Hello Team, I have just found i can create persistence entry using two variables example: persist uie "$var1:$var2" But not sure how can later use it. Is it possible to hit it if matching $var1 OR $var2 ? Or maybe i have to match both $var1 AND $var2 ? How it works ? Do i have any control over that ? I need to have "OR" logic because subsequent flows/protocols might not contain both - but just one matching attribute/variable. Thanks, Michal

Hi Michal, considering that you need an UIE persistence, I think that you need to create two persistence records separately and after that, test if exists persistence for those keys with "persist lookup uie". But you need to ensure that during the first, you have both $var keys, otherwise you may persist in two places. Am I wrong? What do you think about it? [ ]

Hi Cjunior, Thank you for the answer. Indeed i have the same conclusions - i need two persistence records. But how to create two persistence records ? I have my data only in client request (not server response). When i have tried to create two persistence records in CLIENT_ACCEPTED or SERVER_DATA using "persist uie" or "persist add uie" always only the last one was created. What are the limitation for creation of 2 persistence records ? I would like to achieve: - on client request: check if there is persistence for $var1 - if yes follow - on client request: check if there is persistence for $var2 - if yes follow - on client request: create/update persistence record for $var1 - on client request: create/update persistence record for $var2 Possible ? Thanks, Michal

Hi Stephan, Thank you for that example. But i do not want AND ("combination of parameters") but OR logic. Real example: - Incoming Radius Access-Request with Calling-Station-ID create persistence for Calling-Station-Id - Incoming Radius Accounting-Request with Calling-Station-ID should be redirected to the same node (as per persistence) but at the same time i would like to create a new persistence record based on Framed-IP-Address attribute - Incoming HTTP traffic: take source ip and match with persistence entry for Framed-IP-Address Radius (Authentication + Accounting) is one virtual server, HTTP is the other. How would you prepare iRules for both ? Thanks, Michal

Sorry, I still don´t get it. I guess the virtual server for HTTP is mapped to a pool of webservers. These servers are not identical with your AAA servers,right? Where is the information in RADIUS about the pool member to select for your web application?

iRule: persist uie "$var1:$var2"

19 Replies

cjunior
Nacreous
Dec 16, 2015
Hi Michal, considering that you need an UIE persistence, I think that you need to create two persistence records separately and after that, test if exists persistence for those keys with "persist lookup uie". But you need to ensure that during the first, you have both $var keys, otherwise you may persist in two places. Am I wrong? What do you think about it? [ ]
teknet7_237497
Nimbostratus
Dec 16, 2015
Hi Cjunior,

Thank you for the answer. Indeed i have the same conclusions - i need two persistence records. But how to create two persistence records ? I have my data only in client request (not server response). When i have tried to create two persistence records in CLIENT_ACCEPTED or SERVER_DATA using "persist uie" or "persist add uie" always only the last one was created.

What are the limitation for creation of 2 persistence records ?

I would like to achieve:

- on client request: check if there is persistence for $var1 - if yes follow - on client request: check if there is persistence for $var2 - if yes follow - on client request: create/update persistence record for $var1 - on client request: create/update persistence record for $var2

Possible ?

Thanks, Michal

StephanManthey

MVP

Dec 16, 2015

Hi Michal,

if you want to persist on a combination of parameters it will be required to match exactly.

when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[URI::query [HTTP::uri] param1]"
   persist uie "[IP::client_addr]:[URI::query [HTTP::uri] param1]"
}

I.e. you try to persist on combined client IP and a query parameter. Now watch your persistence table (specify

mode

and the

virtual

server to limit output; the

all-properties

parameter just dispays some more details i.e. record age):

watch -d 'tmsh show ltm persist persist-records mode universal virtual vs_51 all-properties'

Sys::Persistent Connections
universal - 10.131.131.51:80 - 10.131.131.64:80
-------------------------------------------------
  TMM           1
  Mode          universal
  Value         10.131.131.176:abc
  Age (sec.)    36
  Virtual Name  /Common/vs_51
  Virtual Addr  10.131.131.51:80
  Node Addr     10.131.131.64:80
  Pool Name     /Common/pool_distribution_service
  Client Addr   10.131.131.176
  Owner entry

universal - 10.131.131.51:80 - 10.131.131.63:80
-------------------------------------------------
  TMM           1
  Mode          universal
  Value         10.131.131.176:hij
  Age (sec.)    24
  Virtual Name  /Common/vs_51
  Virtual Addr  10.131.131.51:80
  Node Addr     10.131.131.63:80
  Pool Name     /Common/pool_distribution_service
  Client Addr   10.131.131.176
  Owner entry

Total records returned: 2

Whenever the value ist matched, the associated poolmember will be reselected.

Use i.e. cURL to play with query parameters:

curl -v http://10.131.131.51/path?param1=hij

Thanks, Stephan

teknet7_237497
Nimbostratus
Dec 16, 2015
Hi Stephan,

Thank you for that example. But i do not want AND ("combination of parameters") but OR logic. Real example:

- Incoming Radius Access-Request with Calling-Station-ID create persistence for Calling-Station-Id - Incoming Radius Accounting-Request with Calling-Station-ID should be redirected to the same node (as per persistence) but at the same time i would like to create a new persistence record based on Framed-IP-Address attribute - Incoming HTTP traffic: take source ip and match with persistence entry for Framed-IP-Address

Radius (Authentication + Accounting) is one virtual server, HTTP is the other. How would you prepare iRules for both ?

Thanks, Michal
- StephanManthey
  MVP
  Dec 16, 2015
  Sorry, I still don´t get it. I guess the virtual server for HTTP is mapped to a pool of webservers. These servers are not identical with your AAA servers,right? Where is the information in RADIUS about the pool member to select for your web application?
teknet7_237497
Nimbostratus
Dec 16, 2015
Hi Stephan,

Radius and HTTP are identical - same servers - just different tcp/udp ports.

I need to bind Radius Authentication with Radius Accounting using Calling-Station-id (always the same for both). Then i need to bind Radius with HTTP (Radius Framed-ip-addr in Accounting the same as HTTP ip source). How to achieve that ?

Thanks,
- StephanManthey
  MVP
  Dec 16, 2015
  I.e. rad-web-srv-1 returns a framed IP upon request. Later a client with this source IP requests the web service and should be forwarded to rad-web-srv1. The clients asking for AAA and HTTP are not identical, right?
- teknet7_237497
  Nimbostratus
  Dec 16, 2015
  Hi Stephan, My radius server does not return Framed-ip, it's deliver by AAA client in Radius Interim Accounting messages. The AAA client is Network Device (switch, router, firewall), HTTP client is endpoint (PC, mobile device) connected to Network Device. So - the IP for AAA and HTTP traffic will never be the same - but still i need to correlate it (based on Radius Attributes). Thanks,

StephanManthey

MVP

Dec 16, 2015

You can use the

session

command to build and lookup a separated table.

Depending on which party provides the framed IP one of the following rules will be applied to your RADIUS virtual:

Client provides framed IP:

 rule for radius in case client provides the framed IP
when LB_SELECTED {
    log local0. "session table entry added: "
    session add uie "persist:[RADIUS::avp 8]" [LB::server addr]
}

Server provides framed IP:

 rule for radius in case server provides the framed IP
when SERVER_DATA {
    log local0. "session table entry added: "
    session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
}

The following one will be bound to your virtual server for HTTP (may be used in context of CLIENT_ACCEPTED as well):

 rule for webservice
when HTTP_REQUEST {
   log local0. "session table lookup result: [session lookup uie "persist:[IP::client_addr]"]"
   if {[session lookup uie "persist:[IP::client_addr]"] ne ""} {
       log local0. "lookup match: [session lookup uie "persist:[IP::client_addr]"]"
       node [session lookup uie "persist:[IP::client_addr]"]
   }
}

I don´t have a RADIUS up and running for testing but replicated it with another service in v11.5.1.

Perhaps you need to adjust the RADIUS part.

Thanks, Stephan

teknet7_237497
Nimbostratus
Dec 16, 2015
Thanks Stephan,

I guess the solution is near :)

You have shown how to correlate Radius-Accounting with HTTP via IP address. But i also need to correlate Radius-Authentication (udp/1812) with Radius-Accounting (udp/1813) via Calling-station-id.

And this it the challenge - to correlate 3 different protocols using 2 different attributes - all of those need to land on the same node for successful correlation.

Are you able to expand this example ?

Thanks a lot !

StephanManthey

MVP

Dec 16, 2015

Hi,

in case the accounting server would return the framed IP it would look as follows (assuming AVP31 represents the calling station ID):

 rule for RADIUS authentication udp/1812
when LB_SELECTED {
    log local0. "session table entry added: "
    session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
}

 rule for RADIUS accounting udp/1813
when CLIENT_DATA {
   log local0. "session table lookup result: [session lookup uie "persist:[RADIUS::avp 31]"]"
   if {[session lookup uie "persist:[IP::client_addr]"] ne ""} {
       log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]"
       node [session lookup uie "persist:[RADIUS::avp 31]"]
   }
}
when SERVER_DATA {
    log local0. "session table entry added: "
    session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
}

As initially proposed by cjunior we are using two table entries (keys) pointing to the same real server IP. Thanks, Stephan

teknet7_237497
Nimbostratus
Dec 16, 2015
Great, for me it's aaa client sending framed-ip, so i would need to add session entry inside CLIENT_DATA, like this:

when CLIENT_DATA { log local0. "session table lookup result: [session lookup uie "persist:[RADIUS::avp 31]"]" if {[session lookup uie "persist:[IP::client_addr]"] ne ""} { log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]" node [session lookup uie "persist:[RADIUS::avp 31]"] session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr] } }

Can it work ? I have tried to do the same using persistence only (no sessions) and found out that it can not work together (thread: https://devcentral.f5.com/questions/irule-two-persist-commands)

Thanks, Michal
- StephanManthey
  MVP
  Dec 16, 2015
  Hi Michal, the session table is independent from the persistence table and starting with v10.x(?) you can use it for key/value pairs to build your own "persistence" method. Please just watch the logs to verify the RADIUS::avp returns the expected data to be used in combination with i.e. "persist:" as key. Thanks, Stephan
teknet7_237497
Nimbostratus
Dec 20, 2015
Hi Stephan,

OK, i have made several more tests, i have one VS for both Radius Authentication and Accounting. Irule for that:

rule for RADIUS authentication udp/1812 when LB_SELECTED { log local0. "session table entry added: " session add uie "persist:[RADIUS::avp 31]" [LB::server addr] } rule for RADIUS accounting udp/1813 when CLIENT_DATA { log local0. "session table lookup result: [session lookup uie "persist:[RADIUS::avp 31]"]" if {[session lookup uie "persist:[IP::client_addr]"] ne ""} { log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]" node [session lookup uie "persist:[RADIUS::avp 31]"] log local0. "session table entry added: " session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr] } }

When i send Radius Authentication packet i got the logs:

session table entry added: session table lookup result: 172.16.34.100

It looks like session is never created, when trying:

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys connection Really display all connections? (y/n) y Sys::Connections 172.16.34.102:35200 172.16.34.100:8 172.16.34.102:35200 172.16.34.100:8 icmp 1 (tmm: 0) none 172.16.34.102:32148 172.16.34.100:8 172.16.34.102:32148 172.16.34.100:8 icmp 6 (tmm: 0) none 172.16.34.102:42463 172.16.34.101:8 172.16.34.102:42463 172.16.34.101:8 icmp 5 (tmm: 1) none 172.16.34.102:57314 172.16.34.101:8 172.16.34.102:57314 172.16.34.101:8 icmp 10 (tmm: 0) none Total records returned: 4 root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)

I do see only icmp connection which are result of monitoring (probe). My persistence looks like:

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show /ltm persistence persist-records Sys::Persistent Connections hash 0 172.16.33.103:any 172.16.34.100:any (tmm: 0) Total records returned: 1

Why the session is never created ? And how can i display/monitor that ?

Also how can i differentiate accounting from authentication in CLIENT_DATA (i would like to search for framed-ip-addr only for accounting packets).

Thanks, Michal
- StephanManthey
  MVP
  Dec 20, 2015
  Hi Michal, I dont know a way of dumping the table created by the session command. As far as I know it is separated from the persistence table and the connection table. Thats why the related commands do not return the expected results. For the first step I would recommend to extend the log statement in context of the RADIUS accounting message to the following: log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]" This way you can the sure the radius client is using the same calling station ID of 11:11:11:11:11:11 as in your example. Looking up the "session" table via iRule is the only way I am aware of. For an analysis of your environment specific traffic patterns I would recommend to run a TCPDUMP while having a single poolmember enabled only ( this way you prevent wrong return values due to failing persistence): tcpdump -i 0.0:nnnp -s 0 -c 1000 -w /shared/radius-001.cap 'port 1812 or port 1813' To differentiate between RADIUS authentication and accounting you can use the return value of [RADIUS::code] in your iRule. 1=access request 2=access accept 3=access reject 4=accounting request 5=accounting resonse Thanks, Stephan

Forum Discussion

iRule: persist uie "$var1:$var2"

19 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

XFF Universal Persistence iRule

Decoding the IPv4 address from the persistence cookie

Disable cookie persistance in irule

SOCKS5 SSL Persistence

Source_Addr Persistence Problems