For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kev_245_28249's avatar
kev_245_28249
Icon for Nimbostratus rankNimbostratus
Apr 21, 2011

Nexthop

Hi,

 

I am trying to configure the nexthop global cmd via an iRule inorder to send traffic to a particular gateway depending upon which vlan it hits.

 

In a simple vm lab I have one vlan 'Prod' with a server node of 10.20.0.111. The virtual server is addressed as 10.20.0.250. I have removed the default route on the Ltm and configured the global nexthop irule and applied it to the VIP. What seems to happen when i attempt to pass traffic is that the VIP holds on to the traffic. For eg, for an FTP I get a connected to 'vip ip'

 

 

(I have tried using the mac address and ip address of the destination server with the same results.

 

 

irule

 

when CLIENT_ACCEPTED {

 

nexthop Prod 00:0C:29:16:04:7B

 

}

 

 

or

 

 

when CLIENT_ACCEPTED {

 

nexthop Prod 10.20.0.111

 

}

 

application delivery
dev
devops
iRules

22 Replies

  • kev_245_28249's avatar
    kev_245_28249
    Icon for Nimbostratus rankNimbostratus
    Apr 21, 2011
    I am just trying SSH now,

     

     

    Virtual Public_SSH {

     

    snat automap

     

    pool Public_SSH

     

    destination 10.20.0.250:ssh

     

    ip protocol tcp

     

    rules Next_hop

     

    }

     

     

    i have tried this with the default route on the box as well as with it removed..

     

    my tcpdumps on the ltm for say port 22 (for the above config) show me the ip address of the destination server (when I don't have the irule applied). The tcpdumps only show me the VIP address being involved when the irule is applied.

     

  • kev_245_28249's avatar
    kev_245_28249
    Icon for Nimbostratus rankNimbostratus
    Apr 22, 2011
    Got it sorted, reset my lab ltm's back to last known good build and also turned logging on for my iRule.

     

     

    Closed

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2011
    does it work? really? i got the same problem in my test unit.

     

     

    i'm upgrading to 9.4.8.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2011
    it doesn't work even upgrading to 9.4.8. i'm going to escalate and will also update here.

     

     

    any suggestions are welcome. thanks!
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2011
    this is feedback from escalation engineer.

     

     

    ------------------------------

     

    the virtual should be transparent.

     

    translate address disable

     

    translate service disable

     

    ------------------------------

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 26, 2011
    PD is checking on this. The case is C870230. Will let you know when getting any feedback from them.
  • kev_245_28249's avatar
    kev_245_28249
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2011
    Just to confirm, I was testing over the weekend and just relying on the var/log/ltm file for proof.

     

    Now in my work lab I confirm I don't see this working.

     

     

     

  • kev_245_28249's avatar
    kev_245_28249
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2011
    Just to confirm, I was testing from home over the easter weekend and just relying on the var/log/ltm file for proof.

     

    Now in my work lab I confirm I don't see this working, despite seeing the iRule being correctly hit in the log file.