Forum Discussion
"General database error retrieving information" when accessing System> Users> User list in GUI
You're right, small data packets because of ftp-control.
Below is the first iRule calling the second. And then the log. I'd be very interested to see what you think might be happening.
The log lookup of both the STRING value and the $var value on the second virtual server does not work, despite occurring later in time than when they are put in the tables. It seems like they are saved to different tables, or that the table is somehow reset before the lookup. The IP::client_addr is the same on both virtual servers, so the key is consistent - at least, that's what the log says. When the key is set as a string, it doesn't work either.
iRule 1
when CLIENT_ACCEPTED {
    log local0.debug "client accepted VS1"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    # Plain-text FTP greeting first; TLS is enabled only after the client's AUTH TLS
    SSL::disable
    TCP::respond "220 My ftp server\r\n"
    TCP::collect 10
}
when CLIENT_DATA {
    log local0.debug "client data VS1"
    log local0.debug "[TCP::payload] is the payload VS1"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    TCP::respond "234 AUTH TLS Successful\r\n"
    # Drop the collected AUTH TLS command so it is not forwarded
    TCP::payload replace 0 [TCP::payload length] ""
    log local0.debug "[TCP::payload] is the payload (should be empty) VS1"
    log -noname local0.info "CLIENT_DATA found client data"
    log -noname local0.info "CLIENT_DATA send to virtual vs-test-02"
    # Hand the connection to the second virtual server, now with TLS on
    virtual /Common/VIP2
    SSL::enable
    TCP::release
    log local0.debug "TCP Release Completed VS1"
}
when SERVER_CONNECTED {
    log local0.debug "This is server connected event VS1"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    TCP::collect
}
when SERVER_DATA {
    log local0.debug "this is server data event VS1"
    log local0.debug "[TCP::payload] payload from server VS1"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    # The client already received a 220 banner from this rule, so suppress the server's
    if { [TCP::payload] contains "220 " } {
        TCP::payload replace 0 [TCP::payload length] ""
        log local0.debug "[TCP::payload] (empty) payload line (server data event line 27) on VS1"
    }
    TCP::release
    TCP::collect
}
when CLIENTSSL_CLIENTHELLO {
    log local0. "This is clientssl_clienthello - VS1"
}
when CLIENTSSL_CLIENTCERT {
    log local0. "This is clientssl_clientcert - VS1"
    set sidc [SSL::sessionid]
    log local0. "CLIENTSSL session ID is $sidc"
    set myCount [SSL::cert count]
    log local0. "Count of certificates is $myCount"
    set client_cert [SSL::cert 0]
    # <<EXTRACT CERT VALUE in $var local variable>>  (elided in the post; $var must be set here)
    log local0. "this is VAR value $var"
    set srcip [IP::client_addr]
    # Key = client IP; timeout 5 s, lifetime 5 s. table add does not overwrite an existing key.
    table add -subtable "blacklist" $srcip "$var" 5 5
    log -noname local0.info "send to virtual vs-test-02"
    set result [table lookup -subtable "blacklist" $srcip]
    log -noname local0.info "result is $result"
}
when CLIENTSSL_HANDSHAKE {
    log local0. "This is clientssl_handshake - VS1"
}
when CLIENT_CLOSED {
    log local0.debug "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
}
iRule 2
when CLIENT_ACCEPTED {
    log local0.debug "client accepted VS2"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    TCP::release
    TCP::collect
}
when CLIENT_DATA {
    log local0.debug "[TCP::payload] VS2 client data event"
    log local0. "This is client data"
    log local0.debug [TCP::payload]
    log local0.debug "This is line 29"
    TCP::release
    TCP::collect
}
when SERVER_CONNECTED {
    log local0.debug "VS2 server connected event - on inner F5 this is connection to FTP server"
    log local0.debug "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    TCP::collect
}
when SERVER_DATA {
    log local0.debug "[TCP::payload] server data event VS2"
    TCP::release
    TCP::collect
}
when SERVERSSL_CLIENTHELLO_SEND {
    log local0. "This is SERVERSSL_CLIENTHELLO_SEND - VS2"
    TCP::collect
    TCP::release
}
when SERVERSSL_SERVERCERT {
    log local0. "This is SERVERSSL_SERVERCERT - VS2"
    # Look up the value VS1 stored under the client IP in the "blacklist" subtable
    set srcip [IP::client_addr]
    set result [table lookup -subtable "blacklist" $srcip]
    log -noname local0.info "SERVERSSL_SERVERCERT result for $srcip is $result."
    TCP::respond "VAR_$result\r\n"
}
when SERVERSSL_SERVERHELLO {
    log local0. "This is SERVERSSL_SERVERHELLO - VS2"
}
when SERVERSSL_HANDSHAKE {
    log local0. "This is SERVERSSL_HANDSHAKE - VS2"
}
when SERVERSSL_DATA {
    log local0. "This is SERVERSSL_DATA - VS2"
}
Wow, that is quite something. While I find it weird your ticket(s) with F5 aren't picked up, I'm also a bit worried if they will work on this, as there is a lot of stuff going on.
I would like to build some of it myself but I'm still a bit confused about what you are doing. Is the first VS a plain FTP front to an actual FTPS server?
Or is that a way to check client certificates?
But why do you want to do an IP blacklist check on the second VS, or is this a cleaned-up version and normally you do something else?
Perhaps you can explain the functional requirement here and there is a better way to solve that.
And looking at your iRule you know more about this than I do; still, I'm a bit worried about all those TCP::collect and TCP::release. Are all those needed?
You can do that with HSL, all the pieces you need are in this article. Post back with some code fragments if you have any questions and we'll help you out!
- Jaspreetgurm, Nov 16, 2021 (Altocumulus)
Thanks, Jason :)
I just prepared the configuration as below. Please revert with your kind suggestion on this.
1) Adding Splunk server as pool member.
Navigate to Local Traffic > Pools
Click Create.
Name: Splunk_HSL_Pool
IP address: 10.10.10.10
Port: 514
Click Finished.
2) Log Destination
Navigate to System > Logs > Configuration > Log Destinations.
Click Create.
Name field: Splunk_HSL_logging
Type: Remote High-Speed Log
Pool Name: Splunk_HSL_Pool
Protocol: HSL
Click Finished.
3) Log Format
Navigate to System > Logs > Configuration > Log Destinations.
Click Create.
Name: Splunk_Logs
Type: Splunk
Forward To: Splunk_HSL_logging
Click Finished.
4) Publisher
Navigate to System > Logs > Configuration > Log Publishers.
Click Create.
Name: Splunk_Publisher
Destinations: Splunk_HSL_logging
Click Finished.
iRule for virtual server.
******************************
Go to Local Traffic > iRules
Name: Splunk_logging
Copy and paste the code below.
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
    set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set virtual_server [LB::server]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    # Referer is used in the HSL::send below; the original rule never captured it,
    # so the send would fail with "no such variable"
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    # Check existence first: comparing an absent header ("" > 0) is a Tcl expr error
    # that aborts the rule for that request
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    # set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]
    # HTTP_URL uses $http_uri, the variable actually set in HTTP_REQUEST ($http_url was never defined)
    HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_uri, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"
}
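The HSL::send above emits one flat key=value line per response, so whoever ingests it (Splunk or any SIEM parser) has to split it correctly: the separators are a mix of ", " and ",", the unquoted URL can itself contain commas, and the quoted User-Agent almost always does. The following Python parser is an added example written for this thread; it is not code from the post or from F5. It tokenizes that exact layout by anchoring on the `KEY=` markers instead of splitting on commas, reports which of the rule's fields are missing from a line (the symptom of a variable the rule never set), and decodes the leading `<PRI>`, where 514 is above the syslog maximum of 191 (facility 0..23 times 8 plus severity 0..7), so a syslog receiver would not treat it as a valid priority. The sample line and all its values are constructed.

```python
import re
from typing import Dict, List

# Field names in the order the posted iRule's HSL::send emits them.
EXPECTED_KEYS = (
    "CLIENT_IP", "VIP", "VIP_NAME", "SERVER_NODE", "SERVER_NODE_PORT", "HTTP_URL",
    "HTTP_VERSION", "HTTP_STATUS", "HTTP_METHOD", "HTTP_CONTENT_TYPE", "HTTP_USER_AGENT",
    "HTTP_REFERRER", "REQUEST_START_TIME", "REQUEST_ELAPSED_TIME", "BYTES_IN", "BYTES_OUT",
)

# Constructed sample (values made up) in the exact layout of the iRule's format string:
# mixed ", " / "," separators, an unquoted URL containing a comma, a quoted User-Agent
# containing a comma, and an empty quoted referrer.
SAMPLE_LINE = (
    '<514> HSL, CLIENT_IP=203.0.113.7, VIP=198.51.100.10, VIP_NAME="/Common/vs_web", '
    'SERVER_NODE=10.0.0.5, SERVER_NODE_PORT=80, HTTP_URL=/login?next=/a,b, HTTP_VERSION=1.1, '
    'HTTP_STATUS=200, HTTP_METHOD=GET, HTTP_CONTENT_TYPE=text/html, '
    'HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64) rv:1, gecko", HTTP_REFERRER="",'
    'REQUEST_START_TIME=2021/11/16 10:15:00,REQUEST_ELAPSED_TIME=12, BYTES_IN=0, BYTES_OUT=5120\r\n'
)

HEADER_RE = re.compile(r"<(\d{1,3})>\s*HSL,\s*")
KEY_RE = re.compile(r"([A-Z_]+)=")
# A separator is a comma (plus optional spaces) that is immediately followed by KEY=.
# Anchoring on that, rather than on every comma, keeps commas inside unquoted values intact.
SEP_RE = re.compile(r",\s*(?=[A-Z_]+=)")
TRAIL_RE = re.compile(r",\s*")
SYSLOG_MAX_PRI = 191  # facility 0..23 * 8 + severity 0..7


def parse_hsl_line(line: str) -> Dict[str, object]:
    """Tokenize one HSL line into its PRI and key/value fields.

    Raises ValueError when the line does not follow the iRule's layout.
    """
    line = line.rstrip("\r\n")
    header = HEADER_RE.match(line)
    if header is None:
        raise ValueError("line does not start with <PRI> HSL,")
    pri = int(header.group(1))
    fields: Dict[str, str] = {}
    pos = header.end()
    while pos < len(line):
        key_match = KEY_RE.match(line, pos)
        if key_match is None:
            raise ValueError(f"expected KEY= at offset {pos}")
        key = key_match.group(1)
        pos = key_match.end()
        if pos < len(line) and line[pos] == '"':
            # Quoted value: runs to the next double quote. The iRule does not escape
            # quotes inside values, so a value containing '"' would be cut short here.
            end = line.find('"', pos + 1)
            if end == -1:
                raise ValueError(f"unterminated quote in field {key}")
            value = line[pos + 1:end]
            pos = end + 1
        else:
            # Unquoted value: runs up to the next ", KEY=" separator or the end of the line.
            sep = SEP_RE.search(line, pos)
            end = sep.start() if sep else len(line)
            value = line[pos:end]
            pos = end
        fields[key] = value
        trail = TRAIL_RE.match(line, pos)
        if trail:
            pos = trail.end()
        elif pos < len(line):
            raise ValueError(f"unexpected text after field {key} at offset {pos}")
    pri_valid = 0 <= pri <= SYSLOG_MAX_PRI
    return {
        "pri": pri,
        "pri_valid": pri_valid,
        "facility": (pri >> 3) if pri_valid else None,
        "severity": (pri & 7) if pri_valid else None,
        "fields": fields,
    }


def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Names from EXPECTED_KEYS the line did not carry, e.g. a variable the rule never set."""
    return [k for k in EXPECTED_KEYS if k not in fields]


if __name__ == "__main__":
    parsed = parse_hsl_line(SAMPLE_LINE)
    print("PRI", parsed["pri"], "valid" if parsed["pri_valid"] else "INVALID (> 191)")
    for name, value in parsed["fields"].items():
        print(f"  {name} = {value!r}")
    print("missing:", missing_fields(parsed["fields"]) or "none")
```

Running it prints each field on its own line and flags the 514 priority as invalid; pointing it at lines captured from the HSL pool member (for example with tcpdump on port 514) shows directly whether every expected field arrives and whether a User-Agent or URL is being split mid-value.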
- jaikumar_f5, Nov 18, 2021 (Noctilucent)
You'll have to modify your hsl cmd to avoid outage, there's a known bug & I learned it by experience. Hope it helps.
Also why would you need a TCP, set it as UDP protocol.
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
    # Set the splunk hsl pool in a variable first
    set splunk_pool Splunk_HSL_Pool
    # Use that variable to call out in below command
    # Bug - https://support.f5.com/csp/article/K14505
    set hsl [HSL::open -proto UDP -pool $splunk_pool]
}
And again I see you are creating an HSL open in HTTP_RESPONSE which is not required. Just HSL send would be enough.
- Sulabh_Srivasta, Dec 05, 2023 (Cirrus)
I followed the above steps and configured the iRule; however, when I am applying the iRule the virtual server stops working, getting the message "This page isn't working". I captured the traffic on LTM but don't see any issue.
Any help is greatly appreciated. Thanks!