TFTP load balancing
Problem this snippet solves:
TFTP works in a similar fashion to active FTP, using a callback from a random high port for the data stream:
1. The initiating host A sends a request packet to host B at well-known port 69.
2. B replies with a packet sent from an ephemeral port, which should be used for the remainder of the request for all data packets between host A and host B.

To support the callback connection, you would:
1. Configure the UDP virtual server on port 69 to accept the control connection.
2. Configure and apply a SNAT, enabled at least on the server-side VLAN.
3. Apply the following iRule to establish, for each data connection, a temporary listener on the appropriate port of the SNAT address.
Note: Requires LTM version > v9.0.3
How to use this snippet:
- Timeout should match the timeout in the UDP profile applied to the virtual server.
- Works with or without SNAT.
It is important to note that the LTM has to have a route back to the client, since the new listener that is brought up to handle the data flow back to the client will not have an associated last-hop value.
Beware: because of simultaneous TFTP client access, the following error appears: TCL error: P_TFTP_NAT_IRULE - command returned bad code: 12
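Code:
rule tftp_rule {
   when SERVER_CONNECTED {
      # Open a temporary UDP (proto 17) listener for the data stream.
      # bind:   server-side VLAN, local address and local port
      # server: the original client address and port
      # allow:  only the selected server's address
      listen {
         proto 17
         timeout 60
         bind [LINK::vlan_id] [IP::local_addr] [serverside {UDP::local_port}]
         server [peer {client_addr}] [peer {UDP::client_port}]
         allow [IP::server_addr]
      }
   }
}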
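The following Python model is an added example, not part of the original snippet and not BIG-IP code. It shows why a data packet sent from the server's ephemeral port fails an exact flow match on the port 69 connection, and how a temporary listener with the rule's bind, server, allow and timeout values relays it. The class, function names and endpoints are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProxyModel:
    """Toy server-side packet matcher; constructed for illustration, not BIG-IP internals."""
    timeout: int = 60                              # seconds, as in the rule's `timeout 60`
    flows: dict = field(default_factory=dict)      # (server_ep, snat_ep) -> client_ep
    listeners: dict = field(default_factory=dict)  # snat_ep -> (allowed_ip, client_ep, expiry)

    def request(self, client, snat, server, now, with_listen):
        # Control packet: client -> virtual server :69 -> chosen server :69, sourced from snat.
        self.flows[(server, snat)] = client
        if with_listen:
            # Mirrors the rule: bind = server-side local addr/port, allow = server IP,
            # server = original client addr/port.
            self.listeners[snat] = (server[0], client, now + self.timeout)

    def from_server(self, src, dst, now):
        """Return the client endpoint a server-side packet is relayed to, or None if dropped."""
        if (src, dst) in self.flows:               # exact match: only replies from port 69
            return self.flows[(src, dst)]
        allowed_ip, client, expiry = self.listeners.get(dst, (None, None, -1))
        if src[0] == allowed_ip and now <= expiry: # temporary listener: any port on allowed IP
            return client
        return None

# Constructed sample endpoints (documentation address ranges).
CLIENT = ("192.0.2.10", 50000)
SNAT = ("198.51.100.1", 40000)
SERVER = ("198.51.100.20", 69)
DATA_SRC = ("198.51.100.20", 51234)                # ephemeral port the TFTP server replies from
OTHER = ("198.51.100.99", 51234)                   # a host that is not the selected server

def run(with_listen):
    p = ProxyModel()
    p.request(CLIENT, SNAT, SERVER, now=0, with_listen=with_listen)
    return {
        "data_in_time": p.from_server(DATA_SRC, SNAT, now=5),
        "data_after_timeout": p.from_server(DATA_SRC, SNAT, now=61),
        "other_host": p.from_server(OTHER, SNAT, now=5),
    }

if __name__ == "__main__":
    print("plain UDP virtual server:", run(False))
    print("with temporary listener: ", run(True))
```

In this model the listener admits any source port on the allowed server address until the timeout expires, which is the window to keep in mind when choosing the timeout value.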
- Kupauw_233756 (Nimbostratus)
Thanks for the iRule, but what do you mean by the "route back to the client" and how do I build this?
- jcrew (Nimbostratus)
How can you view the ephemeral listener that is created for each connection? In test, I notice that when multiple requests come into the virtual server within the timeout from the same source IP and same source port, only the first request is successful.
- ms_g (Nimbostratus)
Hi, is this supposed to work with the 12 and 13 software versions? Thanks!
- ms_g (Nimbostratus)
Hi guys, is this working for you? I tried to use it as I have a TFTP server that I have to load-balance! I used UDP 69 and I applied the rule, but I see this in the logs:
TFTP notice: failed to open listener for xxxxxxx%1:54865
TFTP notice: failed to open listener for xxxxxxxxx%1:2164
TFTP notice: failed to open listener for xxxxxxxxx%1:54865
I mention that before applying the iRule I managed to have the file on the TFTP server but with 0kb. In the tcpdumps on the F5 I've seen this: a write request which is hitting the server, the server ACK, and then the server is sending opcode 5 and an "undefined error". Opcode 5 in TFTP is a TID (transfer ID).