Forum Discussion

Red-Erik_144667
Feb 19, 2014

SMTP Virtual Server balance Exchange

Hi All, I'm new to F5 technology so forgive my poor skills and bad English. I'm trying to balance SMTP using F5 BIG-IP in front of a couple of Exchange 2010 servers and I use a simple iRule to filter SMTP traffic based on source address. During the test phase, I noticed that F5 drops half of the connections, leaving them "suspended" until timeout. It seems that F5 does not allow multiple SMTP connections from the same address (half of the sendmail connections dropped). I tried to disable the iRule with no effect. I added an SMTP persistence rule with no effect. Really I can't figure out why the system is unable to handle traffic as expected. Any suggestion will be greatly appreciated. Thanks in advance. Red.

 

8 Replies

  • Obviously the Exchange connectors are performing well and the problem is related to F5 only.
  • Hamish

    You'd have to do something special to only allow 1 connection per source IP for a VS. It's not a standard 'feature'.

     

    Can you post the iRule? Any errors in /var/log/ltm when it runs? What's the traffic look like with tcpdump for two simultaneous connections?

     

    H

     

  • when CLIENT_ACCEPTED {
        if { not ( [class match [IP::client_addr] equals Allowed_SMTP] ) } {
            reject
        } else {
            snat 172.25.3.123
        }
    }

    As told before, if I disable the rule I obtain the same result: 6 smtpsend parallel connections with 3 timed out. I tried a more complex iRule with logging, such as:

    when RULE_INIT {
        # v1.0 - basic ACL. October, 2007. Tested on BigIP version 9.4.
        # Purpose: Bind this rule to a network virtual server to simply allow
        # or disallow traffic based on source IP. This rule expects a datagroup
        # named Allowed_SMTP that lists the addresses you wish to allow.
        # By default, traffic will be dropped.
    }
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals Allowed_SMTP] } {
            # Uncomment the line below to turn on logging.
            log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            snat 172.25.3.123
        } else {
            # Uncomment the line below to turn on logging.
            log local0. "Invalid client IP: [IP::client_addr] - discarding"
            discard
        }
    }

    and I always read "forwarding traffic" but e-mails do not arrive at the destination. Is it possible that I'm in the same problem reported here?!? https://devcentral.f5.com/questions/basic-smtp-virtual-server I'd prefer not to delete the SMTP virtual server.

  • Hamish

    Formatting seems to have messed things up in your posting... Are you using the very first rule listed above (reject or SNAT choices only)?

     

    Are your connections that work coming from multiple IPs? I see you're SNAT'ing everything in the iRule behind a single IP. Perhaps your SMTP server is limiting the connections for a single IP? (Most do, to prevent a single remote site taking up all the inbound connections.)

     

    When you try 6 parallel connections and 3 time out, do they make it all the way to the SMTP servers? What do you see on a tcpdump? Does the banner come back to each client? Does the banner even get sent from all the server connections?

     

    Do you know how to use tcpdump? It would be useful for you to verify all 6 connections coming into the BIG-IP, then whether all 6 connections get established to the SMTP servers, and what happens on both the client side and server side for each one.

     

    H

     
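    The check Hamish describes, as an added example that is not part of the thread: a small Python script that opens N SMTP connections in parallel and records, per connection, whether the 220 banner arrives before a timeout. Run it once against the VIP and once directly against a pool member; if every client gets a banner from the member but only some get one through the VIP, the hang is between the client and the pool, which is what a tcpdump on both sides of the BIG-IP would then confirm. The FakeSmtpServer embedded below is a constructed stand-in (not Exchange, not a real SMTP implementation) that greets only every other connection so the script reproduces the "half of the connections hang" symptom offline; host, port and the `run_demo` helper are assumptions.

```python
"""Per-connection SMTP banner check for a load-balanced virtual server.

Added example, not code from the thread. Opens `count` connections at once
and records whether each one receives the 220 greeting before the timeout.
The FakeSmtpServer is a constructed stand-in that greets only every other
connection, so the demo reproduces the symptom offline.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def read_banner(host, port, timeout=5.0):
    """Connect, wait for the greeting line, send QUIT.

    Returns (banner_ok, text, seconds); banner_ok is True only when a line
    starting with "220" arrived before the timeout.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(1024)
                if not chunk:          # server closed without a greeting
                    break
                data += chunk
            line = data.decode("ascii", "replace").strip()
            try:
                s.sendall(b"QUIT\r\n")
            except OSError:
                pass
            return line.startswith("220"), line, time.monotonic() - start
    except OSError as exc:             # timeout, refused, reset ...
        return False, f"{type(exc).__name__}: {exc}", time.monotonic() - start


def check_parallel(host, port, count, timeout=5.0):
    """Open `count` connections simultaneously; one result per connection."""
    with ThreadPoolExecutor(max_workers=count) as pool:
        return list(pool.map(lambda _: read_banner(host, port, timeout), range(count)))


def summarize(results):
    ok = sum(1 for banner_ok, _, _ in results if banner_ok)
    return {"total": len(results), "banner_ok": ok, "no_banner": len(results) - ok}


class FakeSmtpServer:
    """Constructed stand-in: greets connections 1, 3, 5, ... and stays silent
    on the others, which is how the thread's symptom looks from the client."""

    def __init__(self, host="127.0.0.1"):
        self._sock = socket.socket()
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, 0))          # ephemeral port
        self._sock.listen(64)
        self._sock.settimeout(0.2)          # lets the accept loop notice close()
        self.host, self.port = self._sock.getsockname()[:2]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        accepted = 0
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except OSError:                 # accept timeout or socket closed
                continue
            greet = accepted % 2 == 0       # every other connection gets a banner
            accepted += 1
            threading.Thread(target=self._handle, args=(conn, greet), daemon=True).start()

    @staticmethod
    def _handle(conn, greet):
        with conn:
            conn.settimeout(10)
            if greet:
                conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
            try:
                conn.recv(64)               # wait for QUIT or for the client to give up
            except OSError:
                pass

    def close(self):
        self._stop.set()
        self._sock.close()


def run_demo(count=6, timeout=1.0):
    """Run the check against the stand-in; returns (summary dict, per-connection results)."""
    server = FakeSmtpServer()
    try:
        results = check_parallel(server.host, server.port, count, timeout)
    finally:
        server.close()
    return summarize(results), results


if __name__ == "__main__":
    summary, results = run_demo()
    for i, (ok, text, secs) in enumerate(results, 1):
        print(f"conn {i}: {'banner' if ok else 'NO BANNER':9} {secs:5.2f}s  {text}")
    print(summary)
```

    Against a real VIP, replace the stand-in with `check_parallel("<vip-address>", 25, 6)` and compare the per-connection output with the same call aimed at a pool member's address; a connection that times out without a banner on the VIP but not on the member is the one to follow with tcpdump on the BIG-IP.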

  • Hi, I solved the problem by modifying the health monitor, forcing it to use TCP instead of SMTP, and by using autosnat directly in the virtual SMTP server instead of the iRule. Now I use the following iRule and it works fine as expected.

    when CLIENT_ACCEPTED {
        if { not [class match [IP::client_addr] equals Allowed_SMTP] } {
            reject
            log local0. "Invalid client IP: [IP::client_addr] - drop traffic"
        } else {
            pool SMTP-TO-POOL
        }
    }

    Thank you all. Red.

  • Hamish

    MM... The monitor shouldn't affect the operation of the VS (unless the pool members were flapping; you should have seen that in /var/log/ltm if that were the case, though)...

     

    Sorry, I was assuming that the IP you were SNAT'ing to was configured as a SNAT already... Did it belong to someone else perhaps on the network?

     

    H

     

  • No.. it's the VIP IP address and the autosnat is always done with that IP. As I told before, I'm not an F5 expert but I'm quite well prepared on networking and Exchange solutions (IP addressing, routing, connectors are all OK) and this solution works as expected. The monitor modification solved the multiple SMTP sessions and the new iRule (using the pool command instead of "forward") did the trick, responding in real time to the modifications I did on the "Allowed_SMTP" Data Group. Regards. Red.

     

  • Hamish

    If the monitor mod solved it, then the only thing I can think of was the monitor causing it to flap for some reason (which you'd have to verify by looking at what was coming back, to find out why).

     

    H