When parent VS with pool-group/pool attached indirectly gets an VS update by means of SSL profile config update, state of VS may go down with error "Pools belonging to this Virtual Service are down"
Article ID: 408723
Updated On:
Products
Issue/Introduction
- SSL profile attached to a parent VS with EVH hosting of type SNI is modified.
- The VsVIP for the VS may be marked Down with error message "Pools belonging to this Virtual Service are down" even though the Pool status is UP. The VS may be still marked UP.
- The VsVIP status will be marked UP on its own after sometime without any change.
Environment
The parent VS is a Virtual Hosting VS of type SNI. It has no pool members attached either directly or indirectly via datascript.
The version is 22.1.x or below.
Cause
SSL profile update recalculated the parent VS state incorrectly. To the parent VS, poolgroup could be added directly or indirectly via datascript. Upon the update, it is incorrectly checking number of up pools to be at least 1 for parent VS and marking it down if number of up pools are 0 as there is no pool attached directly or indirectly. At a later time (after a few hours), when SE list VS update happens, the VS state is recalculated at which time the VS gets marked UP.
Resolution
Issue is fixed in 30.2.4, 31.1.1-2p3, 31.1.2. Upgrading to this or higher builds will resolve the issue.
Workarounds
1. Do not modify ssl profile attached to parent VS directly, but create new ssl profile template and update the VS to use new one and remove the old ssl profile. The update will then be a VS update and not as ssl profile update and prevent this issue from occurring.
2. In non-AKO setup, attaching dummy pool without any servers directly to parent VS, will avoid this issue. In AKO setup this workaround won't work, as AKO will replace the configuration, it is instead recommended to upgrade to version with fix.
Feedback
