Forum Discussion

tbeach_322093
Nimbostratus
Sep 04, 2018

Logs filling up as side effect of NAC iRule.

We added an iRule (found on DevCentral) when we enabled NAC. The iRule works, though we get the unwanted side effect of the logs completely filling up with the error:


"TCL error: /MLB-RSC-AAA/dhcp_mac_sticky - can't read "mac_up": no such variable while executing "persist uie $mac_up $persist_ttl""


Does anyone know which part of the iRule we could modify to eliminate this logging error without affecting the iRule?


4 Replies

  • Your logs are filling up with TCL errors as somewhere in your iRule you've either not set $1 correctly or some part of your code is not executing.

    If you could share the iRule you have applied on your virtual server, ideally formatted correctly, it would be easier to spot where it's going wrong.

  • Add an if before the use of mac_up

    e.g.


    if {[info exists mac_up]} {
      persist uie $mac_up $persist_ttl
    }


  • Can you try this code:

    The original code was converting first to hexadecimal, then converting back to binary or to integer...

    # DHCP Option Field Parser rev 0.4 (2018/09/06)
    #
    #   Written By:  Shun Takahashi
    #   Updated By:  Stanislas PIRON
    #
    #   Original By: Jun Chen (j.chen at f5.com)
    #   Original At: https://devcentral.f5.com/community/group/aft/25727/asg/50
    #
    #   Description: iRule to demonstrate how to capture and binary scan the UDP payload
    #                and store it into the session table for logging enrichment and
    #                intelligent traffic steering decisions.
    #
    #                RFC 2131 defines the DHCP packet structure. This iRule scans the
    #                UDP payload and stores information into session tables with
    #                your_ip as the key.
    #
    #                All options and values are stored in the following session table:
    #
    #                          [table set -subtable   ]
    #
    #   Requirement: The rule requires a virtual server listening on DHCP traffic in
    #                the middle, either inline or out of band.
    #
    #                1) In-line to DHCP traffic
    #
    #                          profile udp udp_dhcp {
    #                              allow-no-payload disabled
    #                              app-service none
    #                              datagram-load-balancing disabled
    #                              idle-timeout immediate
    #                              ip-tos-to-client 0
    #                              link-qos-to-client 0
    #                              proxy-mss disabled
    #                          }
    #
    #                          ltm virtual vs_dhcp {
    #                              destination 0.0.0.0:bootps
    #                              ip-protocol udp
    #                              mask any
    #                              profiles {
    #                                  udp_dhcp { }
    #                              }
    #                              rules {
    #                                  dhcp_sampler
    #                              }
    #                              source 0.0.0.0/0
    #                              translate-address disabled
    #                              vlans {
    #                                  local
    #                              }
    #                              vlans-enabled
    #                          }
    #
    #                2) Receiving a mirrored DHCP stream
    #
    #   References:  RFC 2132 DHCP Options and BOOTP Vendor Extensions
    #                RFC 1533 DHCP Options and BOOTP Vendor Extensions (Obsoleted)
    #                RFC 4702 The Dynamic Host Configuration Protocol (DHCP) Client
    #                         Fully Qualified Domain Name (FQDN) Option

    timing off
    when RULE_INIT {
        set static::MSGTYPE_LIST {"DHCP_DISCOVER" "DHCP_OFFER" "DHCP_REQUEST" "DHCP_DECLINE" "DHCP_ACK" "DHCP_NAK" "DHCP_RELEASE" "DHCP_INFORM" "NO_MATCH\(9\)" "DHCP_LEASE_QUERY" "DHCP_LEASE_UNASSIGNED" "DHCP_LEASE_UNKNOWN" "DHCP_LEASE_ACTIVE"}
        # Rule Name and Version shown in the log
        set static::RULE_NAME "Simple DHCP Parser v0.4"
        set static::RULE_ID   "dhcp_parser"
    }
    when CLIENT_ACCEPTED priority 100 {
        # 0: No Debug Logging 1: Debug Logging
        set DBG 1

        # Using High-Speed Logging in this rule
        set log_prefix   "\[$static::RULE_ID\]([IP::client_addr])"
        set log_prefix_d "$log_prefix\(debug\)"
    }


    when CLIENT_DATA {

        if {$DBG} {log local0.debug "$log_prefix_d  ***** iRule: $static::RULE_NAME executed *****"}
        if {[UDP::payload length] >= 240 } {
            # BOOTP fixed header (RFC 2131 section 2): op, htype, hlen, hops, xid, secs,
            # flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (16), sname (64), file (128),
            # the magic cookie, then the variable-length options field.
            # Note: the first octet is the BOOTP op (1 = BOOTREQUEST, 2 = BOOTREPLY),
            # not the DHCP message type, which is carried in option 53.
            binary scan [UDP::payload] ccccH8SB16a4a4a4a4a16a64a128H8a* msg_type hw_type hw_len hops transaction_id seconds \
                bootp_flags ciaddr yiaddr siaddr giaddr chaddr server_host_name_bin boot_file_bin magic_cookie dhcp_options

            # Client hardware address: the first six octets of chaddr as aa:bb:cc:dd:ee:ff.
            # mac_up is always set on this path, so the "persist uie" below cannot hit
            # "no such variable" for a packet that passes the length check.
            binary scan $chaddr H2H2H2H2H2H2 m(a) m(b) m(c) m(d) m(e) m(f)
            set client_mac "$m(a):$m(b):$m(c):$m(d):$m(e):$m(f)"
            set mac_up [string toupper $client_mac]

            # DHCP options (RFC 2132): code octet, length octet, value. Pad (0) is a
            # single octet with no length, End (255) terminates the field. Code and
            # length are unsigned, so mask the results of the signed "c" scan: an
            # unmasked length above 127 is negative and would step the loop backwards.
            set i 0
            set options_len [string length $dhcp_options]
            while {$i < $options_len} {
                binary scan $dhcp_options @${i}c option_id_signed
                set option_id [expr {$option_id_signed & 0xFF}]
                if {$option_id == 0} {
                    # Pad Option: no length octet, skip a single octet
                    incr i
                    continue
                }
                if {$option_id == 255} {
                    # End Option
                    # The end option marks the end of valid information in the vendor
                    # field.  Subsequent octets should be filled with pad options.
                    break
                }
                # Stop on a truncated option instead of scanning past the payload.
                if {[binary scan $dhcp_options @[expr {$i + 1}]c option_length_signed] != 1} { break }
                set option_length [expr {$option_length_signed & 0xFF}]
                if {$i + 2 + $option_length > $options_len} { break }
                binary scan $dhcp_options @[expr {$i + 2}]a${option_length} value
                switch $option_id {
                    61 {
                        # Client Identifier
                        # This option is used by DHCP clients to specify their unique
                        # identifier.  DHCP servers use this value to index their database of
                        # address bindings.  This value is expected to be unique for all
                        # clients in an administrative domain.
                        #
                        # The first octet is the hardware type; 01 (Ethernet) followed by
                        # six octets is a MAC address, anything else is kept as a hex string.
                        if {$option_length >= 2} {
                            binary scan $value H2@1H* ht option_value($option_id)
                            if {$ht eq "01" && $option_length == 7} {
                                binary scan $value @1H2H2H2H2H2H2 m(a) m(b) m(c) m(d) m(e) m(f)
                                set option_value($option_id) "$m(a):$m(b):$m(c):$m(d):$m(e):$m(f)"
                            }
                            set mac_up [string toupper $option_value($option_id)]
                        }
                    }
                }
                incr i [expr {$option_length + 2}]
            }
        } else {
            log local0.info "$log_prefix Ignored due to length \(less than 240 octets\)"
            drop
            return
        }

        persist uie $mac_up

        if {$DBG} {log local0.debug "$log_prefix_d  ***** iRule: $static::RULE_NAME completed *****"}
    }
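As an added example that is not part of this thread or of the iRule above: a stand-alone Python parser for the same BOOTP/DHCP layout the iRule binary-scans, run against a constructed DHCPDISCOVER (the MAC, xid and host name are made up, not captured). It exercises the option-field edge cases the Tcl loop has to get right: Pad (0) carries no length octet, End (255) terminates the field, a truncated option must stop the walk, and the length octet is unsigned, so a read with Tcl's signed `c` format returns -56 for a length of 200 and a loop stepping by that value goes backwards. It also shows which key ends up in `persist uie`: the option 61 identifier when present, otherwise the chaddr MAC.

```python
import struct
from typing import Dict, Optional

# Constructed values for this example (not taken from a capture).
MAGIC_COOKIE = b"\x63\x82\x53\x63"               # RFC 2131 section 3, DHCP magic cookie
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s4s"    # op .. file + cookie = 240 octets
OPT_PAD, OPT_HOST_NAME, OPT_VENDOR, OPT_MESSAGE_TYPE, OPT_CLIENT_ID, OPT_END = 0, 12, 43, 53, 61, 255


def parse_bootp(payload: bytes) -> dict:
    """Split the fixed 240-octet BOOTP header (RFC 2131) from the options field.
    Mirrors the iRule's 'binary scan ... ccccH8SB16a4a4a4a4a16a64a128H8a*'."""
    if len(payload) < 240:
        raise ValueError("payload shorter than 240 octets, not a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file_, cookie) = struct.unpack(BOOTP_HEADER, payload[:240])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: plain BOOTP or garbage")
    return {
        "op": op,                  # 1 = BOOTREQUEST, 2 = BOOTREPLY (not the DHCP message type)
        "htype": htype, "hlen": hlen, "xid": xid, "flags": flags,
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "client_mac": chaddr[:6].hex(":").upper(),   # what the iRule builds from chaddr
        "options": payload[240:],
    }


def parse_options(field: bytes, signed_length: bool = False) -> Dict[int, bytes]:
    """Walk the option TLVs. Pad has no length octet, End stops the walk, and the
    length octet is unsigned. signed_length=True reproduces the pitfall of reading
    it with a signed 8-bit format (Tcl 'c'), where an octet of 200 comes back as -56."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError(f"option {code} truncated: no length octet")
        length = field[i + 1]
        if signed_length and length > 127:
            length -= 256
        if length < 0:
            raise ValueError(f"option {code}: length {length} after signed read, loop would step backwards")
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: declared {length}, present {len(value)}")
        opts[code] = value         # last occurrence wins; RFC 3396 concatenation not modelled
        i += 2 + length
    return opts


def client_identifier(opts: Dict[int, bytes]) -> Optional[str]:
    """Option 61: hardware type octet then the identifier (RFC 2132 section 9.14).
    Type 1 with six further octets is an Ethernet MAC; anything else is kept as hex."""
    value = opts.get(OPT_CLIENT_ID)
    if value is None or len(value) < 2:
        return None
    if value[0] == 1 and len(value) == 7:
        return value[1:].hex(":").upper()
    return value[1:].hex().upper()


def persistence_key(payload: bytes) -> str:
    """The key the iRule ends up persisting on: option 61 when present, else chaddr."""
    header = parse_bootp(payload)
    return client_identifier(parse_options(header["options"])) or header["client_mac"]


def build_discover(mac: bytes, with_client_id: bool = True, long_option: bool = False) -> bytes:
    """Constructed DHCPDISCOVER for testing; xid and host name are made up."""
    header = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC_COOKIE)
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])                    # DHCPDISCOVER
    if with_client_id:
        opts += bytes([OPT_CLIENT_ID, 7, 1]) + mac            # type 1 + MAC
    opts += bytes([OPT_PAD])                                  # a pad octet mid-field
    opts += bytes([OPT_HOST_NAME, 4]) + b"host"
    if long_option:
        opts += bytes([OPT_VENDOR, 200]) + b"\xaa" * 200      # length octet above 127
    return header + opts + bytes([OPT_END]) + bytes(3)        # End plus trailing pad


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122aabbcc"), long_option=True)
    print(persistence_key(pkt))
    try:
        parse_options(parse_bootp(pkt)["options"], signed_length=True)
    except ValueError as exc:
        print("signed read:", exc)
```

Run it as a script to see the persistence key for the constructed packet and the error the signed read produces on the 200-octet vendor option; feed `parse_options` a real options field from a capture to check what a given client puts in option 61.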