Forum Discussion

teknet7_237497's avatar
teknet7_237497
Icon for Nimbostratus rankNimbostratus
Dec 14, 2015

iRule: persist uie "$var1:$var2"

Hello Team, I have just found i can create persistence entry using two variables example: persist uie "$var1:$var2" But not sure how can later use it. Is it possible to hit it if matching...
application delivery
iRules
teknet7_237497's avatar
teknet7_237497
Icon for Nimbostratus rankNimbostratus

Hi Stephan,

OK, i have made several more tests, i have one VS for both Radius Authentication and Accounting. Irule for that:

 rule for RADIUS authentication udp/1812
when LB_SELECTED {
    log local0. "session table entry added: "
    session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
}

 rule for RADIUS accounting udp/1813
when CLIENT_DATA {
   log local0. "session table lookup result: [session lookup uie "persist:[RADIUS::avp 31]"]"
   if {[session lookup uie "persist:[IP::client_addr]"] ne ""} {
       log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]"
       node [session lookup uie "persist:[RADIUS::avp 31]"]
       log local0. "session table entry added: "
       session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
   }
}

When i send Radius Authentication packet i got the logs:

session table entry added: 
session table lookup result: 172.16.34.100

It looks like session is never created, when trying:

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys connection
Really display all connections? (y/n) y
Sys::Connections
172.16.34.102:35200  172.16.34.100:8  172.16.34.102:35200  172.16.34.100:8  icmp  1  (tmm: 0)  none
172.16.34.102:32148  172.16.34.100:8  172.16.34.102:32148  172.16.34.100:8  icmp  6  (tmm: 0)  none
172.16.34.102:42463  172.16.34.101:8  172.16.34.102:42463  172.16.34.101:8  icmp  5  (tmm: 1)  none
172.16.34.102:57314  172.16.34.101:8  172.16.34.102:57314  172.16.34.101:8  icmp  10  (tmm: 0)  none
Total records returned: 4
root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)

I do see only icmp connection which are result of monitoring (probe). My persistence looks like:

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show /ltm persistence persist-records
Sys::Persistent Connections
hash  0  172.16.33.103:any  172.16.34.100:any  (tmm: 0)
Total records returned: 1

Why the session is never created ? And how can i display/monitor that ?

Also how can i differentiate accounting from authentication in CLIENT_DATA (i would like to search for framed-ip-addr only for accounting packets).

Thanks, Michal

StephanManthey's avatar
StephanManthey
Icon for MVP rankMVP
Dec 20, 2015
Hi Michal, I dont know a way of dumping the table created by the session command. As far as I know it is separated from the persistence table and the connection table. Thats why the related commands do not return the expected results. For the first step I would recommend to extend the log statement in context of the RADIUS accounting message to the following: log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]" This way you can the sure the radius client is using the same calling station ID of 11:11:11:11:11:11 as in your example. Looking up the "session" table via iRule is the only way I am aware of. For an analysis of your environment specific traffic patterns I would recommend to run a TCPDUMP while having a single poolmember enabled only ( this way you prevent wrong return values due to failing persistence): tcpdump -i 0.0:nnnp -s 0 -c 1000 -w /shared/radius-001.cap 'port 1812 or port 1813' To differentiate between RADIUS authentication and accounting you can use the return value of [RADIUS::code] in your iRule. 1=access request 2=access accept 3=access reject 4=accounting request 5=accounting resonse Thanks, Stephan