Once you start depending on the F5® BIG-IP® to deliver your applications you will soon ask yourself: How do I view and delete the current or active connections through my F5 load balancer? Answering this question helps get your head around the concept that the F5 BIG-IP is a Full Proxy, and for that matter, much more than a load balancer! Many of us first become familiar with F5 through the Local Traffic Manager™, aka LTM® – handling much of the local load balancing, but that’s just the start. From advanced DNS, Authentication & Identity, to advanced security and Web Application Firewalls – the BIG-IP has matured into the enterprise standard for delivering vital applications.
Because the F5 is a full proxy, every connection through it is really two connections: one on the Client Side and one on the Server Side, each with its own addresses and ports. You’ll find this command is indispensable, not only with the LTM, but with other core modules like the AFM™, DNS/GTM™, APM®, and ASM®. Let’s dive into the TMSH command to display and delete connections on an F5 BIG-IP. Note – viewing and deleting connections is currently not available in the GUI.
To simply view all the active connections, use the following command from the CLI:
TMSH command to view all the current active connections
tmsh show /sys connection
Here is an example of a line of output:
172.10.50.20:30322 10.10.10.1:443 192.168.1.1:30322 192.40.200.20:332 tcp 14 (tmm: 6) none
Now we will run the command with a question mark at the end to list all of the options and properties it accepts.
TMSH command to list all the options & properties with the show /sys connection command
tmsh show /sys connection ?
Options:
all-properties Display all properties for the specified items
default Units are determined based on current values
exa All values are displayed in exa-units
gig All values are displayed in giga-units
kil All values are displayed in kilo-units
meg All values are displayed in mega-units
peta All values are displayed in peta-units
raw No conversions are made to any values
save-to-file Output from the command is saved to the specified file. -
This file is placed in /shared. This allows to write a file larger than 2GB.
tera All values are displayed in tera-units
yotta All values are displayed in yotta-units
zetta All values are displayed in zetta-units
| Route command output to a filter
Properties:
"{" Optional delimiter
age Specifies the age, in seconds, of a connection
cs-client-addr Specifies the clientside remote address of the active connections
cs-client-port Specifies the clientside remote port of the active connections
cs-server-addr Specifies the clientside local address of the active connections
cs-server-port Specifies the clientside local port of the active connections
protocol Specifies the protocol used for specified connections (for example: tcp, udp)
ss-client-addr Specifies the serverside local address of the active connections
ss-client-port Specifies the serverside local port of the active connections
ss-server-addr Specifies the serverside remote address of the active connections
ss-server-port Specifies the serverside remote port of the active connections
Using my example output line above, we will label each part of the output:
Client Side
172.10.50.20:30322 10.10.10.1:443
cs-client-addr:cs-client-port cs-server-addr:cs-server-port
Server Side
192.168.1.1:30322 192.40.200.20:30322
ss-client-addr:ss-client-port ss-server-addr:ss-server-port
The protocol used, the age of the connection, and which traffic management microkernel was used
tcp 14 (tmm: 6) none
protocol age tmm used
You can see there are plenty of useful options and properties you can choose from. Now let’s take a look at some of my terrible artwork; the drawing will help explain where exactly in the connection flow each property lives.
This drawing depicts a BIG-IP in Full-Proxy mode where the client is the initial source of the communication to a VIP on the Client Side, and the F5 is using SNAT to route traffic destined to the server on the Server Side. I’ve labeled the respective parts of the drawing with the equivalent “show /sys connection” property.
One of the most important things in understanding TCP/IP communication is understanding who “initiated” aka “sourced” the connection – with the BIG-IP we take it a step further and aim to understand who was the “initial” source. In this example the computer is the initial source to the BIG-IP VIP, and the VIP proxies the connection to the backend server “sourcing” communication from the SNAT address, destined for the Server. The context doesn’t always have to be that way, for example, the Server could initiate a connection, and now in relation to the connection table, it’s the client side client address or cs-client-addr. The F5 could also initiate communication – one good example is monitor traffic from the non-floating self IPs. Fortunately the output of the connection table always lists the initial source on the left side as the cs-client-addr.
TIP – In general with TCP/IP you can often tell who sourced a connection by looking at the ports: whoever is initiating a connection typically uses a port greater than 1024 for itself, and usually goes after a well-known port like 80 or 443.
How do I delete a connection from the F5 BIG-IP connection table?
To delete active connections in the BIG-IP connection table you can key on any of the property value(s). For example, if you wanted to delete all connections a user was initiating to the BIG-IP, you would specify the user’s IP as the client side client address like this:
TMSH command to delete all connections initiated from a specific client IP
tmsh delete /sys connection cs-client-addr 172.10.50.20
TMSH command to delete ALL connections on an F5 BIG-IP – careful, you're going to kill EVERY session.
tmsh delete /sys connection
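As an added example (not from the original article or from F5), here is a small Python helper that parses the four-tuple table output described above into the `show /sys connection` property names, counts connections per initial source (the left-most column, cs-client-addr), and builds a filtered `tmsh delete /sys connection` command while refusing to emit the bare, delete-everything form. The sample table lines are constructed, not captured from a real BIG-IP, and the parser assumes IPv4 addresses.

```python
import re
from collections import Counter

# Constructed sample `tmsh show /sys connection` output (not captured from a real
# BIG-IP); the first line mirrors the article's example. IPv4 only is assumed.
SAMPLE_OUTPUT = """\
172.10.50.20:30322 10.10.10.1:443 192.168.1.1:30322 192.40.200.20:443 tcp 14 (tmm: 6) none
172.10.50.20:30323 10.10.10.1:443 192.168.1.1:30323 192.40.200.21:443 tcp 2 (tmm: 1) none
10.20.30.40:51000 10.10.10.1:443 192.168.1.1:51000 192.40.200.20:443 tcp 900 (tmm: 3) none
Total records returned: 3
"""

# Column order and property names exactly as `show /sys connection ?` lists them.
COLUMNS = ("cs-client", "cs-server", "ss-client", "ss-server")
FILTER_KEYS = {f"{c}-{k}" for c in COLUMNS for k in ("addr", "port")} | {"protocol", "age"}
LINE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+"
                     r"(\w+)\s+(\d+)\s+\(tmm:\s*(\d+)\)")


def parse_connections(text):
    """Turn raw table lines into dicts keyed by the tmsh property names."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skip footer lines such as 'Total records returned'
            continue
        f = m.groups()
        conn = {f"{col}-addr": f[2 * i] for i, col in enumerate(COLUMNS)}
        conn.update({f"{col}-port": int(f[2 * i + 1]) for i, col in enumerate(COLUMNS)})
        conn.update(protocol=f[8], age=int(f[9]), tmm=int(f[10]))
        conns.append(conn)
    return conns


def connections_per_initiator(conns):
    """The left-most column is always the initial source, so count by cs-client-addr."""
    return Counter(c["cs-client-addr"] for c in conns)


def delete_command(filters):
    """Build `tmsh delete /sys connection <prop> <value> ...` from a dict of filters."""
    if not filters:        # a bare delete drops EVERY connection on the box
        raise ValueError("refusing to build an unfiltered delete")
    bad = set(filters) - FILTER_KEYS
    if bad:                # a mistyped property must not silently widen the delete
        raise ValueError(f"unknown property: {sorted(bad)}")
    parts = " ".join(f"{k} {v}" for k, v in sorted(filters.items()))
    return f"tmsh delete /sys connection {parts}"
```

Passing both client-side ports, as in `delete_command({"cs-client-port": 30322, "ss-client-port": 30322})`, yields the single-connection delete that petee describes in the comments.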
Make sure you check out the “all-properties” option; it has a load of great information, including how many bits the connection has pushed, and its age & idle-timeout. Let’s take a look at the output:
TMSH command to show all details about a particular connection, including how much traffic (bits in and out) a connection has used
tmsh show /sys connection cs-client-addr 172.10.50.20 all-properties
172.10.50.20:30322 - 10.10.10.1:443 - 172.10.50.20:30322 - 192.40.200.20:443
----------------------------------------------------------------------------
TMM 6
Type self
Acceleration none
Protocol tcp
Idle Time 9
Idle Timeout 300
Unit ID 0
Lasthop /Common/internal 00:0d:3a:3a:25:20
Virtual Path 10.10.10.1:443
Conn Id 0
ClientSide ServerSide
Client Addr 172.10.50.20:30322 172.10.50.20:30322
Server Addr 10.10.10.1:443 192.40.200.20:443
Bits In 3.0K 1.3K
Bits Out 1.3K 3.0K
Packets In 4 3
Packets Out 3 4
I hope you found this article useful. Do you have any questions or info to add? How do you use the command? Have some fun Linux commands chained together to manipulate the output from bash? Please share it below in the comments 🙂
Kumar says
Hi Austin,
Great stuff!!
Can you please post an article on the UCS platform-migrate option, as this would help when migrating from one F5 appliance to a later version.
Dilip Jadhav says
Thanks for the article,
@Austin can you tell me how I use a CLI command to check/uncheck a box in F5? Suppose I wanted to check the cipher checkbox in the SSL client profile, how do I do it via the CLI?
Austin Geraci says
Using TMSH to define a cipher string would also check the box in the GUI, by virtue of applying something that is different from what was inherited.
Khana says
Thank you for this! Exactly what I needed to understand how to delete connections in F5 LTM!
The F5 Guy says
I really like the way you clearly lay this out, thank you much. Tested deleting connections in the lab and it worked like a charm 😉
Jerome says
Thank you – going through this article helped me understand what it means when people say F5 is a full proxy.
Priya says
Thanks for the article. What does the age in show sys connection do? What does age basically refer to?
Svein Ove Askeland says
Is there a way to get this information through the GUI?
Austin Geraci says
Unfortunately there is no way at this time to view detailed connection data like this from the GUI – though it would be nice!
petee says
Thank you for your great article, you helped me a lot!
One hint from my side – if you need to delete only one particular connection (both sides of the proxy), please use:
tmsh delete /sys conn cs-client-port 30322 ss-client-port 30322
Austin Geraci says
Thanks for the contribution Petee! Yes, specifying both client side ports should do the trick to delete the single connection – nice tip!
Jim says
Thank you so much for this,
You have a very unique way of explaining technical information that makes it stick with me, keep writing!
Racker says
Thank you so much for the article, wonderfully put. I would also like to know a few live cases where we will actually need to delete an active connection.
Austin Geraci says
Thanks Racker, so why and when would you need to delete connections in F5 land?
For the most part, when you make changes to a Virtual Server and its associated elements, the changes do not affect current connections. This can confuse you and the folks impatiently hitting refresh expecting the changes to take effect immediately.
This means we have to delete the current connections to that VIP in order for them to establish new connections and utilize the new settings.