Forum Discussion

natti
Jun 22, 2014

How to log failed connections along with SNAT information?

Hi,

What I would like to accomplish is to log to a central syslog server when the F5 (set up as a load balancer) is unable to connect to any of the real servers. And preferably, log SNAT information with it.

So far I've been able to send the logs to a central syslog server (SOL13080), and based on a question I found here I've been able to log the SNAT information for all successful connections. (I used this solution: https://devcentral.f5.com/questions/how-to-monitor-internal-ip-translate-to-which-ip-snat-in-pool)

The problem is, if for some reason the server doesn't respond to this one query, the event "SERVER_CONNECTED" obviously never happens, so I don't get any logs for that particular connection attempt. Now, I've tried to play around and change the event to CLIENT_ACCEPTED or CLIENT_CLOSED, but in these cases the "ss [client|server]" syslog lines only contain the client and F5 addresses, but not the post-NAT and real-server addresses.

So is there any way to log SNAT (destination real-server IP & port, and the F5 source IP address (NATted) and port) for failed connections? (And on that note, is there any good guideline on how to spot/log these failed connections?)

Thanks ...

(I'm very new to F5, so although I was unable to find my answer I might be looking for the wrong keywords, so apologies if this question has an obvious answer somewhere else...)

 

4 Replies

  • have you tried LB_FAILED?

    e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 41
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when LB_FAILED {
            log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [IP::local_addr]:[TCP::local_port] \
                ss src [serverside {IP::local_addr}]:[serverside {TCP::local_port}] dst [IP::server_addr]:[TCP::server_port]"
        }
        when SERVER_CONNECTED {
            log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [clientside {IP::local_addr}]:[clientside {TCP::local_port}] \
                ss src [IP::local_addr]:[TCP::local_port] dst [IP::server_addr]:[TCP::server_port]"
        }
    }
    
     trace
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:33:30.234595 IP 172.28.24.1.46920 > 172.28.24.10.80: S 2765154856:2765154856(0) win 5840  in slot1/tmm0 lis=
    18:33:30.234675 IP 172.28.24.10.80 > 172.28.24.1.46920: S 420746216:420746216(0) ack 2765154857 win 4380  out slot1/tmm0 lis=/Common/bar
    18:33:30.236318 IP 172.28.24.1.46920 > 172.28.24.10.80: . ack 1 win 5840  in slot1/tmm0 lis=/Common/bar
    18:33:30.237491 IP 172.28.24.1.46920 > 172.28.24.10.80: P 1:156(155) ack 1 win 5840  in slot1/tmm0 lis=/Common/bar
    18:33:30.237555 IP 200.200.200.14.46920 > 200.200.200.101.80: S 4231709820:4231709820(0) win 4380  out slot1/tmm0 lis=/Common/bar
    18:33:30.237568 IP 172.28.24.10.80 > 172.28.24.1.46920: . ack 156 win 4535  out slot1/tmm0 lis=/Common/bar
    18:33:30.261632 IP 200.200.200.101.80 > 200.200.200.14.46920: R 0:0(0) ack 4231709821 win 0 in slot1/tmm0 lis=/Common/bar
    18:33:30.261805 IP 172.28.24.10.80 > 172.28.24.1.46920: R 1:1(0) ack 156 win 4535 out slot1/tmm0 lis=/Common/bar
    
     /var/log/ltm
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    Jun 22 18:33:30 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.1:46920 dst 172.28.24.10:80  ss src 200.200.200.14:46920 dst 200.200.200.101:80
    
    • natti
      Yup! Thanks, just what I needed, works perfectly :)
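A variant of the rule above, added here as an example and not part of the thread: it logs the same cs/ss fields on LB_FAILED and SERVER_CONNECTED, but tags each line with the event name (the two lines in the original rule are otherwise indistinguishable on the syslog server) and ships them with High-Speed Logging straight to the remote collector instead of via local0 and /var/log/ltm. The pool name `syslog_pool` is assumed; `LB::server`, `virtual name` and the `HSL::` commands are standard iRule commands.

```tcl
# Added example (not from the thread). Assumes an LTM pool named "syslog_pool"
# whose members are the central syslog receivers (UDP/514).
when CLIENT_ACCEPTED {
    # One HSL handle per client connection, sent over UDP to the syslog pool.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
    # Client-side tuple is known here already: client -> virtual server.
    set cs "cs src [IP::client_addr]:[TCP::client_port] dst [IP::local_addr]:[TCP::local_port]"
}

when LB_FAILED {
    # Fires when the chosen pool member does not answer (RST, timeout) or when
    # no member could be selected at all. LB::server reports the member that
    # was picked; guard the case where nothing was selected (assumption: it
    # then returns an empty string).
    if { [LB::server addr] eq "" } {
        set member "no-member-selected"
    } else {
        set member "[LB::server addr]:[LB::server port]"
    }
    # Server-side source is the SNAT (automap) address and port.
    set ss "ss src [serverside {IP::local_addr}]:[serverside {TCP::local_port}] dst $member"
    # <134> is the syslog PRI for facility local0, severity info.
    HSL::send $hsl "<134>LB_FAILED vs=[virtual name] $cs $ss\n"
}

when SERVER_CONNECTED {
    # Successful connect: log the same tuple so the two outcomes can be joined
    # on the client tuple at the syslog server.
    set ss "ss src [IP::local_addr]:[TCP::local_port] dst [IP::server_addr]:[TCP::server_port]"
    HSL::send $hsl "<134>SERVER_CONNECTED vs=[virtual name] $cs $ss\n"
}
```

On the collector, a count of LB_FAILED lines per virtual server and per pool member is the quickest way to spot a backend that is refusing connections, which the plain local0 output in the thread does not let you filter for.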