Forum Discussion
C_14818
Nimbostratus
Nimbostratusirule to figure out source and destination
Hi,
I am looking for a way to see what is source and destination and VIP/VS that is used for this traffic
tcpdump -ni external:nnn -s0 tcp port 22
I am seeing Self IP of F5 as source and destination as 192.168.1.10 server. But not sure about what is the source of this connection. Can irule help find which VS is used and where the connection is originated from?
I thoguht :nnn will give more information but as the source is self IP not sure how to troubleshoot this further
BIG-IP 10.1.0 Build 3341.0 Final
I saw few irule examples for HTTP / TCP / UDP but not sure which VS should i apply this to get more information
Any help on this will be appreciated
Thanks
C
20 Replies
C_14818Command: tcpdump -nni 0.0 -s0 tcp port 22- nitass
Employee
is 10.11.11.5 floating selfip or non-floating selfip?
does the virtual server have snat automap (snat automap setting under virtual server configuration)?
does the pool have health monitor? - C_14818self 10.11.11.5 {
netmask 255.255.255.0
vlan external
allow default
I am not sure if this Virtual server is used but below is setup for Virtual server where SSH is allowed
It is not using SNAT Auto Map but using a custom SNAT Pool
snatpool my_ftpvm_snat {
members 10.11.11.5
}
IT is using gateway_icmp Health monitor. One more setting i see is Type Performance (Layer 4) in VS and Protocol is TCP - C_14818Any help on this? Is there any other way to find out where the traffic is getting originated?
Thanks - nitassIs there any other way to find out where the traffic is getting originated?what about "b conn" or "tmsh show sys connection"?
- C_14818Thanks! I still don't see the source as different IP address
Source is F5 - End server - End server. This is so weird. Cannot find where is the connection originating from?
Other possibilities? - nitassthis is mine.
bigpipe [root@ve10:Active] config b conn ss server 200.200.200.101 show all VIRTUAL 172.28.19.252:22 <-> NODE 200.200.200.101:22 TYPE any 1/0 CLIENTSIDE 192.168.206.75:62025 <-> 172.28.19.252:22 (pkts,bits) in = (20, 2520) out = (16, 3136) SERVERSIDE 200.200.200.10:62025 <-> 200.200.200.101:22 (pkts,bits) in = (21, 3336) out = (19, 2480) PROTOCOL 6 UNIT 1 IDLE 85 (300) LASTHOP external 00:01:e8:d5:d4:47 tmsh [root@ve10:Active] config tmsh show sys connection ss-server-addr 200.200.200.101 all-properties Sys::Connections 192.168.206.75:62025 - 172.28.19.252:22 - 200.200.200.101:22 ------------------------------------------------------------ TMM 0 Type any Protocol tcp Idle Time 116 Idle Timeout 300 Unit ID 1 Lasthop external 00:01:e8:d5:d4:47 Virtual Path 172.28.19.252:22 ClientSide ServerSide Client Addr 192.168.206.75:62025 200.200.200.10:62025 Server Addr 172.28.19.252:22 200.200.200.101:22 Bits In 20.1K 26.6K Bits Out 25.0K 19.8K Packets In 20 21 Packets Out 16 19 Total records returned: 1 - C_14818I see this
[admin@F5-01:Active] ~ b conn ss server 192.168.1.10 show all
VIRTUAL any%65535 <-> NODE 192.168.1.10:8 TYPE local 1/1
CLIENTSIDE 10.11.11.5:17343 <-> 192.168.1.10:8
(pkts,bits) in = (1, 40) out = (1, 40)
SERVERSIDE 10.11.11.5:17343 <-> 192.168.1.10:8
(pkts,bits) in = (1, 40) out = (1, 40)
PROTOCOL icmp UNIT 0 IDLE 9 (10) LASTHOP external 00:01:d7:b0:45:04
VIRTUAL any%65535 <-> NODE 192.168.1.10:8 TYPE local 1/0
CLIENTSIDE 10.11.11.5:34690 <-> 192.168.1.10:8
(pkts,bits) in = (1, 40) out = (1, 40)
SERVERSIDE 10.11.11.5:34690 <-> 192.168.1.10:8
(pkts,bits) in = (1, 40) out = (1, 40)
PROTOCOL icmp UNIT 0 IDLE 4 (10) LASTHOP external 00:01:d7:b0:45:04
[admin@F5-01:Active] ~ tmsh show sys connection ss-server-addr 192.168.1.10 all-properties
Sys::Connections
10.11.11.5:34162 - 192.168.1.10:8 - 192.168.1.10:8
-----------------------------------------------------
TMM 0
Type self
Protocol icmp
Idle Time 4
Idle Timeout 10
Unit ID 0
Lasthop external 00:01:d7:b0:45:04
Virtual Path 192.168.1.10:8
ClientSide ServerSide
Client Addr 10.11.11.5:34162 10.11.11.5:34162
Server Addr 192.168.1.10:8 192.168.1.10:8
Bits In 320 320
Bits Out 320 320
Packets In 1 1
Packets Out 1 1
10.11.11.5:14811 - 192.168.1.10:8 - 192.168.1.10:8
-----------------------------------------------------
TMM 1
Type self
Protocol icmp
Idle Time 9
Idle Timeout 10
Unit ID 0
Lasthop external 00:01:d7:b0:45:04
Virtual Path 192.168.1.10:8
ClientSide ServerSide
Client Addr 10.11.11.5:14811 10.11.11.5:14811
Server Addr 192.168.1.10:8 192.168.1.10:8
Bits In 320 320
Bits Out 320 320
Packets In 1 1
Packets Out 1 1
Total records returned: 2
you can see client side is also F5 IP address. Does this give any info? - nitassyou can see client side is also F5 IP address. Does this give any info?that is gateway_icmp health monitor.
- C_14818I saw sometime SSH connections too. I will try and capture that but only difference is destination port is SSH
Thanks
