Forum Discussion
irule to figure out source and destination
Hi,
I am looking for a way to see what is source and destination and VIP/VS that is used for this traffic
tcpdump -ni external:nnn -s0 tcp port 22
I am seeing Self IP of F5 as source and destination as 192.168.1.10 server. But not sure about what is the source of this connection. Can irule help find which VS is used and where the connection is originated from?
I thought :nnn will give more information but as the source is self IP not sure how to troubleshoot this further
BIG-IP 10.1.0 Build 3341.0 Final
I saw few irule examples for HTTP / TCP / UDP but not sure which VS should i apply this to get more information
Any help on this will be appreciated
Thanks
C
20 Replies
- nitass
Employee
you may check source port. bigip tries to use the same source port on server-side. irule logging is also usable.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:22
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:22 {}
}
[root@ve10:Active] config b self 200.200.200.10 list
self 200.200.200.10 {
   netmask 255.255.255.0
   vlan internal
   allow default
}
(1) - (3) is client-side connection and (4) - (6) is server-side connection
[root@ve10:Active] config tcpdump -nni 0.0 -s0 port 22 and not host 192.168.206.75
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 22:07:04.047446 IP 172.28.20.120.46154 > 172.28.19.252.22: S 2301043389:2301043389(0) win 14600 in slot1/tmm0 lis=
(2) 22:07:04.047481 IP 172.28.19.252.22 > 172.28.20.120.46154: S 1607017789:1607017789(0) ack 2301043390 win 4380 out slot1/tmm0 lis=bar
(3) 22:07:04.050367 IP 172.28.20.120.46154 > 172.28.19.252.22: . ack 1 win 115 in slot1/tmm0 lis=bar
(4) 22:07:04.050407 IP 200.200.200.10.46154 > 200.200.200.101.22: S 3026268657:3026268657(0) win 4380 out slot1/tmm0 lis=bar
(5) 22:07:04.051415 IP 200.200.200.101.22 > 200.200.200.10.46154: S 2681472808:2681472808(0) ack 3026268658 win 5792 in slot1/tmm0 lis=bar
(6) 22:07:04.051427 IP 200.200.200.10.46154 > 200.200.200.101.22: . ack 1 win 4380 out slot1/tmm0 lis=bar
[root@ve10:Active] config b rule myrule list
rule myrule {
   when SERVER_CONNECTED {
      log local0. "client-side [IP::client_addr]:[TCP::client_port] > [clientside {IP::local_addr}]:[clientside {TCP::local_port}] | server-side [IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]"
   }
}
[root@ve10:Active] config tail /var/log/ltm
Feb 27 22:07:04 local/tmm info tmm[22185]: Rule myrule : client-side 172.28.20.120:46154 > 172.28.19.252:22 | server-side 200.200.200.10:46154 > 200.200.200.101:22
- C_14818
Nimbostratus
Thanks nitass!!
This command doesn't show any information - b virtual bar list
Can you please clarify?
- nitass
Employee
> This command doesn't show any information - b virtual bar list
"bar" is my virtual server name. i used it to show you my testing configuration just for reference. why did you run that command??
- C_14818
Nimbostratus
aah! my bad. Can you please give more info on troubleshooting? what tcpdump should i run for this?
- C_14818
Nimbostratus
I have only one VS with port 22 but i don't see any connections on it. Anyways to find out which VS is used for that specific traffic? Thanks
- nitass
Employee
> Can you please give more info on troubleshooting? what tcpdump should i run for this?
you may run tcpdump on f5 special interface 0.0. interface 0.0 will capture packet from all vlan. normally bigip tries to use same source port number if it is available.
e.g.
tcpdump -nni 0.0 -s0 tcp port 22
or you may use irule similar to the one i posted to log ip address.
> Anyways to find out which VS is used for that specific traffic?
virtual server name should be displayed in tcpdump output (e.g. lis=bar).
- C_14818
Nimbostratus
I get this result when i run tcpdump which is confusing. Need your help
09:39:39.610871 IP 10.11.11.5.39992 > 192.168.1.10.22: S 3011534899:3011534899(0) win 5840 out slot1/tmm0 lis=
- nitass
Employee
you should see 2 packets; one is on client-side (between client and bigip) and the other one is on server-side (between bigip and server). source port number could be same (e.g. 46154).
e.g.
(1) 22:07:04.047446 IP 172.28.20.120.46154 > 172.28.19.252.22: S 2301043389:2301043389(0) win 14600 in slot1/tmm0 lis=
...snipped...
(4) 22:07:04.050407 IP 200.200.200.10.46154 > 200.200.200.101.22: S 3026268657:3026268657(0) win 4380 out slot1/tmm0 lis=bar
this sol explains how connection is setup. hope it is helpful.
sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html
- C_14818
Nimbostratus
I am not seeing packets from Client to BigIP. Thanks for SOL. Is there any other way to figure out packets from clients to BigIP. I see just packets from BigIP to server. Thanks
- nitass
Employee
> I am not seeing packets from Client to BigIP. Thanks for SOL. Is there any other way to figure out packets from clients to BigIP. I see just packets from BigIP to server.
what tcpdump command did you use? was it "tcpdump -nni 0.0 -s0 tcp port 22"?
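The manual correlation discussed in this thread (same source port on both sides, virtual server name in `lis=`) can be scripted. This is an added example, not code from any poster or from F5; the function names are hypothetical, the input is assumed to be `tcpdump -nni 0.0` text in the format shown above, and the source-port match is a heuristic because BIG-IP only tries to preserve the port.

```python
import re

# Constructed sample: capture lines quoted in the thread (client-side SYN,
# SYN-ACK, server-side SYN) plus the poster's unmatched server-side SYN.
SAMPLE = """\
(1) 22:07:04.047446 IP 172.28.20.120.46154 > 172.28.19.252.22: S 2301043389:2301043389(0) win 14600 in slot1/tmm0 lis=
(2) 22:07:04.047481 IP 172.28.19.252.22 > 172.28.20.120.46154: S 1607017789:1607017789(0) ack 2301043390 win 4380 out slot1/tmm0 lis=bar
(4) 22:07:04.050407 IP 200.200.200.10.46154 > 200.200.200.101.22: S 3026268657:3026268657(0) win 4380 out slot1/tmm0 lis=bar
09:39:39.610871 IP 10.11.11.5.39992 > 192.168.1.10.22: S 3011534899:3011534899(0) win 5840 out slot1/tmm0 lis=
"""

LINE = re.compile(
    r"^(?:\(\d+\)\s*)?(\d\d):(\d\d):(\d\d\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\S+) .*?\b(in|out) slot\d+/tmm\d+ lis=(\S*)")

def parse_syns(text):
    """Yield initial SYNs only (flag S without an ack field)."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(8) != "S" or " ack " in raw:
            continue
        h, mi, s, src, sport, dst, dport, _, direction, lis = m.groups()
        yield {"t": int(h) * 3600 + int(mi) * 60 + float(s),
               "src": src, "sport": int(sport), "dst": dst,
               "dport": int(dport), "dir": direction, "lis": lis}

def fmt(p):
    return f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]}'

def correlate(text, window=1.0):
    """Pair each outbound (server-side) SYN with an inbound (client-side)
    SYN that used the same source port within `window` seconds."""
    syns = list(parse_syns(text))
    inbound = [p for p in syns if p["dir"] == "in"]
    results = []
    for out in (p for p in syns if p["dir"] == "out"):
        match = next((c for c in inbound if c["sport"] == out["sport"]
                      and 0 <= out["t"] - c["t"] <= window), None)
        results.append({"server_side": fmt(out),
                        "virtual": out["lis"] or None,  # empty lis= -> None
                        "client_side": fmt(match) if match else None})
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

A row with `client_side` and `virtual` both `None` is a server-side SYN that has no matching client-side SYN in the capture and carries no listener name.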