Forum Discussion

ZANOOB's avatar
ZANOOB
Icon for Cirrus rankCirrus
Jul 23, 2021

iRule not working to have a RADIUS presistant load balancing.

Hello All,   I having trouble with an iRule that I created to load balance the RADIUS traffic on F5. I have a virtual server created that is listening on "all ports" and I have created an iRule ...
application delivery
BIG-IP
iRules
security
ZANOOB's avatar
ZANOOB
Icon for Cirrus rankCirrus
Jul 26, 2021

Hello Enes Afsin Al,

 

Thank you for your reply. Much appreciated.

The above iRule, I was not able to save it since it shows some syntax errors. Not an expert in scripts, so couldn't find what is wrong with the syntax of it.

-------------------------------

01070151:3: Rule [/Common/CallIDUIE2] error: /Common/CallIDUIE2:17: error: [parse error: PARSE syntax 501 {syntax error in expression "

set CALLID [RADIUS::avp 31 string]

log local0. ...": variable references require preceding $}][{

set CALLID [RADIUS::avp 31 string]

log local0. "persisted $CALLID"

 

if { $CALLID ne "" } {

persist uie $CALLID

}

}]

/Common/CallIDUIE2:24: error: [missing a script after "elseif"][]

/Common/CallIDUIE2:27: error: ["Duplicate event"][when CLIENT_DATA {

if { [UDP::local_port] == 1813 } {

set CALLID [RADIUS::avp 31 string]

set IP [RADIUS::avp 8 ip4]

if { $IP ne "" && $CALLID ne "" } {

table set $IP [LB::server addr] 900

log local0. "Radius maps $IP to [LB::server addr] for $CALLID"

}

}

}]

 

 

--------------------------------

 

The packet capture shows the AVP 31 attribute ( Calling-Station-Id) in it. So the issue is not the attribute value missing, however, something that F5 is not able to understand is the packet not processing it forwards.

 

 

Frame 2: 317 bytes on wire (2536 bits), 317 bytes captured (2536 bits)

Ethernet II, Src: Fortinet_09:00:12 (00:09:0f:09:00:12), Dst: VMware_f5:03:01 (00:50:56:f5:03:01)

802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 4091

Internet Protocol Version 4, Src: 172.17.70.60, Dst: 10.1.6.100

User Datagram Protocol, Src Port: 54892, Dst Port: 1812

RADIUS Protocol

   Code: Access-Request (1)

   Packet identifier: 0x5e (94)

   Length: 164

   Authenticator: e0a10849518a2fc1f0827505db9f8a5c

   Attribute Value Pairs

       AVP: t=NAS-IP-Address(4) l=6 val=172.17.70.60

       AVP: t=NAS-Port(5) l=6 val=0

       AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)

       AVP: t=User-Name(1) l=15 val=mgalantowicza

       AVP: t=User-Password(2) l=18 val=Encrypted

       AVP: t=Service-Type(6) l=6 val=Shell-User(6)

       AVP: t=Calling-Station-Id(31) l=14 val=b0b867cd68ee

           Type: 31

           Length: 14

           Calling-Station-Id: b0b867cd68ee

       AVP: t=Called-Station-Id(30) l=14 val=b0b867cd68ee

       AVP: t=Vendor-Specific(26) l=23 vnd=Aruba, a Hewlett Packard Enterprise company(14823)

       AVP: t=Vendor-Specific(26) l=18 vnd=Aruba, a Hewlett Packard Enterprise company(14823)

       AVP: t=Message-Authenticator(80) l=18 val=a0d082620a1137f9110e2a5975c7d6a8

F5 Ethernet Trailer Protocol

 

 

However, I will check the LTM logs. But last time I checked it really didn't give any error for the virtual server. It simply is not forwarding the traffic, to the load-balanced Radius servers.