Krzysztof_Kozlo
May 09, 2007

listing live connections (to programmatically de-NAT)

Our environment makes extensive use of source NAT to avoid having to have L2 connectivity to the F5. It would be nice to have some programmatic way to detangle the NAT. 'b conn all show all' shows the client IP:port for each destination IP:port, but I can't find any corresponding SNMP MIB or iControl widget to get this data.

 

 

Example:

VIRTUAL ny1bgpvip58.ms.com:any <-> NODE pawas359.ms.com:5060 MIRROR
CLIENTSIDE dynamic-144-14-223-237.ms.com:2696 <-> ny1bgpvip58.ms.com:5060
(pkts,bits) in = (160, 419640), out = (155, 1.186M)
SERVERSIDE ny1bgpvip58.ms.com:60136 <-> pawas359.ms.com:5060
(pkts,bits) in = (151, 1.173M), out = (131, 407144)
PROTOCOL tcp UNIT 1 IDLE 162 (300) LASTHOP 4094 00:0e:d6:0b:9a:c0

Let's say I'm on pawas359 and I do a netstat and I see a connection from ny1bgpvip58 (NAT address) port 60136. I want to be able to ask the LTM what the real client IP address is for that connection.

Any ideas?

Regards,

Chris
  • This is becoming a more urgent task for us, particularly since F5 doesn't seem to recommend using the LTM as a default gateway for servers which are behind it since it requires enabling loose initiation and teardown of flows, but our app owners expect on-demand access to client source IPs connected to LTM VIPs and source-NATted on the back-end.

    Right now what I had to do was create a service which on one end physically logs into the BigIP and issues a "b conn destination show" command, which I then parse and package into a SOAP message for consumption by application support tools.

    This strikes me as a very awkward way to get this information which should be exposed with iControl!
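
An added example, not part of the original thread and not F5's own tooling: a parser for connection-table output in the format quoted in the first post, indexed so that the SNAT source a back-end server sees in netstat resolves to the real client endpoint. The function names and the second sample record are constructed for illustration, and endpoints are assumed to be hostnames or IPv4 addresses in host:port form.

```python
import re

# First record is the sample quoted in the post; the second is constructed for this example.
SAMPLE = """\
VIRTUAL ny1bgpvip58.ms.com:any <-> NODE pawas359.ms.com:5060 MIRROR
CLIENTSIDE dynamic-144-14-223-237.ms.com:2696 <-> ny1bgpvip58.ms.com:5060
(pkts,bits) in = (160, 419640), out = (155, 1.186M)
SERVERSIDE ny1bgpvip58.ms.com:60136 <-> pawas359.ms.com:5060
(pkts,bits) in = (151, 1.173M), out = (131, 407144)
PROTOCOL tcp UNIT 1 IDLE 162 (300) LASTHOP 4094 00:0e:d6:0b:9a:c0
VIRTUAL vip.example.test:any <-> NODE node.example.test:5060
CLIENTSIDE client.example.test:40001 <-> vip.example.test:5060
SERVERSIDE vip.example.test:60137 <-> node.example.test:5060
PROTOCOL tcp UNIT 1 IDLE 3 (300) LASTHOP 4094 00:00:5e:00:53:01
"""

SIDE = re.compile(r"^(CLIENTSIDE|SERVERSIDE)\s+(\S+)\s+<->\s+(\S+)$")

def endpoint(text):
    """Split 'host:port' on the last colon (assumes names or IPv4, as in the post)."""
    host, _, port = text.rpartition(":")
    return host.lower(), port

def parse_connections(dump):
    """Return one dict per connection record that has both sides present."""
    records, cur = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("VIRTUAL "):
            cur = {}          # a VIRTUAL line opens a new record
            records.append(cur)
        elif cur is not None and (m := SIDE.match(line)):
            left, right = endpoint(m.group(2)), endpoint(m.group(3))
            if m.group(1) == "CLIENTSIDE":
                cur["client"], cur["vip"] = left, right
            else:
                cur["snat"], cur["node"] = left, right
    # Drop truncated records so a partial dump never yields a wrong attribution.
    return [r for r in records if {"client", "snat", "node"} <= r.keys()]

def build_denat_index(records):
    """Key: (SNAT source, node destination), as the server's netstat shows them."""
    return {(r["snat"], r["node"]): r["client"] for r in records}

def real_client(index, snat_host, snat_port, node_host, node_port):
    """Return (client_host, client_port), or None if the flow is not in the dump."""
    key = ((snat_host.lower(), str(snat_port)), (node_host.lower(), str(node_port)))
    return index.get(key)
```

The connection table is a point-in-time snapshot, so a lookup only resolves flows that were still open when the dump was taken.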