
       }
       # Final HTTP response; sent only here so $response is always defined
       HTTP::respond 200 content $response "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" "Connection" "close"
     }
   }

 

Finally, create the virtual server VS_Monitoring. This is the virtual server that the BIG-IP GTM will check. It only has an iRule resource; no pool is necessary.

[Image: apm_availability_4]

[Image: apm_availability_5]

Now with the solution in place, the BIG-IP GTM monitors the BIG-IP APM over HTTP, and the APM returns a status message of availability based on its own pool status, which in turn reflects the SNMP OID return value. Again, very clever, Harry, and thanks for sharing your solution with the DevCentral community.
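The article does not reproduce the snmp-check program itself. The script below is an added example, not Harry's script or F5 code, of how such an external monitor could compare the OID value against the "result" variable. The community string, the COMMUNITY variable name, the F5-BIGIP-APM-MIB prefix resolving on the box, and the choice to report DOWN when SNMP returns nothing usable are assumptions.

```bash
#!/bin/bash
# Added example (assumed implementation, not the original snmp-check).
# BIG-IP calls an external monitor with the alias IP as $1 (IPv4 arrives
# as ::ffff:a.b.c.d) and the port as $2. Monitor variables such as
# "result" arrive as environment variables. Any output on stdout marks
# the pool member UP; no output marks it DOWN.

COMMUNITY="${COMMUNITY:-public}"   # assumed variable name and value
OID="F5-BIGIP-APM-MIB::apmAccessStatCurrentActiveSessions.0"

# Return the session count from "snmpget -Oqv" output, or fail if the
# output is empty or not a plain non-negative integer (timeout, error).
parse_sessions() {
  local raw
  raw="$(printf '%s' "$1" | tr -d '[:space:]')"
  case "$raw" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$raw"
}

# Print "UP" only while sessions are below the limit. Unparseable SNMP
# output or a missing limit prints nothing, so the member goes DOWN.
monitor_status() {
  local sessions limit="$2"
  sessions="$(parse_sessions "$1")" || return 0
  case "$limit" in
    ''|*[!0-9]*) return 0 ;;
  esac
  if [ "$sessions" -lt "$limit" ]; then echo "UP"; fi
}

main() {
  local ip="${1#::ffff:}" out
  out="$(snmpget -v2c -c "$COMMUNITY" -Oqv -t 2 -r 1 "$ip" "$OID" 2>/dev/null)" || out=""
  monitor_status "$out" "${result:-}"
}

# Run only when invoked the way BIG-IP invokes monitors (IP and port).
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Because the script treats a failed SNMP query the same as a full APM, an SNMP allow-list or community mismatch on the self IP takes the APM out of GTM rotation, so verify the query by hand before binding the monitor to the pool.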