Forum Discussion
Sven_89244
Nimbostratus
Jan 13, 2009
Assistance needed for SNATing plus other iRules
I've got a task to do some SNAT and some other traffic modification.
Connections with destination port 6200, 6201, 6202 should have a timeout of 6 hours.
Connections from certain IPs (x.y.234.167 and .170) with destination port 1100 (OpenFT) should be SNATed to a.b.20.d.
Now I've created the following rules:
x1
when CLIENT_ACCEPTED {
    # TCP::client_port is the port on the client side of the connection;
    # the "-" bodies make 6200, 6201 and 6202 fall through to one branch
    switch [TCP::client_port] {
        6200 -
        6201 -
        6202 {
            # 6 hours
            IP::idle_timeout 21600
        }
        default {
            # 1 hour for everything else
            IP::idle_timeout 3600
        }
    }
}
x2
when CLIENT_ACCEPTED {
    # check if client_addr is any host in the class
    if { [matchclass [IP::client_addr] equals $::InternalHosts] } {
        # check if the class contains the server port requested
        if { [matchclass [TCP::local_port] equals $::openft_port] } {
            # SNAT using this source address
            snat a.b.20.d
        } else {
            # don't do any source address translation
            forward
        }
    }
}
where
class InternalHosts {
    host x.y.234.167
    host x.y.234.170
}
class openft_port {
    1100
}
and applied them to a VS in this order:
virtual Routing_Back {
    lasthop pool GW
    pool GW
    destination any:any
    mask none
    vlans internal enable
    rules x1 x2
    profiles int_fastL4
}
The effect was that new connections couldn't be established.
What mistake have I made?
Any help would be greatly appreciated.
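The two requirements from the post (6-hour idle timeout on the three ports, SNAT only for the listed hosts on the OpenFT port) written as one iRule, as an added example rather than the poster's or hoolio's code. It assumes the timeout requirement refers to the destination port the client connected to, which in CLIENT_ACCEPTED is TCP::local_port (TCP::client_port is the client's source port), reuses the InternalHosts and openft_port classes from the post, and uses snat none for the untranslated case.

```tcl
when CLIENT_ACCEPTED {
    # Destination port of the connection as seen on the virtual server
    # (assumption: this is the "destination port" the requirement means)
    set dport [TCP::local_port]

    # Long-lived services get a 6-hour idle timeout, everything else 1 hour
    switch $dport {
        6200 -
        6201 -
        6202 {
            IP::idle_timeout 21600
        }
        default {
            IP::idle_timeout 3600
        }
    }

    # Translate the source address only for the listed internal hosts
    # and only when they are talking to the OpenFT port (class from the post)
    if { [matchclass [IP::client_addr] equals $::InternalHosts] and
         [matchclass $dport equals $::openft_port] } {
        snat a.b.20.d
    } else {
        # explicitly leave the source address untranslated
        snat none
    }
}
```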
hoolio
Cirrostratus
When you say the connection couldn't be established, what do you see in a tcpdump? Is the connection from the client to the VIP address established? Do you see any server-side packets sent? Is there a RST from the VIP address back to the client and/or a RST sent from the LTM address to the destination? Or does it time out with no response?