Forum Discussion
Hans_Goes_36210
Nimbostratus
Sep 06, 2012
logging iRule with 443 pool-members
Hi,
We have 2 Citrix Secure Gateway servers load-balanced behind an F5 cluster.
The Virtual Server balances every user to one of the 2 members, which also run on port 443.
How can we log source/destination (and maybe other info) for this Virtual Server?
Applying an iRule is not working, as you need an HTTP profile, but it's not HTTP :)
Any thoughts on this?
thanks,
Hans
8 Replies
- Richard__Harlan
Historic F5 Account
You can do this through the CLIENT_ACCEPTED event, like below:
when CLIENT_ACCEPTED {
log local0. "Complete connection: [IP::client_addr]:[TCP::client_port]<->LTM<->[IP::server_addr]:[TCP::server_port]"
}
- nathe
Cirrocumulus
hgoes
I take it you're terminating the SSL connection (and possibly re-encrypting to the CSG), or an iRule won't be able to inspect the traffic.
N
- Kevin_Stewart
Employee
You definitely can't terminate the SSL for CSG traffic. In this case you only have access to TCP-based iRule events.
So Richard's example above is a good one.
- Hans_Goes_36210
Nimbostratus
Hi Kevin, Richard,
Thanks for your assistance, but I can't apply an iRule as far as I know, because for an iRule you need an HTTP profile and I can't use that because I am not terminating the SSL traffic on the F5s.
I was thinking of terminating and re-encrypting, but that's way too much hassle for just a piece of logging.
Hans
- Kevin_Stewart
Employee
Actually, you can't use HTTP events and commands in an iRule without an HTTP profile. You can, however, as long as you have a TCP profile, apply TCP-based events and commands.
For example, the following would work in a non-HTTP iRule:
when CLIENT_ACCEPTED {
log local0. "[IP::client_addr]"
}
- Hans_Goes_36210
Nimbostratus
Thanks, it works!
Sep 7 10:43:08 abcdefgh info tmm1[8540]: Rule /Common/iRule_Citrix_logging : Citrix-hit from:10.200.6.1 - hoolio
Cirrostratus
If you want to log the server address you'd need to use SERVER_CONNECTED as a serverside connection hasn't been established in CLIENT_ACCEPTED:
when SERVER_CONNECTED {
log local0. "Complete connection: [IP::client_addr]:[TCP::client_port]<->[clientside {[IP::local_addr]:[TCP::local_port]}] LTM [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
Aaron
- Hans_Goes_36210
Nimbostratus
I rewrote your iRule as it gave an error:
Sep 11 08:21:13 lb30 err tmm1[8540]: 01220001:3: TCL error: /Common/iRule_Citrix_logging - invalid command name "x.x.x.10:443" while executing "[IP::local_addr]:[TCP::local_port]"invalid peer expression (line 1) invoked from within "clientside {[IP::local_addr]:[TCP::local_port]}"
Now it's:
iRule Citrix Logging
when CLIENT_ACCEPTED {
log local0. "Citrix-hit from:[IP::client_addr]"
}
when SERVER_CONNECTED {
log local0. "Complete connection: [IP::client_addr]:[TCP::client_port] - [IP::server_addr]:[TCP::server_port]"
}
Sep 11 08:25:39 lb30 info tmm1[8540]: Rule /Common/iRule_Citrix_logging : Complete connection: x.x.x.79:50554 - x.x.x.12:443
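A consolidated iRule that applies the points made in this thread, written here as an added example and not code posted by any participant: it uses only TCP-level events (no HTTP or client SSL profile is needed, so the Citrix SSL session stays end-to-end encrypted), captures the client endpoint in CLIENT_ACCEPTED, and in SERVER_CONNECTED evaluates one command per clientside call so the virtual server's own address can be logged without the "invalid command name" error quoted above. The virtual server name, the pool name and the closing record with connection duration go beyond what the thread shows; the setup (a TCP virtual server, pool members on 443, log local0. to the BIG-IP's local syslog) is assumed.

```tcl
# Added example (not from any post in this thread). Assumes a TCP-only
# virtual server (no client SSL profile) whose pool members listen on 443.
when CLIENT_ACCEPTED {
    # Only the client side exists at this point; the server side is not
    # established yet, so IP::server_addr would be empty here.
    set conn_start [clock seconds]
    set client "[IP::client_addr]:[TCP::client_port]"
    log local0. "Citrix-hit from:$client to VS [virtual name] ([IP::local_addr]:[TCP::local_port])"
}

when SERVER_CONNECTED {
    # This event runs in the server-side context: IP::local_addr here is the
    # address the BIG-IP uses as source toward the pool member (the SNAT
    # address if SNAT is configured). To read the client-facing virtual
    # server address, give clientside exactly one command per call; wrapping
    # a whole "[...]:[...]" string makes Tcl execute the substituted
    # "x.x.x.x:443" result as a command, which is the error seen above.
    set vip "[clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    log local0. "Complete connection: $client <-> $vip LTM [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port] pool [LB::server pool]"
}

when CLIENT_CLOSED {
    # Closing record with duration, so the open and close lines for one
    # connection can be correlated by client address and port.
    if { [info exists conn_start] } {
        set duration [expr { [clock seconds] - $conn_start }]
        log local0. "Connection closed: $client after ${duration}s"
    }
}
```

The client address is stored in a variable at CLIENT_ACCEPTED and reused in the later events so the log lines do not depend on which context IP::client_addr is evaluated in. log local0. goes through the BIG-IP's syslog and shows up in /var/log/ltm as in the lines above; for a busy virtual server, F5's high-speed logging (HSL) commands are the usual replacement, since per-connection syslog writes add load to TMM.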