Forum Discussion

Egbert_Bryant_1
Oct 10, 2007

irule decision process

I have the following iRule that looks at matchclass "Ports" and sends that traffic to the default gateway member 69.74.121.60 and all other traffic to default gateway member 64.94.182.254. However, it seems that the iRule is not functioning correctly: when I attempt an SSH/Port 22 connection outbound, it sends the traffic to gateway member 69.74.121.60 and not member 64.94.182.254. Please look at the syntax and let me know how to improve it.


when CLIENT_ACCEPTED {
  if { [matchclass [IP::client_addr] equals $::nonat_host] } {
    # no-NAT hosts always use the 64.94.182.254 gateway
    snat none
    pool default_gateway_pool member 64.94.182.254
  } else {
    if { [matchclass [TCP::local_port] equals $::ports] } {
      # listed ports prefer 69.74.121.60 when that pool member is up
      if { [LB::status pool default_gateway_pool member 69.74.121.60 0] equals "up" } {
        pool default_gateway_pool member 69.74.121.60
      } else {
        pool default_gateway_pool member 64.94.182.254
      }
    }
  }
}

class ports {
   25
   80
   443
   554
   1080
   1755
   1863
   3101
   5050
   5190
}

  • Deb_Allen_18
    Historic F5 Account
    I'd recommend adding some logging to the rule to see what conditions are when the decision points are reached.
    I suspect that the wildcard pool members are not reflecting an "up" status.
    For that to happen, you'd need to be monitoring the gateway pool members on port 0 with a custom monitor that checks at least to the node on a specific port, or better yet transparent through the pool member to a remote service to validate its ability to act as a gateway.
    If you just want to check the gateway address only with an icmp monitor against the local address, you could consider using "LB::status node" instead of checking the status of the pool member on a specific port. (See the LB::status command documentation for more.)
    HTH
    /deb
  • It stops processing after the first else statement; "Rule tcp_fw_rule_class_rlip CLIENT_ACCEPTED: 1st else statement" is the message the logging generated. All of the suggestions in your third paragraph are in effect. I will try changing the LB::status to node. Hopefully this helps; do you have any other suggestions that may help me out?
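Deb's suggestions combined into one rule, as an added example rather than code from either poster: a log line at each decision point, the node-level LB::status check in place of the pool-member check on port 0, and an explicit branch for ports outside the class. That last branch is what the posted rule lacks: for a port that is not in the class it executes no pool command at all, so the connection falls through to the virtual server's default pool and its normal load balancing. The gateway addresses and data-group names are the question's own; the variable names and log text are assumptions.

```tcl
# Added example (not code from either poster). Assumes a wildcard forwarding
# virtual server whose default pool is default_gateway_pool, and the data
# groups nonat_host and ports from the question.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set port   [TCP::local_port]

    if { [matchclass $client equals $::nonat_host] } {
        # Hosts that must not be translated always use the 64.94.182.254 gateway.
        log local0. "$client:$port nonat host -> 64.94.182.254 (no SNAT)"
        snat none
        pool default_gateway_pool member 64.94.182.254
    } elseif { [matchclass $port equals $::ports] } {
        # Listed ports prefer 69.74.121.60 when that gateway node is up.
        # LB::status node reports the node's monitor state rather than the
        # state of the pool member on a specific port, so an ICMP node
        # monitor is enough for this check (Deb's note above).
        set gw_status [LB::status node 69.74.121.60]
        log local0. "$client:$port in ports class, node 69.74.121.60 status=$gw_status"
        if { $gw_status equals "up" } {
            pool default_gateway_pool member 69.74.121.60
        } else {
            pool default_gateway_pool member 64.94.182.254
        }
    } else {
        # Explicit branch for every other port (port 22 included). Without it
        # no pool command runs and the connection is load balanced across the
        # virtual server's default pool, so it can land on either gateway.
        log local0. "$client:$port not in ports class -> 64.94.182.254"
        pool default_gateway_pool member 64.94.182.254
    }
}
```

Logging every connection on a forwarding virtual server is noisy, so keep the log lines only while troubleshooting. LB::status node returns the node's monitor state, which means the 69.74.121.60 node needs a monitor attached for the check to ever return "up"; an ICMP monitor shows that the address answers, while the transparent monitor Deb describes is the better test of whether the device can actually forward traffic.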