William_Benett1
Sep 08, 2008

iRules in Forwarding Virtual Servers

So I have a specific problem I'm trying to solve. I have a virtual server for UDP port 162. This VIP load balances traffic as expected. The problem is that once the server receives the client packet on port 162, it responds back to it, and then sends a 2nd packet on port 161.

The problem is that the client will only accept that 2nd packet if it matches what it expects, that being the source address matches the one in the VIP. For administrative reasons beyond my control, I have several VIPs listening on UDP port 162, and several virtual interfaces on the servers behind the LTM device.

What I wanted to do was write an iRule that would track incoming connections in a global variable, and then perform SNAT translations on the "out of session" packets from the servers. I'm using a Forwarding virtual server to allow the boxes behind the LTM device to talk to the rest of the world.

So the code below was my attempt at doing so. In my configuration I apply the iRule to both the virtual server handling the initial client packet, as well as the Forwarding virtual server used by the servers to send non-load-balanced traffic to the rest of the world. The sessions are tracked correctly, but there appears to be an issue where the address the BIG-IP translates the packet to is "100.166.76.0", which is not what I intended. F5 support suggested looking at the snmp_session_table variable, as it may be a factor in what is going on. I've been doing some reading today on TCL variables, but as I'm not a real programmer, I don't see what I'm missing. As an odd aside, even if I disable the rule, the LTM device continues to translate packets using the strange address listed above. Reboots make that go away until I re-enable the iRule. The traffic I was working against never died, so that may cause some entry to linger.

I suspect that I'm getting a little too cute, trying to write one iRule to apply to multiple virtual servers. Any assistance would be appreciated.

when RULE_INIT {
    # Table mapping a client address to the VIP address it sent to
    array set snmp_session_table { }
}
when CLIENT_ACCEPTED {
    # Forwarding virtual server: SNAT the server's out-of-session packet
    if {[virtual name] contains "Forward"} {
        if {[UDP::client_port] eq "3000"} {
            snat $snmp_session_table([IP::server_addr])
            # $temp is not set anywhere in this rule
            log "port 3000, called in forward server, $temp $snmp_session_table([IP::server_addr])"
        }
    }
}
when CLIENT_DATA {
    # Load-balanced VIP: record which VIP address the client used
    if {[virtual name] contains "SNMPE"} {
        set snmp_session_table([IP::remote_addr]) [IP::local_addr]
        log "called from load balanced VIP table: $snmp_session_table([IP::remote_addr])"
    }
}
when CLIENT_CLOSED {
    # Remove the client's entry when its port 162 connection closes
    if {[UDP::local_port] eq "162"} {
        set cip [IP::client_addr]
        log "cleared $cip from table, called from [IP::local_addr]"
        unset snmp_session_table($cip)
    }
}
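
The tracking-and-SNAT approach described in the post, written with guarded table lookups, as an added example that is not part of the original post and is not presented as a confirmed fix. It assumes the global array is addressed with the `::` prefix and that the forwarding-side lookup is keyed on the packet's destination (`[IP::local_addr]`); the virtual server name tests are taken from the post, and the port 3000 test is omitted.

```tcl
# Added example, not the poster's rule.
# Assumptions: global array addressed with the :: prefix; virtual server
# names contain "SNMPE" (load-balanced VIP) or "Forward" (forwarding VS).
when RULE_INIT {
    # client address -> VIP address that client last sent to
    array set ::snmp_session_table { }
}
when CLIENT_ACCEPTED {
    if { [virtual name] contains "SNMPE" } {
        # Load-balanced VIP: remember which VIP this client targeted.
        set ::snmp_session_table([IP::client_addr]) [IP::local_addr]
    } elseif { [virtual name] contains "Forward" } {
        # Forwarding virtual server: the "client" here is the server behind
        # the LTM, and the packet's destination is the original SNMP client.
        set dst [IP::local_addr]
        if { [info exists ::snmp_session_table($dst)] } {
            set vip $::snmp_session_table($dst)
            log local0. "SNAT [IP::client_addr] -> $dst as $vip"
            snat $vip
        } else {
            # No tracked session: leave the source address untouched and
            # record the miss instead of translating to an unknown value.
            log local0. "no session for $dst, not translating"
        }
    }
}
when CLIENT_CLOSED {
    if { [virtual name] contains "SNMPE" } {
        set cip [IP::client_addr]
        # Guard the unset so a missing entry cannot raise a Tcl error.
        if { [info exists ::snmp_session_table($cip)] } {
            unset ::snmp_session_table($cip)
            log local0. "cleared $cip from table"
        }
    }
}
```

The "no session" log line shows whether a given out-of-session packet reached the forwarding virtual server before or after its table entry existed.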