Forum Discussion

sstafford's avatar
sstafford
Icon for Nimbostratus rankNimbostratus
Dec 04, 2014

HSL iRule broken after the move from 11.4 to 11.6

Here's the basic iRule. We're using to record client ip addresses for ldap requests in a snatted environment. Working without issue in 11.4. Failing entirely in 11.6. Any help is immensely appreciate...
application delivery
devops
hsl
iRules
LTM
sstafford's avatar
sstafford
Icon for Nimbostratus rankNimbostratus
Dec 04, 2014

I think we got it. It appears to be somewhat related to the issues in this old SOL; https://support.f5.com/kb/en-us/solutions/public/11000/600/sol11659

 

The firewall logs are recording a large number of denies on traffic between the LTMs and the syslog servers that look like this;

 

Dec 4 14:21:00 152.19.253.108 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 127.1.1.2/5966->172.27.47.21/514 junos-syslog 17(0) DC-UNIVERSAL-DENY(global) F5-Datacenter-DMZ ITS-OS-DMZ-prod UNKNOWN UNKNOWN N/A(N/A) reth0.1641

 

Nothing like this appears in those logs prior to the upgrade to 11.6.

 

So, for whatever reason, the ip address the F5 is using to communicate via HSL changed from the floating ip to 127.1.1.2. Any ideas on how to address that?

 

Related Content