Forum Discussion
Subrun
Cirrostratus
CirrostratusSysLog UDP Load Balancing
Hello,
1st of all I require some guideline/suggestion here. I am configuring a Virtual Server from F5 listening on 514 and translating port to 8514 at backend servers. Idea is Systems will send the syslog through this F5 and F5 VIP will eventually send logs to Backend Syslog Connectors.
Traffic Flow is like below
Client >> F5 VIP_IP [ 2.2.2.2] ( Service Port 514 ) ( UDP Profile with FastL4 Profile ) -- >> Backend Syslog Connector 2.2.2.6, 7 on 8514 Port.
Clearly to specify VIP IP and Backend IP are in the same subnet hence I do not need to enable SNAT. Also I was thinking if I enable SNAT at backend how do they identify actually who send the Log. What is the Guideline for this to make sure Syslog can see actual source and Syslog Servers follow return traffic through F5 ?. ( Note that Servers gateway are at Network Device not in F5 )
Also if I set monitor TCP or Gateway ICMP Pool Goes Down. Pool is live only if I set Monitor as UDP. Why is that ?
How I should check that UDP Traffic is load balanced. But this is less important as I need to be sure about the Traffic Flow.
Please advise.
Below is the Virtual Server Config
tmsh list ltm virtual Virtual_Server all-properties
[api-status-warning] ltm/virtual, properties : deprecated : mobile-app-tunnel, urldb-feed-policy
ltm virtual Virtual_Server {
address-status yes
app-service none
auth none
auto-lasthop default
bwc-policy none
clone-pools none
cmp-enabled yes
connection-limit 0
creation-time 2020-02-25:18:47:05
description "Supports Syslog"
destination 2.2.2.2:514
enabled
fallback-persistence none
flow-eviction-policy none
gtm-score 0
ip-protocol udp
last-hop-pool none
last-modified-time 2020-02-25:20:04:58
mask 255.255.255.255
metadata none
mirror disabled
mobile-app-tunnel disabled
nat64 disabled
partition Common
per-flow-request-access-policy none
persist none
policies none
pool SYSLOG_Pool
profiles {
fastL4 {
context all
}
}
rate-class none
rate-limit disabled
rate-limit-dst-mask 0
rate-limit-mode object
rate-limit-src-mask 0
related-rules none
rules none
security-log-profiles none
service-down-immediate-action none
service-policy none
source 0.0.0.0/0
source-address-translation {
pool none
type none
}
source-port preserve
syn-cookie-status not-activated
traffic-classes none
traffic-matching-criteria none
translate-address enabled
translate-port enabled
transparent-nexthop none
urldb-feed-policy none
vlans {
vlan_222
}
vlans-enabled
vs-index 97
}
consul_2019Cirrus
You're setup is essentially one-armed LB. You must have a SNAT enabled so that traffic returns through BIG-IP; the SYSLOG messages should be in the UDP payload anyway, so I don't think there would be a problem using SNAT.
Regarding your monitors, yes SYSLOG can also work over TCP 514 but is your server listening on TCP as well as UDP? Either way, I would suggest it makes more sense to have a UDP monitor in this case. Not that I like UDP monitors, but you might need to use it along with a secondary monitor (it's only UDP!). If you can ping or telnet to your servers from F5, then TCP and ICMP should work. Not sure why you want to use gateway_icmp as opposed to just ICMP.
A quick google, brings up this article: https://support.f5.com/csp/article/K6143
To check the LB of your pool, look at the stats.
- Mayur_Sutare
MVP
Having F5 VIP and backend server in same subnet does not mean SNAT is not required. If you do not want to enable SNAT, your syslog server default gateway should be F5 so it will complete the session. Else you must have SNAT enabled to complete session.
Hope it helps!
Mayur
SubrunThank You Both of you for reply.
But Look like SysLog team is not able to get the Actual Source from Syslog Payload. So from F5 side what I can do while this is also not possible to set the Gateway of Backend Servers to F5 rather than now at L3 Network Firewall ?
- Mayur_Sutare
Then you can configure X-Forwarder-For under http profile. So F5 will add client IP under http header and send it to syslog server. So syslog will be able see source IP address with SNAT enabled on F5.
But there is configuration to be done on syslog/server end too in order to extract http header.
Ref link - https://support.f5.com/csp/article/K4816
Mayur
- Subrun
Hello Mayur,
If You see attached image there is no HTTP Profile as this is a Performance Layer 4 VIP and Service Port is listening on 514 UDP Port. Hence it does not allow me to set that ( X-Forwarded ) option from HTTP Profile.
- Subrun
- Mayur_Sutare
Yes, with layer 4 VIP, we can't configure X-Forwarded-For.
danmassa7Nimbostratus
We are also standing up a VIP to receive UDP syslog traffic on 514. We then want to send it to a cluster of back-end LogStash servers on UDP port 6008.
Since UDP syslog is unacknowledged uni-directional traffic it seems we don't need to setup an SNAT. Without the SNAT the packet with its original src addr will arrive at the LogStash servers.
Does that sound fine? That's what we were planning, but have not put it in place yet.
- RedWave25
Late reply but for people that might still google search this.
"Having F5 VIP and backend server in same subnet does not mean SNAT is not required. If you do not want to enable SNAT, your syslog server default gateway should be F5 so it will complete the session"
Nothing is needed to complete any session. As you pointed out this is a one way traffic that doesn't need to return back to clients that sends their syslogs through F5. No SNAT required and servers are not required to have F5 as their gateway. I'd also use stateless virtual server as opposed to Performance. Also use special UDP profile.
https://my.f5.com/manage/s/article/K3605
