I am trying to capture the source port coming back from the node but I only get the pool member port. Any idea how I can capture this so I can snat my traffic?

Hi, What protocol are you working with? Why wouldn't the source port of the node be the pool member port? Aaron

Using active FTPS. The source port needs to be what is coming from the node because we need to SNAT our traffic based on a range of source ports coming from the node.

If you are from CA and like Indian food then you are probably already familiar with this.

does TCP::remote_port in CLIENT_ACCEPTED of wildcard virtual server on server VLAN not work? FTPS Offload via iRules by Colin https://devcentral.f5.com/tutorials/tech-tips/ftps-offload-via-irules

No. I also asked an engineer last week while in Seattle and he indicated that the CLIENT_ACCEPTED was for client side connections and would not work in firing on the server side events for what we were trying to do.

Cannot capture the source port coming back from node.

8 Replies

hoolio
Cirrostratus
Oct 29, 2012
Hi,

What protocol are you working with? Why wouldn't the source port of the node be the pool member port?

Aaron
Blueluke_85810
Nimbostratus
Oct 30, 2012
Using active FTPS. The source port needs to be what is coming from the node because we need to SNAT our traffic based on a range of source ports coming from the node.
Blueluke_85810
Nimbostratus
Oct 30, 2012
If you are from CA and like Indian food then you are probably already familiar with this.
nitass
Employee
Oct 30, 2012
does TCP::remote_port in CLIENT_ACCEPTED of wildcard virtual server on server VLAN not work?

FTPS Offload via iRules by Colin

https://devcentral.f5.com/tutorials/tech-tips/ftps-offload-via-irules
Blueluke_85810
Nimbostratus
Oct 30, 2012
No. I also asked an engineer last week while in Seattle and he indicated that the CLIENT_ACCEPTED was for client side connections and would not work in firing on the server side events for what we were trying to do.
nitass
Employee
Oct 30, 2012
i thought you are asking about passthrough active mode ftps load balancing, aren't you?
Blueluke_85810
Nimbostratus
Oct 30, 2012
This is the irule being applied at the any vip.

when CLIENT_ACCEPTED {

log local0.debug "Client_accepted triggered"

log local0.debug "remote addy is [IP::remote_addr] remote port is [TCP::remote_port] local addy is [IP::local_addr] port is [TCP::local_port]"

if { [TCP::remote_port] >= 6500 and [TCP::remote_port] <= 6549} {

log local0.emerg "Matched port range - Remote port was: [TCP::remote_port] "

snat 10.118.48.100 989

}

}

This never seems to fire as far as I can see. If I use something like SERVER_CONNECTED I do see the event firing but it only returns the port of the pool member and not the actual node port. You can see our problem.
Mohamed_Lrhazi
Altocumulus
Oct 30, 2012
when CLIENT_ACCEPTED {

log local0.debug "Client_accepted triggered"

That log line, once uncommenetd, should and must work. You need to understand why it does not, first.