Forum Discussion
TCL error for basic port translation iRule
Background: I've set up a simple iRule that translates the requested VIP:PORT to NODE:PORT. Although this iRule works well, I continue getting these TCL errors. I have tried using IF statements, but this has ended up breaking my iRule. Does anyone know what would be causing this error? Thanks
LTM Version: BIG-IP 11.2.0 Build 2557.0 Hotfix HF2
Log > Local Traffic
err
TCL error: /Common/port_translation - bad IP address format (line 3) invoked from within "node $node_address_port"
Data Group List
Name: port_translation
Type: String
Example: 12080 := 10.0.0.120:8080
iRule
when HTTP_REQUEST {
    set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
    log local0.info "Node address/port is $node_address_port"
    node $node_address_port
}
14 Replies
- What_Lies_Bene1
Cirrostratus
Can I ask why you're doing this translation?
- conorh_17335
Nimbostratus
I need to monitor all of our backend services from a proxy that lives outside of our LTMs. The port translation is due to the limitation of available public IPs. As you can see, I'm including the host address and a portion of the internal port within the external port being accessed by our monitoring system as a way to more easily ID the node/service_port.
- What_Lies_Bene1
Cirrostratus
Can you configure your proxy to monitor specific URLs? If so, I just answered another post relating to an iRule used to help monitor nodes behind a VIP: https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2164722/showtab/groupforums/Default.aspx
- conorh_17335
Nimbostratus
To be more clear, our objective for this type of monitoring requires that we use low layer networking like port translation to mimic some environments using only firewalls.
- hoolio
Cirrostratus
I think you need to pass separate node and port parameters to the node command:
- conorh_17335
Nimbostratus
After changing, this still returns:
TCL error: /Common/stage_google_port_translation - bad IP address format (line 3) invoked from within "node [getfield $node_address_port ":" 1] [getfield $node_address_port ":" 2]"
- hoolio
Cirrostratus
Does the data group lookup return a value? Can you log that or the output from the getfield commands to make sure they're returning an IP and port?
- nitass
Employee
it seems okay to me.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:0
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
        log local0.info "Node address/port is $node_address_port"
        node $node_address_port
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal port_translation
ltm data-group internal port_translation {
    records {
        12080 {
            data 200.200.200.101:8080
        }
    }
    type string
}

packet trace

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12080 or port 8080
New TCP connection 1: 172.28.20.11(34527) <-> 172.28.19.252(12080)
1350968783.1644 (0.0010) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(34527) <-> 200.200.200.101(8080)
1350968783.1654 (0.0007) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------

log

[root@ve11a:Active:Changes Pending] config tail /var/log/ltm
Oct 23 13:06:21 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:49831
Oct 23 13:06:23 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.101:8080
Oct 23 13:06:25 tmm notice tmm[23647]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:49831
- nitass
Employee
in case of external data group.

[root@ve11a:Active:Changes Pending] config cat /config/filestore/files_d/Common_d/data_group_d/\:Common\:port_translation_file_1
"12080" := "200.200.200.101:8080",
"12081" := "200.200.200.111:8080",
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group external port_translation
ltm data-group external port_translation {
    external-file-name port_translation_file
    type string
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
        log local0.info "Node address/port is $node_address_port"
        node $node_address_port
    }
}

packet trace

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12080 or port 8080
New TCP connection 1: 172.28.20.11(34534) <-> 172.28.19.252(12080)
1350976437.3284 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(34534) <-> 200.200.200.101(8080)
1350976437.3315 (0.0010) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12081 or port 8080
New TCP connection 1: 172.28.20.11(49751) <-> 172.28.19.252(12081)
1350976511.4554 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12081
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(49751) <-> 200.200.200.111(8080)
1350976511.4564 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12081
Accept: */*
---------------------------------------------------------------

log

[root@ve11a:Active:Changes Pending] config tail /var/log/ltm
Oct 23 15:13:22 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:33582
Oct 23 15:13:57 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.101:8080
Oct 23 15:14:43 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:47996
Oct 23 15:15:09 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:39223
Oct 23 15:15:11 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.111:8080
Oct 23 15:15:13 tmm notice tmm[23647]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:39223
- conorh_17335
Nimbostratus
This is the output I get when making the request to my VIP with the [getfield] iRule applied.
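Added example, not part of any post in this thread: a defensive version of the port-translation iRule that follows the two suggestions made in the replies (pass address and port to `node` separately, and check what the data group lookup returns). It assumes the `/Common/port_translation` string data group with `port := address:port` records from the original post, and it rejects the connection when the listener port has no record or the record is malformed; the thread does not confirm that either case is what triggers the logged error.

```tcl
when HTTP_REQUEST {
    # Look up the port the client connected to. With -value, class match
    # returns an empty string when the data group has no matching record.
    set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]

    # Fail closed on unmapped ports instead of handing "" to the node command.
    if { $node_address_port eq "" } {
        log local0.warning "port_translation: no record for port [TCP::local_port] (client [IP::client_addr])"
        reject
        return
    }

    # Split "10.0.0.120:8080" into its address and port fields.
    set node_addr [getfield $node_address_port ":" 1]
    set node_port [getfield $node_address_port ":" 2]

    # Assumption of this example: records hold IPv4 addresses only.
    # Accept a dotted-quad address and a numeric port in the valid range.
    if { ![regexp {^(\d{1,3}\.){3}\d{1,3}$} $node_addr]
         || ![string is integer -strict $node_port]
         || $node_port < 1 || $node_port > 65535 } {
        log local0.err "port_translation: malformed record '$node_address_port' for port [TCP::local_port]"
        reject
        return
    }

    log local0.info "port_translation: [TCP::local_port] -> $node_addr:$node_port"
    node $node_addr $node_port
}
```

The warning line records which listener port and client produced a failed lookup, which is the value the replies ask to see when the error appears.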