
TFTP load balancing

Problem this snippet solves:

TFTP works in similar fashion to active FTP, using a callback from a random high port for the data stream:

  1. The initiating host A sends a request packet to host B at well-known port 69.
  2. B replies with a packet sent from an ephemeral port, which should be used for the remainder of the request for all data packets between host A and host B.

To support the callback connection, you would:

  1. Configure the UDP virtual server on port 69 to accept the control connection.
  2. Configure and apply a SNAT, enabled at least on the server-side VLAN.
  3. Apply the following iRule to establish, for each data connection, a temporary listener on the appropriate port of the SNAT address.
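To make the callback concrete, here is an added example (not part of the original snippet, and not F5 code) that runs one TFTP read request over loopback in Python. The server's request socket stands in for UDP/69 (bound to an ephemeral port so no root is needed); the DATA reply comes from a freshly bound port, the server's transfer ID (TID); and a packet that reaches that port from any other source port is answered with TFTP ERROR code 5, Unknown transfer ID, as RFC 1350 requires. That is the flow a load balancer in the middle has to carry through: the data path never touches port 69, and whatever address and port the request left on is where the server's data comes back to. The file name, file content and ports are constructed for the example.

```python
import socket
import struct
import threading

# TFTP opcodes (RFC 1350) and the error code a server returns when a packet
# arrives from a source port other than the one the transfer was set up with.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_UNKNOWN_TID = 5

# Constructed sample file served by the toy server.
FILES = {"hello.txt": b"hello from tftp"}


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\0"


def parse(pkt):
    """Decode one TFTP packet into (opcode, ...) fields."""
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (OP_RRQ, OP_WRQ):
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return op, name.decode(), mode.decode()
    if op in (OP_DATA, OP_ACK, OP_ERROR):
        num = struct.unpack("!H", pkt[2:4])[0]   # block number or error code
        rest = pkt[4:]
        if op == OP_ERROR:
            rest = rest.split(b"\0", 1)[0].decode()
        return op, num, rest
    raise ValueError("unknown opcode %d" % op)


def serve_one(ctrl):
    """Server side: answer one RRQ received on the well-known-port socket.

    The DATA reply is sent from a NEW socket on a fresh ephemeral port (the
    server TID); the client must talk to that port, not to the request port.
    """
    pkt, client = ctrl.recvfrom(512)
    op, name, _mode = parse(pkt)
    if op != OP_RRQ or name not in FILES:
        ctrl.sendto(build_error(1, "File not found"), client)
        return
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    data_sock.bind(("127.0.0.1", 0))          # kernel picks the server TID
    data_sock.settimeout(3)
    data_sock.sendto(build_data(1, FILES[name]), client)
    try:
        while True:
            pkt, peer = data_sock.recvfrom(512)
            if peer != client:
                # Wrong TID: RFC 1350 says answer with error 5 and keep the transfer alive.
                data_sock.sendto(build_error(ERR_UNKNOWN_TID, "Unknown transfer ID"), peer)
                continue
            if parse(pkt)[:2] == (OP_ACK, 1):
                return                            # one block < 512 bytes, transfer done
    finally:
        data_sock.close()


def fetch(ctrl_port, name="hello.txt"):
    """Client side: RRQ to the well-known port, then finish the transfer with
    the server TID learned from the DATA packet's source address."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))                    # client TID (ephemeral port)
    cli.settimeout(3)
    cli.sendto(build_rrq(name), ("127.0.0.1", ctrl_port))
    pkt, server_tid = cli.recvfrom(516)           # 4-byte header + up to 512 bytes
    op, block, payload = parse(pkt)
    if op != OP_DATA:
        raise RuntimeError("expected DATA, got opcode %d" % op)

    # Anything that is not the client TID (here a second socket) gets error 5.
    stray = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    stray.bind(("127.0.0.1", 0))
    stray.settimeout(3)
    stray.sendto(build_ack(block), server_tid)
    _, err_code, err_msg = parse(stray.recvfrom(512)[0])
    stray.close()

    cli.sendto(build_ack(block), server_tid)      # the real ACK goes to the TID
    cli.close()
    return {"control_port": ctrl_port, "server_tid": server_tid[1],
            "payload": payload, "stray_error": err_code, "stray_msg": err_msg}


def run_exchange():
    ctrl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ctrl.bind(("127.0.0.1", 0))   # stands in for UDP/69 (unprivileged port, no root needed)
    ctrl.settimeout(5)
    srv = threading.Thread(target=serve_one, args=(ctrl,), daemon=True)
    srv.start()
    try:
        return fetch(ctrl.getsockname()[1])
    finally:
        srv.join(5)
        ctrl.close()


if __name__ == "__main__":
    r = run_exchange()
    print("request went to port %d, data came from port %d" % (r["control_port"], r["server_tid"]))
    print("stray sender got error %d (%s)" % (r["stray_error"], r["stray_msg"]))
```

Run it and the two printed ports differ: the request port only ever sees the RRQ, and the rest of the transfer lives between the two ephemeral ports. A load balancer that only tracks the flow to port 69 therefore has nothing to match the server's DATA packets against, which is why the iRule below opens a listener on the SNAT address and port the request left from.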

Note: Requires LTM version > v9.0.3

How to use this snippet:

  • Timeout should match the timeout in the UDP profile applied to the virtual server.
  • Works with or without SNAT.

It is important to note that the LTM has to have a route back to the client, since the new listener that is brought up to handle the data flow back to the client will not have an associated last-hop value.

Beware: with simultaneous access by TFTP clients, the following error can appear: TCL error: P_TFTP_NAT_IRULE - command returned bad code: 12

Code :

rule tftp_rule {
  # Runs once the server-side UDP flow to the selected pool member is up.
  when SERVER_CONNECTED {
    # Open a temporary UDP (proto 17) listener for this transfer:
    #   bind   - the VLAN of the server-side flow, the LTM's server-side (SNAT)
    #            address and the source port the request left the LTM on, i.e.
    #            where the TFTP server will send DATA from its new ephemeral port
    #   server - forward what arrives there to the real client address and the
    #            client's original source port (evaluated in the peer, i.e.
    #            client-side, context; IP::client_addr is the v9+ form of the
    #            legacy client_addr command)
    #   allow  - accept packets only from the selected TFTP server
    # timeout should match the idle timeout of the UDP profile on the virtual.
    listen {
      proto 17
      timeout 60
      bind [LINK::vlan_id] [IP::local_addr] [serverside {UDP::local_port}]
      server [peer {IP::client_addr}] [peer {UDP::client_port}]
      allow [IP::server_addr]
    }
  }
}
Published Mar 18, 2015
Version 1.0

4 Comments

  • Thanks for the iRule, but what do you mean by the "route back to the client", and how do I build this?
  • jcrew
    How can you view the ephemeral listener that is created for each connection? In testing, I notice that when multiple requests come into the virtual server within the timeout from the same source IP and same source port, only the first request is successful.
  • ms_g
    Hi, is this supposed to work with software versions 12 and 13? Thanks!

  • ms_g
    Hi guys, is this working for you? I tried to use it, as I have a TFTP server that I have to load-balance! I used UDP 69 and applied the rule, but I see this in the logs:
    TFTP notice: failed to open listener for xxxxxxx%1:54865
    TFTP notice: failed to open listener for xxxxxxxxx%1:2164
    TFTP notice: failed to open listener for xxxxxxxxx%1:54865

    I mention that before applying the iRule I managed to get the file onto the TFTP server, but with 0 kB. In the tcpdumps on the F5 I have seen this: a write request which is hitting the server, a server ack, and then the server is sending opcode 5 and an "undefined error". Opcode 5 in TFTP is a TID (transfer ID).

    Any ideas?