
Forum Discussion

natti
Jun 22, 2014

How to log failed connections along with SNAT information?

Hi,

What I would like to accomplish is to log to a central syslog server when the F5 (set up as a load balancer) is unable to connect to any of the real servers, and preferably log the SNAT information with it.

So far I've been able to send the logs to a central syslog server (SOL13080), and based on a question I found here I've been able to log the SNAT information for all successful connections (used this solution here: https://devcentral.f5.com/questions/how-to-monitor-internal-ip-translate-to-which-ip-snat-in-pool).

The problem is, if for some reason the server doesn't respond to this one query, the event "SERVER_CONNECTED" obviously never happens, so I don't get any logs for that particular connection attempt. Now, I've tried to play around and change the event to client_accepted or client_closed, but in these cases the "ss [client|server]" syslog lines only contain the client and F5 addresses, but not the post-NAT and real-server addresses.

So is there any way to log SNAT information (destination real-server IP & port, and the F5's natted source IP address and port) for failed connections? (And on that note, is there any good guideline on how to spot/log these failed connections?)

Thanks ...

(I'm very new to F5, so although I was unable to find my answer I might be looking for the wrong keywords, so apologies if this question has an obvious answer somewhere else...)

4 Replies

  • have you tried LB_FAILED?

    e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 41
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when LB_FAILED {
            log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [IP::local_addr]:[TCP::local_port] \
                ss src [serverside {IP::local_addr}]:[serverside {TCP::local_port}] dst [IP::server_addr]:[TCP::server_port]"
        }
        when SERVER_CONNECTED {
            log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [clientside {IP::local_addr}]:[clientside {TCP::local_port}] \
                ss src [IP::local_addr]:[TCP::local_port] dst [IP::server_addr]:[TCP::server_port]"
        }
    }
    
     trace
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:33:30.234595 IP 172.28.24.1.46920 > 172.28.24.10.80: S 2765154856:2765154856(0) win 5840  in slot1/tmm0 lis=
    18:33:30.234675 IP 172.28.24.10.80 > 172.28.24.1.46920: S 420746216:420746216(0) ack 2765154857 win 4380  out slot1/tmm0 lis=/Common/bar
    18:33:30.236318 IP 172.28.24.1.46920 > 172.28.24.10.80: . ack 1 win 5840  in slot1/tmm0 lis=/Common/bar
    18:33:30.237491 IP 172.28.24.1.46920 > 172.28.24.10.80: P 1:156(155) ack 1 win 5840  in slot1/tmm0 lis=/Common/bar
    18:33:30.237555 IP 200.200.200.14.46920 > 200.200.200.101.80: S 4231709820:4231709820(0) win 4380  out slot1/tmm0 lis=/Common/bar
    18:33:30.237568 IP 172.28.24.10.80 > 172.28.24.1.46920: . ack 156 win 4535  out slot1/tmm0 lis=/Common/bar
    18:33:30.261632 IP 200.200.200.101.80 > 200.200.200.14.46920: R 0:0(0) ack 4231709821 win 0 in slot1/tmm0 lis=/Common/bar
    18:33:30.261805 IP 172.28.24.10.80 > 172.28.24.1.46920: R 1:1(0) ack 156 win 4535 out slot1/tmm0 lis=/Common/bar
    
     /var/log/ltm
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    Jun 22 18:33:30 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.1:46920 dst 172.28.24.10:80  ss src 200.200.200.14:46920 dst 200.200.200.101:80
    
    • natti
      Yup! Thanks, just what I needed, works perfectly :)
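The rule in the answer above writes both events in the same format, so whoever consumes the central syslog feed cannot tell a failed attempt from a successful one by the line alone. The following Python is an added example for this thread, not F5 code and not part of the answer. It assumes the two log statements are changed so that each message begins with the literal event name (LB_FAILED or SERVER_CONNECTED); under that assumption it parses lines of the format shown in /var/log/ltm, lists the LB_FAILED attempts with the SNAT tuple the backend would have seen, counts failures per pool member, and maps a (post-SNAT source, member) pair seen on the server side back to the original client. The log lines embedded in it are constructed, not captured from a device.

```python
"""Consume BIG-IP /var/log/ltm lines written by the LB_FAILED /
SERVER_CONNECTED iRule from this thread and report failed backend
connection attempts together with their SNAT tuple."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not captured from a real device). They use the
# format the posted rule produces, with one assumed change to the rule: each
# log message starts with the literal event name ("LB_FAILED" or
# "SERVER_CONNECTED") so the two events can be told apart downstream.
SAMPLE_LOG = """\
Jun 22 18:33:30 ve11a info tmm[9801]: Rule /Common/qux : SERVER_CONNECTED cs src 172.28.24.1:46920 dst 172.28.24.10:80  ss src 200.200.200.14:46920 dst 200.200.200.101:80
Jun 22 18:33:31 ve11a info tmm[9801]: Rule /Common/qux : LB_FAILED cs src 172.28.24.1:46921 dst 172.28.24.10:80  ss src 200.200.200.14:46921 dst 200.200.200.101:80
Jun 22 18:33:31 ve11a info tmm[9801]: Rule /Common/qux : LB_FAILED cs src 172.28.24.1:46922 dst 172.28.24.10:80  ss src 200.200.200.14:46922 dst 200.200.200.102:80
Jun 22 18:33:32 ve11a info tmm[9801]: Rule /Common/qux : SERVER_CONNECTED cs src 172.28.24.2:51000 dst 172.28.24.10:80  ss src 200.200.200.14:51000 dst 200.200.200.101:80
Jun 22 18:33:32 ve11a info tmm[9801]: Rule /Common/qux : LB_FAILED cs src 172.28.24.3:40000 dst 172.28.24.10:80  ss src 200.200.200.14:40000 dst 200.200.200.102:80
Jun 22 18:33:33 ve11a info tmm[9801]: some other tmm message the parser must ignore
"""

# syslog header, "Rule <name> :", the assumed event tag, then the cs/ss tuples
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S+\s+"
    r"tmm\d*\[\d+\]:\s+Rule\s+(?P<rule>\S+)\s*:\s+"
    r"(?P<event>LB_FAILED|SERVER_CONNECTED)\s+"
    r"cs src (?P<client>\S+) dst (?P<vs>\S+)\s+"
    r"ss src (?P<snat>\S+) dst (?P<member>\S+)\s*$"
)


@dataclass(frozen=True)
class ConnEvent:
    ts: str
    event: str
    client: str   # original client ip:port (clientside)
    vs: str       # virtual server ip:port the client hit
    snat: str     # post-SNAT source ip:port the backend sees
    member: str   # pool member ip:port that was attempted


def parse_line(line: str) -> Optional[ConnEvent]:
    """Return a ConnEvent for a line written by the rule, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return ConnEvent(m["ts"], m["event"], m["client"], m["vs"], m["snat"], m["member"])


def parse_log(text: str) -> List[ConnEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def failed_connections(events: List[ConnEvent]) -> List[ConnEvent]:
    """LB_FAILED events: attempts the BIG-IP could not complete to a member.
    The snat/member pair is what to search for in the member's own logs or on
    any firewall sitting between the BIG-IP and the member."""
    return [ev for ev in events if ev.event == "LB_FAILED"]


def failures_per_member(events: List[ConnEvent]) -> Counter:
    return Counter(ev.member for ev in failed_connections(events))


def suspect_members(events: List[ConnEvent], threshold: int = 2) -> List[str]:
    """Members with at least `threshold` failed attempts in the window: a coarse
    way to spot a server refusing connections while it is still in the pool."""
    return sorted(m for m, n in failures_per_member(events).items() if n >= threshold)


def client_for_snat(events: List[ConnEvent], snat: str, member: str) -> Optional[str]:
    """Map a (post-SNAT source, member) tuple seen on the backend side back to
    the original client. The tuple is only unique while that connection lives,
    so in real use also narrow by timestamp."""
    for ev in events:
        if ev.snat == snat and ev.member == member:
            return ev.client
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in failed_connections(evs):
        print(f"{ev.ts} FAILED client={ev.client} snat={ev.snat} -> member={ev.member}")
    print("failures per member:", dict(failures_per_member(evs)))
    print("suspect members:", suspect_members(evs))
```

In the trace posted above the failure is a RST from the member in reply to the SNATed SYN, and the LB_FAILED line carries the same ss tuple a SERVER_CONNECTED line would have, so the SNAT source port is available for correlation on the server side even though the connection never completed. A per-member count of LB_FAILED lines over a short window is a cheap alarm for a member that is resetting connections before the health monitor catches up.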