Forum Discussion
Cannot capture the source port coming back from node.
I am trying to capture the source port coming back from the node but I only get the pool member port. Any idea how I can capture this so I can snat my traffic?
8 Replies
- hoolio
Cirrostratus
Hi,
What protocol are you working with? Why wouldn't the source port of the node be the pool member port?
Aaron
- Blueluke_85810
Nimbostratus
Using active FTPS. The source port needs to be what is coming from the node because we need to SNAT our traffic based on a range of source ports coming from the node.
- Blueluke_85810
Nimbostratus
If you are from CA and like Indian food then you are probably already familiar with this.
- nitass
Employee
does TCP::remote_port in CLIENT_ACCEPTED of wildcard virtual server on server VLAN not work?
FTPS Offload via iRules by Colin
https://devcentral.f5.com/tutorials/tech-tips/ftps-offload-via-irules
- Blueluke_85810
Nimbostratus
No. I also asked an engineer last week while in Seattle and he indicated that the CLIENT_ACCEPTED was for client side connections and would not work in firing on the server side events for what we were trying to do.
- nitass
Employee
i thought you are asking about passthrough active mode ftps load balancing, aren't you?
- Blueluke_85810
Nimbostratus
This is the irule being applied at the any vip.
    when CLIENT_ACCEPTED {
        # Log the addresses and ports seen when this virtual server accepts a connection
        log local0.debug "Client_accepted triggered"
        log local0.debug "remote addy is [IP::remote_addr] remote port is [TCP::remote_port] local addy is [IP::local_addr] port is [TCP::local_port]"
        # SNAT to 10.118.48.100 port 989 only when the remote port is in 6500-6549
        if { [TCP::remote_port] >= 6500 and [TCP::remote_port] <= 6549 } {
            log local0.emerg "Matched port range - Remote port was: [TCP::remote_port] "
            snat 10.118.48.100 989
        }
    }

This never seems to fire as far as I can see. If I use something like SERVER_CONNECTED I do see the event firing but it only returns the port of the pool member and not the actual node port. You can see our problem.
- Mohamed_Lrhazi
Altocumulus
when CLIENT_ACCEPTED {
log local0.debug "Client_accepted triggered"
That log line, once uncommented, should and must work. You need to understand why it does not, first.