Forum Discussion
Redirection of RADIUS traffic to specific member of pool using iRule - not working properly.
Dear experts,
For troubleshooting purposes (especially when running RADIUS [FreeRADIUS, to be exact] in debug mode), I only want a particular host to be hitting a specific member of the pool. For that purpose, I devised a simple iRule:
```tcl
# Runs once when a new client flow is accepted: route the single host being
# troubleshot (x.x.x.x) to one member of pool pl_radius and every other client
# to the other member.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
        # Debug host: pin it to the member running FreeRADIUS in debug mode
        pool pl_radius member y.y.y.y
    } else {
        # Everyone else: keep them off the debug member
        pool pl_radius member z.z.z.z
    }
}
```
Furthermore, on the RADIUS VIP there is 60-second source address affinity persistence.

Now to the problem. When I apply the iRule to the VIP, it works as expected and immediately starts forwarding traffic to member z.z.z.z. However, no matter how long I wait (the longest I tried was ~30 minutes), there are always around 20 connections (the normal value is around 200) active on the y.y.y.y member which are not coming from the host defined at the beginning of the iRule. Is this standard behavior? If not, would you mind pointing me in the right direction of investigation? Mind you, I do not want to just cut the active connections, but seamlessly move them to the other pool member. Thank you very much and have a nice day.
2 Replies
- PeteWhite
Employee
Are those active connections from a client or maybe from the F5 monitor sessions? It might be worth doing a tcpdump simultaneously to see exactly what's happening on the wire.
- Stefan_Klotz
Cumulonimbus
Hi Jakub,
Are there just servers y.y.y.y and z.z.z.z in the mentioned pool? What behavior do you expect/require if one of these two servers went down (by its monitor)? I can't remember exactly at the moment, but I also had strange behavior with direct pool member assignment via iRule. What about the option to put each of these two servers in a dedicated pool and just reference the correct pool name within your iRule?
Regarding your persistence, 60 seconds is really short for it (do your RADIUS requests really require persistence???), but maybe you have these 20 clients in your network which love to talk with the LB ;). You can check the persistence table/statistics to identify these 20 source IPs. If possible, you can also delete these persistence entries via the command line.
Ciao Stefan :)
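The following iRule is an added example, not code from the original poster or from F5, that combines the steering described in the opening post with Stefan's suggestion of one dedicated pool per server. Instead of hard-coding a member, it selects a pool and, if that pool has no members marked up by its monitor, falls back to the other pool rather than leaving the flow without a destination. The pool names pl_radius_debug and pl_radius_prod and the debug client address 192.0.2.10 are assumptions standing in for the poster's placeholders.

```tcl
# Added example: steer one troubleshooting host to a dedicated pool and all
# other RADIUS clients to a second dedicated pool, with monitor-aware fallback.
# Assumed names (not from the original post): pl_radius_debug, pl_radius_prod,
# and 192.0.2.10 as the host running FreeRADIUS tests in debug mode.
when CLIENT_ACCEPTED {
    set debug_client 192.0.2.10
    set debug_pool   pl_radius_debug
    set prod_pool    pl_radius_prod

    # Primary pool is chosen by client address; the other pool is the fallback.
    if { [IP::addr [IP::client_addr] equals $debug_client] } {
        set primary  $debug_pool
        set fallback $prod_pool
    } else {
        set primary  $prod_pool
        set fallback $debug_pool
    }

    # active_members counts members the monitor currently reports as up, so a
    # server that went down does not receive new flows and the choice is
    # visible in the log instead of failing silently.
    if { [active_members $primary] > 0 } {
        pool $primary
    } elseif { [active_members $fallback] > 0 } {
        log local0. "RADIUS client [IP::client_addr]: $primary has no active members, using $fallback"
        pool $fallback
    } else {
        log local0. "RADIUS client [IP::client_addr]: no active members in $primary or $fallback, dropping"
        drop
    }
}
```

Two caveats a practitioner should keep in mind when reading the counts in the opening post. First, CLIENT_ACCEPTED and therefore the pool choice run only when a flow is created: on a UDP virtual server BIG-IP keeps one flow per client address and port and reuses it for later datagrams until the UDP profile's idle timeout expires (60 seconds by default), unless Datagram LB is enabled in the UDP profile, in which case every datagram is load balanced on its own. A RADIUS client that sends from a fixed source port at least once a minute therefore never leaves its existing flow to y.y.y.y, which is one plausible explanation for a small set of connections that never move, independent of the persistence table. Second, to identify those clients without guessing, `tmsh show sys connection ss-server-addr y.y.y.y` lists the flows to that member with their client addresses, and `tmsh show ltm persistence persist-records` shows the source address records; `tmsh delete sys connection ss-server-addr y.y.y.y` and `tmsh delete ltm persistence persist-records virtual <virtual_server_name>` clear them, but both are the hard cut the poster wants to avoid, so they belong in a maintenance window or after the client has gone idle.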