Luissoler79_138
Oct 14, 2015

Disable VIP when pool has less than x amount of active servers

Hello,

 

I use a pair of active/passive BIGIP LTM running version 11.6.0HF5. The LTMs are used to load-balance RADIUS traffic to 5 RADIUS servers. There is only one pool configured on the appliance and it has the necessary health monitors. I have confirmed these work correctly. I understand an iRule could be used to achieve my goal of disabling the VIP when the pool has less than 3 active servers. I'm totally new to iRules so any ideas or pointers will be greatly appreciated.

 

Thanks in advance for your help!

 

Luis

 

7 Replies

  • Hello,

    If relying purely on an iRule solution, you would have to use a workaround. I'm not aware of any iRule functions that would enable you to disable the VIP entirely. To achieve exactly what you're asking for, at minimum, a combination of an iRule and an iCall script is required.

    Perhaps a workaround is better for you?

    While a VIP is disabled, F5 will respond to a new connection with a TCP/RST packet. The iRule below will help you simulate a similar behaviour as would occur if the VIP was disabled.

    when CLIENT_ACCEPTED {
      # Refuse the new connection when fewer than 3 pool members are up
      if { [active_members MyPoolName] < 3 } {
        reject
        log local0. "[IP::client_addr] - Client rejected. Active members of MyPoolName dropped below 3."
      } else {
        return
      }
    }
    

    According to what you've said, all you want is to configure F5 so that any new connections are refused as the number of active members drops below 3. If there are other requirements, please specify.

  • Thanks so much for your response. It is greatly appreciated.

     

    Yes, the goal is to have the F5s reject any new connections over UDP-1812 when the number of active servers in the pool drops below 3. Will the iRule you have so kindly posted also work with UDP traffic?

     

    Regards, Luis

     

    • Hannes_Rapp
      Yep, it's for IP in general and can be used for TCP as well as for UDP. In the case of a UDP connection, an ICMP Unreachable message will be sent instead of TCP/RST.
  • Initial testing was successful. Thank you very much! After my limited testing I did realize I'll also need to ignore/reject traffic for any existing connections. Is there a way to accomplish that?

     

  • Arie

    Hannes' solution is technically accurate, but I prefer more generic rules that can be applied to different VIPs.

    If you change

    if { [active_members MyPoolName] < 3 }{

    to

    if { [active_members [LB::server pool]] < 3 }{

    that'll work for most VIPs.

    Note: be careful if an iRule changes the pool, as you could find that you're taking action on the status of a different pool than you intended.

  • Arie, thanks for the suggestion! This iRule will eventually be used on another LTM cluster which has a different pool name. Generic will be great.

     

    As for my question about ignoring/rejecting existing connections, I'm thinking the easiest way is to ensure the servers remain disabled long enough. Does it sound like I am on the right track?

     

  • Ended up using the iRule below. It works well for my purposes. I'd like to thank both Hannes and Arie for the assistance. You guys were dead on!

    when CLIENT_ACCEPTED {
      if { [active_members [LB::server pool]] < 3 } {
        reject
        log local0. "[IP::client_addr] - Client rejected. Active members of Authentication pool dropped below 3."
      } else {
        return
      }
    }
    

    Thanks so much!
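
An added example, not part of the original thread: one way to extend the final iRule so that flows accepted while the pool was healthy are also refused once it degrades, a question the thread leaves open. It assumes a UDP virtual server, where CLIENT_DATA fires for each datagram received; the variable names `default_pool`, `min_active` and `refused` are hypothetical.

```tcl
# Added example, not the posters' code. Assumes a UDP virtual server with a
# default pool assigned; the threshold of 3 is the one used in the thread.
when CLIENT_ACCEPTED {
    # Capture the default pool once per flow, before any other iRule can
    # select a different pool (the caveat Arie raises above).
    set default_pool [LB::server pool]
    set min_active 3
    set refused 0

    if { [active_members $default_pool] < $min_active } {
        log local0. "[IP::client_addr] - New flow rejected. Active members of $default_pool below $min_active."
        set refused 1
        reject
        return
    }
}

when CLIENT_DATA {
    # Nothing more to do for a flow that was already refused.
    if { $refused } {
        return
    }

    # Re-check the pool on every datagram so that a flow accepted earlier
    # is refused as soon as the pool degrades. The flag keeps this to one
    # log line per flow instead of one per datagram.
    if { [active_members $default_pool] < $min_active } {
        log local0. "[IP::client_addr] - Existing flow rejected. Active members of $default_pool below $min_active."
        set refused 1
        reject
    }
}
```

Substituting `drop` for `reject` discards the datagram silently instead of returning an ICMP Unreachable message to the client.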