Forum Discussion
BIGIP unable to send tcp/udp packets to syslog servers
Hi CA_Valli, Thank you so much for taking time to respond.
I have changed the virtual server type to use fastL4, attached is the screenshot of configuration.
From my bastion host, I am able to reach bigIP on the VIP address (10.0.10.101) on port 5514 as expected.
[ec2-user@ip-10-0-10-251 ~]$ nc -v -i 1 -w 1 10.0.10.101 5514
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.10.101:5514.
Ncat: Idle timeout expired (1000 ms).
Similarly, from my BIGIP box, I am able to reach the backend on port 5514 (syslog server port).
[admin@failover01:Active:In Sync] ~ # nc -v -i 1 -w 1 10.0.12.112 5514
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.0.12.112:5514.
Ncat: Idle timeout expired (1000 ms).
[admin@failover01:Active:In Sync] ~ # nc -v -i 1 -w 1 10.0.22.74 5514
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.0.22.74:5514.
Ncat: Idle timeout expired (1000 ms).
The client information shows port translation works as expected now.
[admin@failover01:Active:In Sync] ~ # tmsh show /sys connection cs-client-addr 10.0.10.251
Sys::Connections
10.0.10.251:60134 10.0.10.101:5514 10.0.10.11:60134 10.0.12.112:5514 tcp 0 (tmm: 1) none none
Total records returned: 1
However, when I use the logger command to generate a log message manually from the bastion host (ip-10-0-10-251), targeting the VIP configured on bigip: 10.0.10.101
[ec2-user@ip-10-0-10-251 ~]$ while date "+INFO Syslog check for F5 BIGIP on HA mode %T" | logger -s -n 10.0.10.101 -P 5514; do sleep 1; done
<13>1 2022-12-20T12:03:27.277895+00:00 ip-10-0-10-251.ap-south-1.compute.internal ec2-user - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="6480"] INFO Syslog check for F5 BIGIP on HA mode 12:03:27
<13>1 2022-12-20T12:03:28.283155+00:00 ip-10-0-10-251.ap-south-1.compute.internal ec2-user - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="6980"] INFO Syslog check for F5 BIGIP on HA mode 12:03:28
<13>1 2022-12-20T12:03:29.286621+00:00 ip-10-0-10-251.ap-south-1.compute.internal ec2-user - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="7480"] INFO Syslog check for F5 BIGIP on HA mode 12:03:29
Capturing tcpdump on the BIG IP box doesn't show any packets reaching bigip.
#TCPDUMP command to check for traffic from the client to the VIP and from VIP to the backend pool members
[admin@failover01:Active:In Sync] ~ # tcpdump -nni 0.0:nnnp -s 0 host 10.0.10.101 and host 10.0.22.74
and
[admin@failover01:Active:In Sync] ~ # tmsh show /sys connection cs-client-addr 10.0.10.251
Sys::Connections
Total records returned: 0
Is any specific configuration missing that could cause this?
I want my syslogs to be sent to remote-server which in turn will be sent to kibana dashboard.
[admin@failover01:Active:In Sync] ~ # tmsh list sys syslog
sys syslog {
    remote-servers {
        remotesyslog1 {
            host 10.0.12.112
            remote-port 5514
        }
        remotesyslog2 {
            host 10.0.22.74
            remote-port 5514
        }
    }
}
CA_Valli - I got it working after changing the security group to use UDP instead of TCP. However, our agents can take incoming requests on port 5514 on UDP as well as TCP. I highly appreciate your inputs, I will take it from here and figure it out. Thanks again. 🙂
- CA_Valli, Dec 21, 2022, MVP
I think you should be able to run the same configuration with "All protocols" and match both TCP+UDP traffic
- prajith_nsg, Dec 21, 2022, Nimbostratus
Thank you CA_Valli, yes that works too. I have tested that my requests are landing on nsg-agent and syslogs are populated in kibana as expected. I appreciate your valuable inputs.
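The transport mismatch this thread ran into, as an added example that is not part of the original posts: the `nc` checks above were TCP connections, while a UDP send returns success even when nothing receives the datagram, so delivery has to be confirmed on the receiving side for each protocol. The function names, the loopback listeners standing in for a pool member, and the message text are all constructed for illustration.

```python
import socket
from datetime import datetime, timezone

def rfc5424(msg, host="probe-host", app="probe", pri=13):
    """Build an RFC 5424 line shaped like the logger output above (<13> = user.notice)."""
    ts = datetime.now(timezone.utc).isoformat(timespec="microseconds")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}".encode()

def send_udp(addr, payload):
    """Fire-and-forget: returns normally even if a filter drops the datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, addr)
    return True

def send_tcp(addr, payload, timeout=2.0):
    """TCP gives feedback: a blocked or closed port fails at connect time."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(payload + b"\n")  # newline-delimited framing
        return True
    except OSError:
        return False

def listen_both(host="127.0.0.1", port=0):
    """Open one UDP and one TCP listener (constructed stand-ins for a syslog receiver)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, port))
    tcp.listen(1)
    return udp, tcp

def received(udp, tcp, timeout=2.0):
    """Report what actually arrived on each transport (None means nothing did)."""
    out = {"udp": None, "tcp": None}
    udp.settimeout(timeout)
    tcp.settimeout(timeout)
    try:
        out["udp"] = udp.recvfrom(65535)[0]
    except socket.timeout:
        pass
    try:
        conn, _ = tcp.accept()
        with conn:
            conn.settimeout(timeout)
            out["tcp"] = conn.recv(65535).rstrip(b"\n")
    except socket.timeout:
        pass
    return out
```

Running `listen_both` and `received` on the receiving host while sending from the client shows which transport is actually allowed end to end, which a TCP-only `nc` check cannot.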