Forum Discussion
Faintly_Lucky (Nimbostratus), Mar 17, 2011
iRule not triggered on target VIP after using the virtual iRule command to direct traffic to it
My company has a pair of 1600s (9.4.8 HF4) that accept and load balance all of the syslog traffic generated by our devices to several syslog pools.
Recently, we had a requirement come down to pass access-control messages from the TACACS servers for a certain subset of devices to a different, dedicated pool.
So, I wrote up a rule on the main syslog VIP that switched on the addresses of the TACACS servers and pushed them to a secondary VIP that I created specifically to handle the traffic.
I wrote another rule that matched the addresses of the pertinent devices in the UDP payload and selected the proper pool for them and applied it to the secondary VIP, then implemented the rule on the main VIP.
The rule on the main VIP acted like it should:
Mar 16 13:48:53 tmm tmm[1706]: Rule syslog-pool-select-v4 : Sending traffic to other virtual as expected
Mar 16 13:48:53 tmm tmm[1706]: Rule syslog-pool-select-v4 : Sending traffic to other virtual as expected
Mar 16 13:48:54 tmm tmm[1706]: Rule syslog-pool-select-v4 : Sending traffic to other virtual as expected
Mar 16 13:49:13 tmm tmm[1706]: Rule syslog-pool-select-v4 : Sending traffic to other virtual as expected
The secondary VIP rule never logged anything and when I checked the statistics, they were zeroed like the rule wasn't being triggered even though I confirmed that it was applied to the secondary VIP.
Any ideas?
Thanks in advance,
Lucky
Main Syslog VIP
rule syslog-pool-select-v4 {
    when CLIENT_ACCEPTED {
        set addr [IP::client_addr]
        # TACACS servers (addresses redacted) are handed to the dedicated virtual
        switch $addr {
            xxx.xxx.xxx.xxx -
            xxx.xxx.xxx.xxx {
                virtual seim-syslog-tacacs
                log local0.info "Sending traffic to other virtual as expected"
            }
        }
        # Channel selection by source address prefix
        if { [matchclass $addr starts_with $::syslog_chan1_string] } {
            pool syslog_pool_Channel_1
        } elseif { [matchclass $addr starts_with $::syslog_chan2_string] } {
            pool syslog_pool_Channel_2
        } else {
            pool syslog_pool_Channel_0
        }
    }
}
Secondary Syslog VIP
rule syslog-tacacs-pool-select {
    when CLIENT_DATA {
        # Device address from the syslog payload: the field after "Address", up to the comma
        set addr [findstr [UDP::payload] Address 8 ,]
        if { [matchclass $addr equals $::XXXXX_subnets_network] } {
            pool syslog_pool_XXXXXX
            log local0.info "I selected the XXXXX pool, YAY!.....addr $addr"
        } else {
            pool syslog_pool_Channel_1
            log local0.info "selected syslog channel 1"
        }
    }
}
- Faintly_Lucky (Nimbostratus): I'd really appreciate it if someone could give me some ideas on this or explain what's happening.
- hooleylist (Cirrostratus): Hi Lucky,
- Faintly_Lucky (Nimbostratus): Sure can, but all that typing gets to you eventually. I started using aliased commands and functions a long time ago :)
- hooleylist (Cirrostratus): I don't see anything obviously wrong with the iRule. I haven't tested the virtual command with UDP before though. Can you try a simplified test with an iRule that just calls the second virtual server for all connections and see if that works to start with?
- spark_86682 (Historic F5 Account): The problem is in your syslog-pool-select-v4 iRule. Although your switch statement will set the destination to the virtual, your else statement at the bottom will send it to the syslog_pool_Channel_0 pool instead, essentially overriding the earlier "virtual" statement. In your case, you need to make sure that you don't call a "pool" command if you've already called "virtual". There are a couple ways of doing that; the easiest might be to do a "return" after calling your log statement.
- hooleylist (Cirrostratus): Hi Spark,
- Faintly_Lucky (Nimbostratus): Spark/Aaron:
[root@:Active] config br syslog-pool-select-v5 syslog-tacacs-pool-select-v2 list
rule syslog-pool-select-v5 {
    when CLIENT_ACCEPTED {
        set addr [IP::client_addr]
        switch $addr {
            xxx.xxx.xxx.xxx -
            xxx.xxx.xxx.xxx {
                virtual seim-syslog-tacacs
            }
        }
        if { [matchclass $addr starts_with $::syslog_chan1_string] } {
            pool syslog_pool_Channel_1
        } elseif { [matchclass $addr starts_with $::syslog_chan2_string] } {
            pool syslog_pool_Channel_2
        }
    }
}
rule syslog-tacacs-pool-select-v2 {
    when CLIENT_DATA {
        set paddr [findstr [UDP::payload] Address 8 ,]
        log local0.info "address $paddr"
        if { [matchclass $paddr starts_with $::xxxxxsubnetstring] } {
            set ::xxxxx 1
            log local0.info "I matched the xxxxx pool, YAY!.....addr $paddr"
        } else {
            set ::xxxxx 0
            log local0.info "selected syslog channel 1"
        }
    }
    when LB_SELECTED {
        set paddr [findstr [UDP::payload] Address 8 ,]
        switch $::xxxxx {
            1 {
                LB::reselect pool syslog_pool_xxxxx
                log local0.info "I selected the xxxxx pool, YAY!.....addr $paddr"
            }
        }
    }
}
- hooleylist (Cirrostratus): Can you add the return command and some debug logging and then reproduce the issue?
rule syslog-pool-select-v5 {
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            xxx.xxx.xxx.xxx -
            xxx.xxx.xxx.xxx {
                # return here so the pool commands below cannot override the virtual
                virtual seim-syslog-tacacs
                return
            }
        }
        # Class references keep the $:: form used elsewhere in this thread (v9 syntax)
        if { [matchclass [IP::client_addr] starts_with $::syslog_chan1_string] } {
            pool syslog_pool_Channel_1
        } elseif { [matchclass [IP::client_addr] starts_with $::syslog_chan2_string] } {
            pool syslog_pool_Channel_2
        }
    }
    when LB_SELECTED {
        log local0. "[IP::client_addr]:[UDP::client_port]: selected: [LB::server]"
    }
    when SERVER_CONNECTED {
        log local0. "[IP::client_addr]:[UDP::client_port]: Connected: [IP::server_addr]:[UDP::server_port]"
    }
}
rule syslog-tacacs-pool-select-v2 {
    when CLIENT_DATA {
        set paddr [findstr [UDP::payload] Address 8 ,]
        log local0.info "address $paddr"
        if { [matchclass $paddr starts_with $::xxxxxsubnetstring] } {
            set ::xxxxx 1
            log local0.info "I matched the xxxxx pool, YAY!.....addr $paddr"
        } else {
            set ::xxxxx 0
            log local0.info "selected syslog channel 1"
        }
    }
    when LB_SELECTED {
        set paddr [findstr [UDP::payload] Address 8 ,]
        switch $::xxxxx {
            1 {
                LB::reselect pool syslog_pool_xxxxx
                log local0.info "I selected the xxxxx pool, YAY!.....addr $paddr"
            }
        }
    }
    when LB_SELECTED priority 501 {
        log local0. "[IP::client_addr]:[UDP::client_port]: selected: [LB::server]"
    }
    when SERVER_CONNECTED {
        log local0. "[IP::client_addr]:[UDP::client_port]: Connected: [IP::server_addr]:[UDP::server_port]"
    }
}
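A log-triage check for the reproduce-with-debug-logging step above, added here as an example and not code from the thread: it scans ltm log lines of the "Rule <name> : <message>" form for the LB_SELECTED debug lines in hooleylist's rules and flags any TACACS-source flow whose pool selection was logged by the main VIP's rule instead of the secondary's, which is the signature of the virtual command being overridden by a later pool command. The rule names are the thread's; the addresses, ports, pool members and log excerpt are constructed, and the check assumes a flow handed off by virtual does not reach LB_SELECTED on the main VIP.

```python
import re

# Constructed /var/log/ltm excerpt in the "Rule <name> : <message>" form shown in the thread.
# Addresses, ports and pool members are documentation-range placeholders, not real values.
SAMPLE_LTM_LOG = """\
Mar 16 13:48:53 tmm tmm[1706]: Rule syslog-pool-select-v5 : 192.0.2.10:40001: selected: syslog_pool_Channel_0 198.51.100.5 514
Mar 16 13:48:53 tmm tmm[1706]: Rule syslog-pool-select-v5 : 192.0.2.10:40001: Connected: 198.51.100.5:514
Mar 16 13:48:54 tmm tmm[1706]: Rule syslog-tacacs-pool-select-v2 : address 10.0.0.7
Mar 16 13:48:54 tmm tmm[1706]: Rule syslog-tacacs-pool-select-v2 : 192.0.2.11:40002: selected: syslog_pool_xxxxx 198.51.100.9 514
Mar 16 13:48:55 tmm tmm[1706]: Rule syslog-pool-select-v5 : 192.0.2.50:40003: selected: syslog_pool_Channel_1 198.51.100.20 514
"""

MAIN_RULE = "syslog-pool-select-v5"            # rule on the main syslog VIP
SECONDARY_RULE = "syslog-tacacs-pool-select-v2" # rule on the seim-syslog-tacacs VIP
# Constructed stand-ins for the redacted xxx.xxx.xxx.xxx TACACS server addresses.
TACACS_SERVERS = {"192.0.2.10", "192.0.2.11"}

# Matches the LB_SELECTED debug line: "<client>:<port>: selected: <pool> <member> <port>"
LB_SELECTED_RE = re.compile(
    r"Rule (?P<rule>\S+) : (?P<client>\d+\.\d+\.\d+\.\d+):(?P<port>\d+): selected: (?P<pool>\S+)"
)


def audit_virtual_handoff(log_text, tacacs_servers=TACACS_SERVERS):
    """Return (overridden, handed_off) as lists of (client, port, pool).

    overridden: TACACS-source flows whose LB_SELECTED fired on the main VIP,
                i.e. a pool command ran after virtual and won.
    handed_off: TACACS-source flows that reached LB_SELECTED on the secondary
                VIP, i.e. the virtual command took effect as intended.
    """
    overridden, handed_off = [], []
    for line in log_text.splitlines():
        m = LB_SELECTED_RE.search(line)
        if not m or m["client"] not in tacacs_servers:
            continue  # not an LB_SELECTED line, or not a TACACS source
        flow = (m["client"], int(m["port"]), m["pool"])
        if m["rule"] == MAIN_RULE:
            overridden.append(flow)
        elif m["rule"] == SECONDARY_RULE:
            handed_off.append(flow)
    return overridden, handed_off


if __name__ == "__main__":
    bad, good = audit_virtual_handoff(SAMPLE_LTM_LOG)
    for client, port, pool in bad:
        print(f"OVERRIDDEN {client}:{port} -> {pool} (main VIP load balanced it itself)")
    for client, port, pool in good:
        print(f"ok         {client}:{port} -> {pool} (secondary VIP selected the pool)")
```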