Forum Discussion
qingnian_74284
Nimbostratus
Jan 23, 2008
Urgent, please help to check why this irule didn't work
Hi everybody,
I created an iRule to try to send source IPs in the defined range to the CSG_IN pool, and server IPs in the defined range to the CSG_OUT pool, but it didn't work. E.g., I traced the traffic with source IP 192.168.253.2 hitting the bigip, but it doesn't show up in the CSG_IN vlan. Please help, it is an urgent request. Many thanks.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.168.253.0/255.255.255.0] or
         [IP::addr [IP::client_addr] equals 192.168.254.0/255.255.255.0] or
         [IP::addr [IP::client_addr] equals 10.162.72.0/255.255.255.0] } {
        pool CSG_IN
    }
    if { [IP::addr [IP::server_addr] equals 192.168.253.0/255.255.255.0] or
         [IP::addr [IP::server_addr] equals 192.168.254.0/255.255.255.0] or
         [IP::addr [IP::server_addr] equals 10.162.72.0/255.255.255.0] } {
        pool CSG_OUT
    } else {
        pool MO2_bigip
    }
}
3 Replies
- hoolio
Cirrostratus
IP::server_addr isn't a valid command in the CLIENT_ACCEPTED event as there isn't a server side connection established yet. You should see a TCL error in the /var/log/ltm log file.
You might be looking for IP::local_addr which will return the destination IP of the client's packet.
Also, what do you want to happen if 192.168.253.1 made a request to 192.168.254.1? With your current rule, it would be sent to the CSG_OUT pool.
For your reference, check this post for details on the IP:: command output in various events: (Click here)
Aaron
- qingnian_74284
Nimbostratus
Hi Aaron,
Many thanks for your prompt reply, it really helps. Now there is no problem with the rule syntax, but it seems the Bigip prevents port 80 traffic to and from CSG. Here are my observations:
1. Using the existing rule, traffic for www.gmail.com works fine. I can see it going to and coming from CSG.
2. Traffic for anything other than port 80 works fine. I mean it goes through the CSG.
E.g.: port 443 (https), ICMP, Telnet, etc.
But traffic for port 80 never reaches the CSG vlan
Even if I remove the internal rule completely.
Even if I assign pool: CSG_IN to the Internet VLAN.
I tried to telnet IP 5.6.7.8 from my air card: please see the dump
[root@ML02BIG006:Active] dataeng tcpdump -ni CSG_IN host 10.162.72.3
02:55:32.142977 10.162.72.3.4124 > 5.6.7.8.telnet: S 710742154:710742154(0) win 42300 (DF)
02:55:35.222239 10.162.72.3.4124 > 5.6.7.8.telnet: S 710742154:710742154(0) win 42300 (DF)
Also for ping
[root@ML02BIG006:Active] dataeng tcpdump -ni CSG_IN host 10.162.72.3
tcpdump: listening on CSG_IN
03:00:38.977723 10.162.72.3 > 5.6.7.8: icmp: echo request
03:00:43.716244 10.162.72.3 > 5.6.7.8: icmp: echo request
Conclusion is that only port 80 traffic doesn't reach CSG. The reason can be any peculiar config, script or optimization by our vendor flashnetwork, because earlier port 80 traffic was being sent to Netgain and Netcash for compression.
Please help to figure out how I can change the config in bigip to lift the screen for port 80 traffic.
Thanks
BRs
Qingnian
- hoolio
Cirrostratus
Can you post your current rule and the definition from the bigip.conf of your virtual server(s)? Can you also clarify what's working and what is failing?
This statement:
"Traffic for anything other than port 80 works fine."
seems to conflict with this statement:
"Conclusion is that only port 80 traffic doesn't reach CSG"
When you run tcpdump, you can use interface 0.0 to capture traffic on all switch ports:
tcpdump -ni 0.0 -s0 host CLIENT_IP or host DESTINATION_IP
Thanks,
Aaron
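
The correction from hoolio's first reply written out as an added example (not code posted by anyone in the thread): IP::local_addr replaces IP::server_addr, and the two separate if statements become one if/elseif/else chain, because in the original rule a client that matched CSG_IN but whose destination did not match fell into the second statement's else branch and was reassigned to MO2_bigip. Pool names and subnets are those of the original post; giving the client match precedence over the destination match is an assumption, and the log line is a debugging aid.

```tcl
when CLIENT_ACCEPTED {
    # IP::client_addr is the source address of the client's packet.
    # IP::local_addr is its destination address and is valid in this event;
    # IP::server_addr is not, since no server-side connection exists yet.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # One chain, so exactly one pool command runs per connection.
    # Assumption: when both source and destination are in the listed
    # subnets, the source match wins. Swap the first two branches for
    # the opposite precedence.
    if { [IP::addr $src equals 192.168.253.0/255.255.255.0] or
         [IP::addr $src equals 192.168.254.0/255.255.255.0] or
         [IP::addr $src equals 10.162.72.0/255.255.255.0] } {
        set target CSG_IN
    } elseif { [IP::addr $dst equals 192.168.253.0/255.255.255.0] or
               [IP::addr $dst equals 192.168.254.0/255.255.255.0] or
               [IP::addr $dst equals 10.162.72.0/255.255.255.0] } {
        set target CSG_OUT
    } else {
        set target MO2_bigip
    }

    pool $target

    # Debugging aid: records the decision in /var/log/ltm.
    # Remove once the routing is confirmed, as it logs every connection.
    log local0. "src=$src dst=$dst port=[TCP::local_port] pool=$target"
}
```

With the log line in place, each connection's pool choice can be compared against a tcpdump on interface 0.0 to see whether the rule or something outside it is diverting the traffic.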