Forum Discussion

Jeff_Nguyen_449
Oct 15, 2015

Radius irule

I need some help with my iRule that we use to load balance AAA UDP traffic. My rule works fine for 1812/1813 traffic, but when it comes to 1645/1646 traffic it fails. I'm sure it's something wrong with the coding, but I need assistance with it... Thanks in advance.

 

when CLIENT_ACCEPTED { if { ([UDP::local_port] != 1645) && ([UDP::local_port] != 1646) && ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } { log local0. "packet on port [UDP::local_port] dropped" drop } else { set CALLID [RADIUS::avp 31 string] persist uie $CALLID log local0. "persisted $CALLID" } } when CLIENT_DATA { if { ([UDP::local_port] == 1646) or ([UDP::local_port] == 1813) } { set CALLID [RADIUS::avp 31 string] set IP [RADIUS::avp 8 ip4] if { $IP != "" } { table set $IP [LB::server addr] 900 log local0. "Radius maps $IP to [LB::server addr] for $CALLID" } } } when LB_SELECTED { log local0. "Selected [LB::server addr] [LB::server port]" } when SERVER_DATA { persist add uie $CALLID log local0. "persist added for $CALLID to [LB::server addr]" }

 

  • - From your logic, there does not seem to be a reason for different behavior if the port is 1812 or 1645!
    - Why is set CALLID done in CLIENT_ACCEPTED, then again in CLIENT_DATA?
    - What version of BIGIP do you have? This persistence is supported in newer versions of 11, not sure starting from what version though.
  • Your code, maybe better formatted:

     

    when CLIENT_ACCEPTED {
        # Accept only the legacy (1645/1646) and standard (1812/1813) RADIUS ports
        if { ([UDP::local_port] != 1645) && ([UDP::local_port] != 1646) && ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
            log local0. "packet on port [UDP::local_port] dropped"
            drop
        } else {
            # AVP 31 = Calling-Station-Id, used as the persistence key
            set CALLID [RADIUS::avp 31 string]
            persist uie $CALLID
            log local0. "persisted $CALLID"
        }
    }

    when CLIENT_DATA {
        # Accounting ports only
        if { ([UDP::local_port] == 1646) or ([UDP::local_port] == 1813) } {
            set CALLID [RADIUS::avp 31 string]
            # AVP 8 = Framed-IP-Address
            set IP [RADIUS::avp 8 ip4]
            if { $IP != "" } {
                table set $IP [LB::server addr] 900
                log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
            }
        }
    }

    when LB_SELECTED {
        log local0. "Selected [LB::server addr] [LB::server port]"
    }

    when SERVER_DATA {
        persist add uie $CALLID
        log local0. "persist added for $CALLID to [LB::server addr]"
    }
  • I assume you have a port wildcard (port = 0) listener to which this iRule is attached. You may get more mileage if you define four VSs, one for each port, all pointing to the same iRule (and pool). The VS matcher is faster than the iRule limiter, but it also allows you to more easily troubleshoot this case.

     

    Either way, when you say it doesn't work for 1645, what is logged? You have a log statement for when the traffic is dropped, and one for when it is persisted. Which message is logged? Is the SERVER_DATA message being logged?
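An added example, not part of the thread and not F5 code: a Python parser for the RADIUS datagram layout (RFC 2865) that extracts the two attributes the iRule reads, Calling-Station-Id (31) and Framed-IP-Address (8), so a captured datagram from the 1645/1646 traffic can be checked offline. The function names and the sample packets are constructed for illustration.

```python
import socket
import struct

# RADIUS attribute types read by the iRule (RFC 2865)
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31

def parse_avps(datagram: bytes) -> dict:
    """Return {attribute type: [raw values]}; raise ValueError if malformed."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("length field does not match datagram")
    avps, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        avps.setdefault(atype, []).append(datagram[pos + 2:pos + alen])
        pos += alen
    return avps

def persistence_inputs(datagram: bytes):
    """Mirror the iRule's two lookups: (Calling-Station-Id, Framed-IP-Address)."""
    avps = parse_avps(datagram)
    callid = avps.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    raw_ip = avps.get(FRAMED_IP_ADDRESS, [b""])[0]
    ip = socket.inet_ntoa(raw_ip) if len(raw_ip) == 4 else ""
    return callid, ip

def build(code: int, avps: list) -> bytes:
    """Constructed-sample builder: zero authenticator, not a signed packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: Access-Request (code 1) and Accounting-Request (code 4)
ACCESS_REQ = build(1, [(1, b"alice"), (31, b"00-11-22-33-44-55")])
ACCT_REQ = build(4, [(31, b"00-11-22-33-44-55"), (8, socket.inet_aton("10.0.0.7"))])

if __name__ == "__main__":
    for name, pkt in (("access", ACCESS_REQ), ("accounting", ACCT_REQ)):
        print(name, persistence_inputs(pkt))
```

A datagram that carries no attribute 31 yields an empty string for the first value, which is worth checking against the `persisted` log line for the failing ports.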