Forum Discussion

VictorC
May 21, 2014

VS and pool stats for SCP/SSH VS are not updated.

I've migrated our users to use a SCP (port 22) on a virtual server. After migration I am checking if users are connecting, etc. The stats don't seem to update much so I inserted an iRule and that picks up many CLIENT_ACCEPTED and CLIENT_CLOSED. While the iRule stats are good to have, I would prefer to know existing client connections for current and max but those numbers don't increase. I did a test SCP and SSH to the VIP and even after I connect the stats don't increase.

 

Here is my statistics output (removed name/IP references for security):

    VIRTUAL ADDRESS UNIT 1
    | ARP enable
    | (cur, max, limit, tot) = (0, 19, 0, 23076)
    | (pkts,bits) in = (1.510M, 9.250G), out = (1.274M, 5.888G)
    +-> VIRTUAL myscp_22 SERVICE 22
    | PVA acceleration none
    | (cur, max, limit, tot) = (0, 17, 0, 3390)
    | (pkts,bits) in = (1.483M, 9.235G), out = (1.228M, 5.849G)
    | requests (total) = 0
    +-> RULE myscp_log
    +-> CLIENT_ACCEPTED 3345 total 0 fail 0 abort
    +-> CLIENT_CLOSED 3351 total 0 fail 0 abort
    +-> SERVER_CONNECTED 3335 total 0 fail 0 abort
    +-> POOL myscp_22 LB METHOD round robin MIN/CUR ACTIVE MEMBERS 0/2
    | (cur, max, limit, tot) = (0, 18, 0, 3330)
    | (pkts,bits) in = (1.712M, 9.334G), out = (1.189M, 5.822G)
    +-> POOL MEMBER myscp_22/xx:22 active,up
    | | session enabled priority 1 ratio 1
    | | (cur, max, limit, tot) = (0, 9, 0, 1673)
    | | (pkts,bits) in = (418354, 2.003G), out = (299391, 1.357G)
    | | requests (total) = 0
    +-> POOL MEMBER myscp_22/xx:22 active,up
    | session enabled priority 1 ratio 1
    | (cur, max, limit, tot) = (0, 9, 0, 1657)
    | (pkts,bits) in = (1.294M, 7.331G), out = (889905, 4.465G)
    | requests (total) = 0

 

My rule:

    rule myscp_log {
       when CLIENT_ACCEPTED {
          # remember the VIP address:port the client connected to
          set vip [IP::local_addr]:[TCP::local_port]
       }

       when SERVER_CONNECTED {
          set client "[IP::client_addr]:[TCP::client_port]"
          set node "[IP::server_addr]:[TCP::server_port]"
          # log connection info
          log local0.info "Client $client -> VIP: $vip -> Node: $node"
       }

       when CLIENT_CLOSED {
          # log connection info
          log local0.info "Client $client -> VIP: $vip -> Node: $node"
       }
    }

 

Any help is appreciated. Thanks.
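
Added example, not part of the original post: because the iRule above logs the same message at SERVER_CONNECTED and at CLIENT_CLOSED, current and peak concurrent connections can be rebuilt by replaying the log, as long as each line carries the event name. The syslog prefix with the `<EVENT>` tag, the function name and the sample addresses are assumptions made for this sketch.

```python
import re

# Assumed log layout (not shown in the thread):
#   ... Rule myscp_log <EVENT>: Client ip:port -> VIP: ip:port -> Node: ip:port
LINE_RE = re.compile(
    r"Rule myscp_log <(?P<event>SERVER_CONNECTED|CLIENT_CLOSED)>: "
    r"Client (?P<client>\S+) -> VIP: (?P<vip>\S+) -> Node: (?P<node>\S+)"
)

def connection_stats(lines):
    """Replay the iRule log lines and return cur/max/tot like the stats page."""
    open_conns = {}   # client ip:port -> pool member it was sent to
    per_node = {}     # pool member -> total connections received
    peak = total = unmatched = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        client, node = m["client"], m["node"]
        if m["event"] == "SERVER_CONNECTED":
            open_conns[client] = node
            total += 1
            per_node[node] = per_node.get(node, 0) + 1
            peak = max(peak, len(open_conns))
        elif open_conns.pop(client, None) is None:
            # Close without a logged open, e.g. the open predates this log file.
            unmatched += 1
    return {"cur": len(open_conns), "max": peak, "tot": total,
            "unmatched_closes": unmatched, "per_node": per_node}

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
May 21 10:00:01 tmm tmm[1234]: Rule myscp_log <SERVER_CONNECTED>: Client 198.51.100.7:40001 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.11:22
May 21 10:00:02 tmm tmm[1234]: Rule myscp_log <SERVER_CONNECTED>: Client 198.51.100.8:40002 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.12:22
May 21 10:00:05 tmm tmm[1234]: Rule myscp_log <CLIENT_CLOSED>: Client 198.51.100.7:40001 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.11:22
May 21 10:00:06 tmm tmm[1234]: Rule myscp_log <SERVER_CONNECTED>: Client 203.0.113.5:51000 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.11:22
May 21 10:00:07 tmm tmm[1234]: Rule myscp_log <CLIENT_CLOSED>: Client 203.0.113.9:52000 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.12:22
May 21 10:00:09 tmm tmm[1234]: Rule myscp_log <SERVER_CONNECTED>: Client 198.51.100.7:40003 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.12:22
May 21 10:00:12 tmm tmm[1234]: Rule myscp_log <CLIENT_CLOSED>: Client 198.51.100.8:40002 -> VIP: 192.0.2.10:22 -> Node: 10.0.0.12:22
""".splitlines()

if __name__ == "__main__":
    print(connection_stats(SAMPLE_LOG))
```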

 

5 Replies

  • VIRTUAL ADDRESS xx UNIT 1
    | ARP enable
    | (cur, max, limit, tot) = (0, 19, 0, 23076)
    | (pkts,bits) in = (1.510M, 9.250G), out = (1.274M, 5.888G)
    +-> VIRTUAL myscp_22 SERVICE 22
    | PVA acceleration none
    | (cur, max, limit, tot) = (0, 17, 0, 3390)
    | (pkts,bits) in = (1.483M, 9.235G), out = (1.228M, 5.849G)
    | requests (total) = 0
    +-> RULE myscp_log
    +-> CLIENT_ACCEPTED 3345 total 0 fail 0 abort
    +-> CLIENT_CLOSED 3351 total 0 fail 0 abort
    +-> SERVER_CONNECTED 3335 total 0 fail 0 abort
    +-> POOL myscp_22 LB METHOD round robin MIN/CUR ACTIVE MEMBERS 0/2
    | (cur, max, limit, tot) = (0, 18, 0, 3330)
    | (pkts,bits) in = (1.712M, 9.334G), out = (1.189M, 5.822G)
    +-> POOL MEMBER myscp_22/xx:22 active,up
    | | session enabled priority 1 ratio 1
    | | (cur, max, limit, tot) = (0, 9, 0, 1673)
    | | (pkts,bits) in = (418354, 2.003G), out = (299391, 1.357G)
    | | requests (total) = 0
    +-> POOL MEMBER myscp_22/xx:22 active,up
    | session enabled priority 1 ratio 1
    | (cur, max, limit, tot) = (0, 9, 0, 1657)
    | (pkts,bits) in = (1.294M, 7.331G), out = (889905, 4.465G)
    | requests (total) = 0

  • Hi Victor,

    what TMOS version are you on, please?

    Is it a redundant deployment with mirroring enabled?

    You are really monitoring the active unit and VIPs and floating self IPs are all assigned to traffic group traffic-group-1?

    Could you please provide the config of your virtual server:

    tmsh list ltm virtual virtual_server_name   
    tmsh list ltm virtual-address virtual_ip_address   
    

    Thanks, Stephan

  • Hi, I'm running BIG-IP Version 9.4.7 320.1. It is a redundant pair and I'm on the Active unit.

    virtual myscp_22 {
       snat automap
       pool myscp_22
       destination xx:22
       ip protocol 6
       rules myscp_log
       profiles
          myscp_tcp
             clientside
          tcp-lan-optimized
             serverside
       persist source_addr
    }
    
  • Hi Victor,

     

    it looks straightforward.

     

    I guess your clientside tcp profile has just a modified timeout and is based on the default tcp profile?

     

    Your virtual addresses and floating self IPs are all assigned to unit 1, right?

     

    Sometimes I noticed a significant delay with the statistics updates.

     

    But I was under the impression that this might be related to still open connections. But you proved by your iRule that this is not the case here ...

     

    Btw, as you are using the virtual server for SCP, it makes sense to run it in proxy mode. In case it would just be plain SSH, I would switch to Performance L4 to lower the introduced latency.

     

    From my perspective this is a case for the F5 support folks.

     

    Thanks, Stephan

     

  • Thanks for the feedback. Yeah, I don't think it's an issue with the unit or IPs themselves. I have other HTTP virtual servers all updating fine and quick. My tcp profile just extends the timeouts so users don't get dropped too quickly in case of a long download. (These settings were actually pulled from an FTP profile that this VS replaced).

     

    Thanks again. I'll see what else to try, as I know support will probably tell me to upgrade :) That is the plan in 2 months but at the moment, I am trying to get useful data back to mgmt.

     

    Take care.