Forum Discussion
rubbishking_110
Nimbostratus
Mar 25, 2008
UDP Profile?
Hi All
I have created an iRule just now; however, it failed when I tried to assign it to a virtual server.
"01070394:3: UDP::payload in rule (FIP_Route) requires an associated UDP profiles on the virtual server (M1)."
I cannot figure out what I have configured wrong, or whether the problem is in the iRule itself. Can anyone help?
iRule
---------
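when CLIENT_ACCEPTED {
    # UDP::payload requires a UDP profile on the virtual server (see the error above)
    if { [UDP::payload] matches " 10.12.1." } {
        use pool pool1
    } elseif { [UDP::payload] contains "10.12.2." } {
        # elseif must follow the closing brace on the same line in Tcl
        use pool pool2
    }
}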
-------------
44 Replies
- rubbishking_110
Nimbostratus
Hi all
It seems that I have "any virtual" in both iRules. Any idea?
-rk
irule1: used for virtual server 1 (extract the IP address for the payload; payload will use irule2 for the decision)
when RULE_INIT {
    array set ::msg_types {
        4 "Accounting-Request"
        5 "Accounting-Response"
        255 "Reserved"
    }
    array set ::attr_types {
        8 "Framed-IP-Address"
    }
}
when CLIENT_ACCEPTED {
    set client "[IP::client_addr]:[UDP::client_port]"
    if { [UDP::payload length] > 4 } {
        # First byte of the RADIUS header is the message code
        binary scan [UDP::payload] c hdr_code
        # Detect the 1st TLV until last
        log local0. "RADIUS-Type: $::msg_types($hdr_code)($hdr_code) / RADIUS UDP Payload size: [UDP::payload length] bytes"
        # Skip the 20-byte RADIUS header; the rest is the attribute list
        binary scan [UDP::payload] @20a* rest_string
        while { [string length $rest_string] > 4 } {
            # Each attribute is: 1-byte type, 1-byte length, value
            binary scan $rest_string cca* attr_id attr_length rest_string
            scan $attr_length %i length
            set ff [format "a%da*" [expr {$length - 2}]]
            switch $attr_id {
                8 {
                    # Framed-IP-Address: four signed bytes converted to dotted decimal
                    binary scan $rest_string c4a* IPtmp rest_string
                    set IP {}
                    foreach num $IPtmp {
                        lappend IP [expr {($num + 0x100) % 0x100}]
                    }
                    set ::attr_value1 [join $IP .]
                    log local0. "$::attr_types($attr_id)($attr_id): $::attr_value1"
                    if { [IP::addr $::attr_value1 equals 10.11.0.0/255.255.0.0] } {
                        pool MPOOL1
                        log local0. "Pool used for RADIUS Request with Framed-IP-Address <$::attr_value1> from GGSN <$client>."
                        session add uie {$::attr_value1 any virtual} MPOOL1
                        # Proved the lookup is working
                        set poolip [session lookup uie {$::attr_value1 any virtual}]
                        log local0. "$poolip"
                    } elseif { [IP::addr $::attr_value1 equals 10.12.0.0/255.255.0.0] } {
                        pool MPOOL2
                        log local0. "Pool used for RADIUS Request with Framed-IP-Address <$::attr_value1> from GGSN <$client>."
                        session add uie {$::attr_value1 any virtual} MPOOL2
                        # Proved the lookup is working
                        set poolip [session lookup uie {$::attr_value1 any virtual}]
                        log local0. "$poolip"
                    }
                }
                default {
                    binary scan $rest_string $ff attr_value rest_string
                    # Log the numeric id: ::attr_types only has an entry for 8
                    log local0. "attribute id: $attr_id; attribute length: $length; filed value: $attr_value"
                }
            }
        }
    }
}
irule2: used for virtual server 2 (packet with src ip 10.12.1.1 access)
when CLIENT_ACCEPTED {
    set cIP "[IP::client_addr]"
    set poolname [session lookup uie {$cIP any virtual}]
    log local0. "fip=$cIP, pool=$poolname"
}
- rubbishking_110
Nimbostratus
Hi Davie et al
It seems to be working now, but I have no idea why this is working. Can you spend some time to explain it to me?
BTW, one question: how long will the data be kept in the session table?
- rk
- rubbishking_110
Nimbostratus
OK! My question is here.
Now, the framed-ip extracted from irule1 can be reused in irule2. However, I would like to know: if there is no traffic from the src IP (= framed-ip) for, e.g., 20 mins, will the data stored in the session table be purged? I have tried to test this, and it is purged.
If this is the correct behavior, is there any way to keep the data in the session table until a session delete action is issued?
- rk
- mathiew_58773
Nimbostratus
Hello Guys,
We would like to ask for your assistance; we are new to iRules.
We have a requirement to load balance connections to multiple routers going to destination servers.
-- The client needs to authenticate to the backend RADIUS server. Once authenticated, client connections to multiple services (WEB, FTP, WAP) should be persisted to the same router through which the client passes when it sends RADIUS accounting start to the backend RADIUS server.
-- We also need to delete the persistence table for a particular client once it sends RADIUS accounting stop to the backend server.
We have 2 VS on the F5 box: 1 for UDP traffic and another 1 for TCP traffic. These are wildcard virtual servers.
Problem we encountered: client1 and client2 are always being redirected to Router1; client connections are not being distributed to multiple routers going to the destination.
What iRule can we use to load balance the RADIUS requests to multiple routers and persist the client connection based on the Framed-IP attribute of the RADIUS accounting request?
Below are the iRules that we use for the 2 VS that we defined on the F5 box.
========================
Irule for VS 1
========================
rule VS1 {
    when RULE_INIT {
        array set ::msg_types {
            4 "Accounting-Request"
            5 "Accounting-Response"
            255 "Reserved"
        }
        array set ::attr_types {
            8 "Framed-IP-Address"
        }
    }
    when CLIENT_DATA {
        if { [UDP::payload length] > 4 } {
            log "UDP::payload length [UDP::payload length]"
            # First byte of the RADIUS header is the message code
            binary scan [UDP::payload] c hdr_code
            log "radius type $::msg_types($hdr_code)"
            # Skip the 20-byte RADIUS header; the rest is the attribute list
            binary scan [UDP::payload] @20a* rest_string
            while { [string length $rest_string] > 4 } {
                # Each attribute is: 1-byte type, 1-byte length, value
                binary scan $rest_string cca* attr_id attr_length rest_string
                scan $attr_length %i length
                set ff [format "a%da*" [expr {$length - 2}]]
                # Log the numeric id: ::attr_types only has an entry for 8
                log "==== attribute id $attr_id"
                switch $attr_id {
                    1 {
                        # Attribute type 1 (User-Name in RADIUS): persist on its value
                        binary scan $rest_string $ff attr_value rest_string
                        log "attribute id: $attr_id; attribute length: $length; value: $attr_value"
                        persist uie $attr_value
                    }
                    8 {
                        # Attribute type 8 is RADIUS_ATTR_FRAMED_IP_ADDRESS
                        binary scan $rest_string c4a* IPtmp rest_string
                        set IP {}
                        foreach num $IPtmp {
                            lappend IP [expr {($num + 0x100) % 0x100}]
                        }
                        set attr_value [join $IP .]
                        log "$::attr_types($attr_id) value $attr_value"
                        log "attribute id: $::attr_types($attr_id); attribute length: $length; value: $attr_value"
                        persist hash $attr_value
                    }
                    default {
                        binary scan $rest_string $ff attr_value rest_string
                        log "attribute id: $attr_id; attribute length: $length; filed value: $attr_value"
                    }
                }
            }
        }
    }
}
========================
Irule for VS 2
========================
rule rule_hash_irules {
    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]
        log "cilent_is is $client_ip"
        persist hash $client_ip
    }
}
thanks in advance
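Both iRules in this thread walk the RADIUS attribute list with `binary scan` and use the one-byte attribute length exactly as it arrives in the datagram. As an added example (not code from any poster or from F5), the plain-Tcl proc below does the same walk but checks the header length, each attribute length and the Framed-IP-Address size before using them; `radius_framed_ip` is a hypothetical name, the sample packets are constructed, and inside an iRule the argument would be `[UDP::payload]`.

```tcl
# Added example: bounds-checked RADIUS attribute walk (plain Tcl, no iRule commands).
# radius_framed_ip is a hypothetical helper; it returns "" for malformed input
# or when no Framed-IP-Address (type 8) is present.
proc radius_framed_ip {payload} {
    set total [string length $payload]
    # RADIUS header: code(1) id(1) length(2, big-endian) authenticator(16)
    if { $total < 20 } { return "" }
    binary scan $payload ccS code id pkt_len
    set pkt_len [expr {$pkt_len & 0xffff}]
    # The declared length must cover the header and fit inside the datagram
    if { $pkt_len < 20 || $pkt_len > $total } { return "" }
    set pos 20
    while { $pos + 2 <= $pkt_len } {
        binary scan $payload @${pos}cc type len
        # binary scan "c" is signed; mask to get 0..255
        set type [expr {$type & 0xff}]
        set len  [expr {$len & 0xff}]
        # len counts the type and length bytes, so anything under 2 is malformed
        if { $len < 2 || $pos + $len > $pkt_len } { return "" }
        if { $type == 8 } {
            # Framed-IP-Address must carry exactly 4 value bytes
            if { $len != 6 } { return "" }
            binary scan $payload @[expr {$pos + 2}]c4 octets
            set ip {}
            foreach o $octets { lappend ip [expr {$o & 0xff}] }
            return [join $ip .]
        }
        set pos [expr {$pos + $len}]
    }
    return ""
}

# Constructed sample: Accounting-Request (code 4) carrying User-Name "bob"
# and Framed-IP-Address 10.12.1.1
set attrs [binary format cca3 1 5 bob][binary format ccc4 8 6 {10 12 1 1}]
set good  [binary format ccSx16 4 1 [expr {20 + [string length $attrs]}]]$attrs
# Same packet with the User-Name length byte forced to 0 (malformed)
set bad   [string replace $good 21 21 \x00]
puts "well-formed packet: '[radius_framed_ip $good]'"
puts "malformed packet:   '[radius_framed_ip $bad]'"
```

Returning an empty string on any inconsistency lets the caller skip the persistence or session-table write for that datagram instead of acting on a value parsed from a malformed packet.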
