Broken iRules Maintenance Page

Many people have been using the feature of a health monitor on LTM called “Monitor Disable String”. When the health monitor receives this string it disables the pool member. This is handy to give to application owners so they can remotely disable a pool member for maintenance or upgrades. A popular use case was to attach an iRule to a VIP. That iRule presents a maintenance page when all pool members are in a disabled state.

Before version 13 of BIG-IP here is what happened:

  1. Disabling a single pool member on a VIP with multiple members would allow the VIP to process traffic as normal. It would load balancing to a smaller pool of members, and all normal logic performs as expected. The VIP is green.
  2. Disabling all pool members on a VIP would still leave the VIP green. This is strange as there are no known available pool members. The VIP would still perform normal logic, like iRules. That enables the use of a maintenance page when all members are in a disabled state.
    • Personally I think the VIP should be red (down) as there are no available members. However, it should still process iRules for maintenance pages.

On and after version 13 of BIG-IP here is what happens:

  1. Disabling a single pool member on a VIP with multiple members would allow the VIP to process traffic as normal. It would load balancing to a smaller pool of members, and all normal logic performs as expected. The VIP is green.
  2. Disabling all pool members on a VIP makes the VIP gray. This is illogical for a couple reasons:
    • You can no longer process local traffic policies or iRules for things like maintenance pages. (Even though in TMSH it says the VIP is available but disabled-by-parent)
    • The definition of a gray icon is “A parent object has disabled the object, or the object is enabled but unavailable because of another disabled object.” Well, a parent object is not disabled as a VIP is the parent most object, so we are left with it being in an enabled but unavailable state because of another disabled object.

  

This is mostly true, but since the VIP itself isn’t in a disabled state it should still be available to process logic like iRules which don’t necessarily require a pool (member) to be available to process traffic. Many users have iRules set to direct clients  to a maintenance page if no pool members are available, or have an iRule to send clients to a completely different pool that is not directly associated with that VIP. That all worked until the logic change in v13. Now with the gray VIP icon, it will only reset  L4 connections immediately following the clients syn.

There is a workaround!

With one pool member “forced offline” while all other pool members are “disabled” the vip shows itself as red (down) and will still process logic like iRules. So you could technically create a pool member named “Leave Forced Offline Do Not Disable Or Change”. Though, I’d like to think there is another way.

Leave a Reply

Your email address will not be published. Required fields are marked *