Can we disable 2 VIPs in bundle?

Question

Hi, 
&nbsp;  
&nbsp; I have this kind of requirement, 2 different services in 2 different VIPs(VIP1 is for TCP service, VIP2 is for http service). But there are mutual-dependent between these 2 services. So we want F5 do like this: Either of the two services is down, we need to make the 2 VIPs down (disconnect the existing connections and reject all the coming connection requests). Could iRule do this? 
&nbsp;  
&nbsp; Thanks for your good suggestions and help! 
&nbsp;  
&nbsp; Regards, 
&nbsp; Autumn Wang. 
&nbsp;

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; Are the two VIP's on the same IP address pointing to the same servers (just on different ports)?  If so you could use one VIP defined on port 0 (any) and one pool with the members defined on port 0.  You could then configure two monitors--one for each TCP port you want to monitor.  Then set the action on service down to reset so the BIG-IP will send a TCP reset when new requests are made to the VIP.  You'd also want to use IP filters or a simple iRule to verify the requested port was one of the two you want to allow connections on. 
&nbsp;  
&nbsp; Else, if the two VIPs can't be combined into one, you could set up monitors on VIP1's pool1 which check VIP2's pool2 in addition to its own members and then marks VIP1 down if either pool is down.  You would do the same for VIP2's pool2. 
&nbsp;  
&nbsp; The monitor configuration would use the alias address and port options: 
&nbsp;  
&nbsp;  
&nbsp; From the online help: 
&nbsp;  
&nbsp; Alias Address 
&nbsp;     Specifies an alias IP address for the monitor to check, on behalf of the nodes or pool members with which the monitor is associated. The default setting is *All Addresses. If the health check for the alias address is successful, the system marks all associated objects up. If the health check for the alias address is not successful, then the system marks all associated objects down. 
&nbsp;  
&nbsp; Alias Service Port 
&nbsp;     Specifies an alias port or service for the monitor to check, on behalf of the nodes or pool members with which the monitor is associated. The default setting is *All Ports. If the health check for the alias port or service is successful, the system marks all associated objects up. If the health check for the alias port or service is not successful, then the system marks all associated objects down.  
&nbsp; &nbsp; 
&nbsp;  
&nbsp; The downside to this is that I think you can only configure one alias address per monitor.  So you'd need one monitor for pool1 and then another monitor per pool member for pool2.  Likewise, for pool2, you would need one monitor for each of the pool1 members. 
&nbsp;  
&nbsp; As for killing active TCP connections: 
&nbsp;  
&nbsp; The only way I know of to kill active connections to a VIP would be through an iControl script.  You'd need to build an iControl app which checks for a failure state and then deletes all connections to the VIP.  Here is a post with a past discussion on this: (Click here). 
&nbsp;  
&nbsp; Another option might be to build an external monitor script which performs the monitor checks (which the pools would get marked down by) and then calls the iControl script if one of the two pools goes down. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Can we disable 2 VIPs in bundle?

1 Reply

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Certificate Bundle Timestamp Query

Disable vip that is listening on different ports

Creating, Importing and Assigning a CA Certificate Bundle

Disabling Weak Ciphers

VIP-targeting-VIP solution using Standard and performance L4 VS