Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

How can I inspect the payload on a UDP forwarding server?

I have a UDP forwarding (IP) virtual server, to which I would like to apply an iRule to dynamically choose the SNAT address based on a persistence record lookup. The problem I'm running into is that I have a fastl4 profile assigned to the VS and so, as I understand it, there is no data inspection available at this point, so my iRule is not ever firing for traffic coming through the VS.

The VS is forwarding traffic on port 1700 for RADIUS packets initiated by PSNs whose default gateway is my F5. Is there a way to configure a forwarding VS to allow payload inspection in this scenario?

Thanks, Jen

Rate this Question

Answers to this Question


Yes. Change the Virtual Server type to Standard. Since you are performing forwarding, assign no pool, and ensure that "Translate Address" and "Translate Port" are disabled/unchecked.

As you say, you can inspect payload only when operating as a full-proxy. FastL4 disabled that.

Do keep in mind that you can still inspect L3 and L4 attributes for the flow, most particularly the IP addresses and ports, even with a FastL4 profile.

Comments on this Answer
Comment made 28-Apr-2016 by dubdub 358
Works great! Thank you so much for the tip! Thanks, Jen

So I spoke too soon, I had limited functionality in the irule and upon expanding it to what I really need it to do, I'm running into a Tcl error. My persistence table uses the MAC address plus the NAS IP as the key (I have multiple VIPs involved and need to use a composite key to uniquely identify client/VIP combinations). This is the irule so far:

when RULE_INIT {
   set static::SNAT_debug 1
   set static::DefaultSNATPool "SNATPOOL_base-vip"

   # Get the MAC address from the packet
   if { not ([RADIUS::avp 31 "string"] equals "" ) } {
      # Remove the punctuation from the mac address
      set mac [string map {":" ""} [RADIUS::avp 31 "string"]]

      # Also get the NAS IP
      set nas_ip [RADIUS::avp 4 ip4]

      # Concatenate them together for the key in the persistence table
      set mac_up "[string toupper $mac]:$nas_ip"
      if { $static::SNAT_debug } { log local0. "mac_up is $mac_up" }

      # Look up the mac address in the persistence table.  We need the pool it came in on
      set persistInfo [persist lookup uie $mac_up]
      set persistFields [split $persistInfo " "]
      set requestedPool [lindex $persistFields 0]

      # Assume the default pool if we did not find a persistence record for this key
      if { $requestedPool eq "" } {
         if { $static::SNAT_debug } { log local0. "mac address $mac_up not found in persistence table!" }
         set mySNATPool $static::DefaultSNATPool
      } else {
         # We found a persistence record
         if { $static::SNAT_debug } { log local0. "requestedPool is $requestedPool" }

         # look up the associated snatpool for the pool from the persistence record
         set mySNATPool [class lookup $requestedPool PoolMap]
         if { $static::SNAT_debug } { log local0. "mySNATPool is $mySNATPool" }

         # If for whatever reason we still do not have a default snat pool, assume the base
         if { $mySNATPool eq "" } {
            set mySNATPool $static::DefaultSNATPool

   if { $static::SNAT_debug } { log local0. "***mySNATPool is $mySNATPool" }

   # set the correct snatpool
   snatpool $mySNATPool

When I execute this rule on the VS with no pool assigned, I get the following errors:

01220001:3: TCL error: /Common/SNATfor1700 - Prerequisite operation not in progress (line 1) (line 1) invoked from within "persist lookup uie $mac_up"

I verified the persistence record exists for the key I am looking for. What could be triggering that Tcl error?

Thanks, Jen

Comments on this Answer
Comment made 02-May-2016 by dubdub 358
Hi Vernon, I actually found that the TCL error was being generated by the fact that I did not have a default pool assigned to the virtual server, and since my persistence profile is matching across services, I changed the lookup command to: set persistInfo [persist lookup uie { $mac_up any pool }] And that got rid of the TCL error. However, I am still not finding the persistence record in the table, despite confirmation that it exists when I query the table from tmsh (I posted about this at https://devcentral.f5.com/questions/persist-lookup-and-a-forwarding-server). So something with the lookup still isn't functioning correctly...