For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sven_89244's avatar
Sven_89244
Icon for Nimbostratus rankNimbostratus
Jan 13, 2009

Assistance needed for SNATing plus other irules

I've got a task to do some snat and some other traffic modification.     connections with destination-port 6200,6201,6202 should have a timeout of 6 hours.   connections with certain i...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 13, 2009
When you say the connection couldn't be established, what do you see in a tcpdump? Is the connection from the client to the VIP address established? Do you see any serverside packets sent? Is there a RST from the VIP address back to the client and/or a RST sent from the LTM address to the destination? Or does it time out with no response?

 

 

If you're using a fastL4 profile, you'll need to run tcpdump on the port number to see all packets (tcpdump -ni 1.1 host CLIENT_IP or host DESTINATION_IP).

 

 

Also, I think you mean to use TCP::local_port instead of TCP::client_port in the first iRule as I assume you want to check the port the client made the request to--not from.

 

 

Can you add logging to each case in the iRules and post anonymized copies of the debug from /var/log/ltm for the failure?

 

 

Aaron