Forum Discussion

yquirion
Mar 23, 2018

iRules executed on both device when connection mirroring enabled

Dear all,

I have a question about iRules and the activation of connection mirroring on a VIP.

On the majority of my services, I've bound an iRule to send a log to my syslog server. This iRule sends information such as the client IP address, the requested VIP, the SNAT address and the real server (node) it has been load balanced to. Here is an example of the output I have in my syslog server:

Mar 20 07:20:15 1.1.1.8  : Client IP: 10.45.49.80:55726 -> 1.1.1.144:443 to SNAT To: 1.1.1.122:55726 -> 10.32.96.179:443

When I enable "connection mirroring" for a particular service, because I want the connection table to be transferred to the standby device (we are running in active-standby mode), it seems that not only the connection is sent to the standby device, but the iRule is also executed there. This sends a log to my syslog server that comes from the standby device's IP address. I'm wondering if that is normal behavior with F5 LTM.

One of the strange things is that, even though the iRules are the same on both devices, the log sent to my syslog server is not the same line I've put into the iRule. In fact, the line sent by the standby device in that case seems to use an older version of the iRule that I used a while ago. I really don't understand that behavior.

Here are the two different lines that are sent to my syslog server:

Mar 23 07:09:44 1.1.1.7  : Client IP: 10.45.49.65:48994 -> 1.1.1.18:389 to SNAT To: 1.1.1.120:48994 -> 10.32.104.172:389 
Mar 23 07:09:44 1.1.1.8   Client IP: 10.45.49.65%7:48994 -> Dest VIP: 1.1.1.18%7:389 to SNAT To: 1.1.1.120%7:48994 -> 10.32.104.172%7:389

The .8 is the standby device and the .7 is the active device. The .8 shows the wrong line, and after double-checking the iRule on the standby device, it is exactly the same as on the active device. I really don't understand.

Here is the line I have in my iRule:

HSL::send $hsl "<[lindex [split [virtual name] /] 1]>: Client IP: [getfield $cip_LCT % 1]:$cport_LCT -> [getfield $vip_LCT % 1]:$vport_LCT to SNAT To: [getfield [IP::local_addr] % 1]:[TCP::local_port] -> [getfield [IP::server_addr] % 1]:[TCP::server_port] " 

Is there someone who can help me with this problem?

Thank you all and best regards, Yanick

  • Hi Yanick,

    Can you show your complete iRule? Mirroring holds the connection and persistence info on the standby unit for every packet flow. So whenever a connection is established to your setup, the same will be captured on your standby too. So this is expected. Can you share your complete iRule? I suspect there is some event in which some other log is getting captured too.

  • Hi jaikumar,

    Thank you for taking the time to answer my question, I appreciate it.

    Here is my really simple iRule, for logging purposes.

    # priority 2: run this rule before the other iRules bound to the same virtual server
    priority 2
    when CLIENT_ACCEPTED {
      # Client-side tuple; getfield strips a route-domain suffix such as %7
      set cip_LCT [getfield [IP::client_addr] % 1 ]
      set cport_LCT [TCP::client_port]
      set vip_LCT [getfield [IP::local_addr] % 1 ]
      set vport_LCT [TCP::local_port]
    }
    
    when SERVER_CONNECTED {
      # Server-side tuple; in this event IP::local_addr and TCP::local_port are the SNAT address and port
      set sip [IP::server_addr]
      set sport [TCP::server_port]
      set snat_ip [IP::local_addr]
      set snat_port [TCP::local_port]
      # Not used in the log lines below
      set timestamp [clock format [clock seconds] -format {%Y-%m-%d_%H:%M:%S}]
      # [virtual name] is /<partition>/<vs name>; element 1 of the split is the partition
      set partition [lindex [split [virtual name] /] 1]
      set script_name "logging_clients_tcp"
    
      set hsl [HSL::open -proto UDP -pool /[lindex [split [virtual name] /] 1]/syslogi_pool ]
    
      # First format ("Dest VIP:" wording, no getfield, so route-domain suffixes are kept).
      # $cip, $cport, $vip and $vport are not set anywhere in this rule. iRule variables are
      # per-connection and shared by every iRule on the virtual server, so they would have to
      # be set by another rule; otherwise this send fails with a Tcl "no such variable" error.
      HSL::send $hsl "<$partition>:<$script_name> Client IP: $cip:$cport -> Dest VIP: $vip:$vport to SNAT To: $snat_ip:$snat_port -> $sip:$sport"
      # Second format (route-domain suffix stripped from every address)
      HSL::send $hsl "<[lindex [split [virtual name] /] 1]>: Client IP: [getfield $cip_LCT % 1]:$cport_LCT -> [getfield $vip_LCT % 1]:$vport_LCT to SNAT To: [getfield [IP::local_addr] % 1]:[TCP::local_port] -> [getfield [IP::server_addr] % 1]:[TCP::server_port] "
    }
    

    This is a really simple rule. I don't understand the behavior of not having the exact same line sent to my syslog server.

    Can you confirm that it is normal to have iRules executed on every device in my device group (I have 2 devices, in fact: one active, one standby), including those that aren't active?

    If that is the case, is there a variable that I can use in an iRule to know whether the device is active or standby? Having that, I will add a condition to only send logs to my syslog server from the "Active" device. Thank you again and best regards, Yanick

  • So when mirroring is enabled for the VS, the iRule does execute on the Standby too. To get the device status, you can use the HA::status command:

    when CLIENT_ACCEPTED {
        # Each command returns 1 when this unit is in that HA state, otherwise 0
        log local0. "active: [HA::status active]"
        log local0. "standby: [HA::status standby]"
    }

    /var/log/ltm log output (on the active unit):
     : active: 1
     : standby: 0
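The status check from the reply above, folded into the logging rule from the thread, as an added example (not code posted by anyone in the thread). It assumes a UDP HSL pool named /<partition>/syslog_pool (a hypothetical name standing in for the thread's syslogi_pool) and uses a key=value record layout of my own choosing; adjust both to your environment.

```tcl
# Added example, not from the thread: the thread's logging rule with the HSL send
# gated so that only the unit that is currently active emits the record.
# Assumption: the HSL pool is /<partition>/syslog_pool (hypothetical name).
priority 2

when CLIENT_ACCEPTED {
    # Client-side tuple. getfield strips a route-domain suffix such as %7.
    set cip_LCT   [getfield [IP::client_addr] % 1]
    set cport_LCT [TCP::client_port]
    set vip_LCT   [getfield [IP::local_addr] % 1]
    set vport_LCT [TCP::local_port]
}

when SERVER_CONNECTED {
    # With connection mirroring enabled this event also fires on the standby unit
    # for the mirrored flow. HA::status active is 1 only on the active unit, so the
    # standby keeps the mirrored connection state but sends nothing to syslog.
    if { ![HA::status active] } {
        return
    }

    # In SERVER_CONNECTED, IP::local_addr / TCP::local_port are the SNAT address and port.
    set snat_ip   [getfield [IP::local_addr] % 1]
    set snat_port [TCP::local_port]
    set sip       [getfield [IP::server_addr] % 1]
    set sport     [TCP::server_port]

    # [virtual name] is /<partition>/<vs name>; elements 1 and 2 of the split are
    # the partition and the virtual server name.
    set vs_path   [split [virtual name] /]
    set partition [lindex $vs_path 1]
    set vs_name   [lindex $vs_path 2]

    set hsl [HSL::open -proto UDP -pool /$partition/syslog_pool]

    # The partition is carried as a plain field rather than in angle brackets: a
    # leading "<...>" is where an RFC 3164 receiver expects the PRI field.
    HSL::send $hsl "partition=$partition vs=$vs_name client=$cip_LCT:$cport_LCT vip=$vip_LCT:$vport_LCT snat=$snat_ip:$snat_port node=$sip:$sport"
}
```

The check sits in the event that has the side effect (the HSL send), not only in CLIENT_ACCEPTED, because mirroring replays the flow's events on the standby and the SERVER_CONNECTED handler would otherwise still send from there. Dropping the angle-bracket prefix is a precaution: both log lines quoted in the question arrive at the syslog server with the `<partition>` part missing, which is consistent with the receiver treating it as a malformed PRI header.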