Deb_Allen_18
Historic F5 Account

Problem this snippet solves:

TFTP works in a similar fashion to active FTP, using a callback from a random high port for the data stream:
1. The initiating host A sends a request packet to host B at well-known port 69.
2. B replies with a packet sent from an ephemeral port (its transfer ID, or TID), and that port, not port 69, is used for all remaining data packets between host A and host B for that request.
Because the reply does not come from the port the request was sent to, a UDP flow that was created for the port-69 request does not match the data packets; something has to be listening for them.

To support the callback connection, you would:
1. Configure a UDP virtual server on port 69 to accept the control connection.
2. Configure a SNAT and apply it at least on the server-side VLAN.
3. Apply the following iRule, which for each data connection brings up a temporary listener on the appropriate port of the SNAT address.
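The callback described above, as an added example that is not part of the original post or of any F5 code: a small Python model of a TFTP read over loopback. The "port 69" side is an unprivileged port picked by the OS (a stand-in, since binding 69 needs privileges), the served file is constructed sample content, and the packet layouts follow RFC 1350. It shows the server answering from a fresh ephemeral port (the TID the iRule's listener exists to catch), the client switching to that port for the rest of the transfer, and what happens when a transfer packet is sent to the well-known port instead: the server answers with ERROR code 5, "Unknown transfer ID".

```python
"""Added example (not from the original post): minimal TFTP read over loopback
showing the transfer-ID (TID) callback that the iRule's listener has to handle."""
import socket
import struct
import threading

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_UNKNOWN_TID = 5   # RFC 1350 error code 5, "Unknown transfer ID"
BLOCK_SIZE = 512
LOOPBACK = "127.0.0.1"
# Constructed sample content: 780 bytes, so the transfer takes one full block
# and one short (terminating) block.
FILES = {"boot.cfg": b"hostname lab\n" * 60}


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse(pkt):
    """Decode one TFTP packet into a dict; raise ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (OP_RRQ, OP_WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3:          # filename, mode and the trailing empty field
            raise ValueError("malformed request")
        return {"op": op, "filename": fields[0].decode(), "mode": fields[1].decode()}
    word = struct.unpack("!H", pkt[2:4])[0]
    if op == OP_DATA:
        return {"op": op, "block": word, "data": pkt[4:]}
    if op == OP_ACK:
        return {"op": op, "block": word}
    if op == OP_ERROR:
        return {"op": op, "code": word, "message": pkt[4:].split(b"\0")[0].decode(errors="replace")}
    raise ValueError("unknown opcode %d" % op)


def run_server(ctl, files, stop):
    """Server side. `ctl` is the stand-in for port 69. Every transfer is answered
    from a NEW socket, so the client sees DATA arrive from an ephemeral port (the
    server TID). A non-request packet on `ctl` gets ERROR 5, which is what a client
    (or a middlebox that only tracks the port-69 flow) sees when it keeps using 69."""
    while not stop.is_set():
        try:
            pkt, client = ctl.recvfrom(1500)
        except socket.timeout:
            continue
        req = parse(pkt)
        if req["op"] != OP_RRQ:
            ctl.sendto(build_error(ERR_UNKNOWN_TID, "Unknown transfer ID"), client)
            continue
        data = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        data.bind((LOOPBACK, 0))          # OS-chosen ephemeral port = server TID
        data.settimeout(2.0)
        content, block = files.get(req["filename"], b""), 1
        try:
            while True:
                chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
                data.sendto(build_data(block, chunk), client)
                ack, src = data.recvfrom(1500)
                if src != client:         # wrong client TID: reject it, resend DATA
                    data.sendto(build_error(ERR_UNKNOWN_TID, "Unknown transfer ID"), src)
                    continue
                if parse(ack) != {"op": OP_ACK, "block": block} or len(chunk) < BLOCK_SIZE:
                    break                 # bad ACK, or short block ended the transfer
                block += 1
        except socket.timeout:
            pass
        finally:
            data.close()


def tftp_get(filename, server_port):
    """Client side: the request goes to the well-known port; everything after that
    goes to the TID the first DATA packet came from. Returns (content, server_tid)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2.0)
    sock.sendto(build_rrq(filename), (LOOPBACK, server_port))
    content, tid = b"", None
    try:
        while True:
            pkt, src = sock.recvfrom(1500)
            msg = parse(pkt)
            if msg["op"] == OP_ERROR:
                raise RuntimeError("TFTP error %d: %s" % (msg["code"], msg["message"]))
            if tid is None:
                tid = src                 # learn the server TID from the first DATA
            elif src != tid:
                continue                  # ignore anything not from the peer TID
            content += msg["data"]
            sock.sendto(build_ack(msg["block"]), tid)
            if len(msg["data"]) < BLOCK_SIZE:
                return content, tid
    finally:
        sock.close()


def demo():
    """Fetch boot.cfg, then show that a transfer packet aimed at the well-known
    port is rejected with ERROR 5. Returns the ports and results for inspection."""
    ctl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ctl.bind((LOOPBACK, 0))
    ctl.settimeout(0.2)
    ctl_port = ctl.getsockname()[1]
    stop = threading.Event()
    server = threading.Thread(target=run_server, args=(ctl, FILES, stop), daemon=True)
    server.start()
    try:
        content, (_, tid) = tftp_get("boot.cfg", ctl_port)
        probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        probe.settimeout(2.0)
        probe.sendto(build_ack(1), (LOOPBACK, ctl_port))   # ACK to port "69", not the TID
        err = parse(probe.recv(1500))
        probe.close()
    finally:
        stop.set()
        server.join()
        ctl.close()
    return {"content": content, "control_port": ctl_port, "server_tid": tid, "error_code": err["code"]}


if __name__ == "__main__":
    print(demo())
```

On a real LTM the role of `tftp_get`'s "learn the TID from the first DATA packet" is played by the iRule's temporary listener: the server's callback lands on the SNAT address and port the request left with, and without a listener there the LTM drops it, which is the failure the post's configuration steps prevent.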

Note: Requires LTM version > v9.0.3

How to use this snippet:

  • The listener timeout (60 seconds in the snippet) should match the idle timeout of the UDP profile applied to the virtual server.
  • Works with or without SNAT.

It is important to note that the LTM must have a route back to the client: the new listener that is brought up to handle the data flow back to the client has no last-hop value associated with it, so the return packets are forwarded according to the LTM's routing table rather than back through the hop the request arrived from.

Beware: when TFTP clients access the service simultaneously, the following error appears: TCL error: P_TFTP_NAT_IRULE - command returned bad code: 12. The listen command raises a Tcl error when the listener cannot be created; if the rule must keep running for the other flows, wrap the listen call in catch and log the failure rather than letting the error abort the rule.

Code :

rule tftp_rule {
  # Fires once per server-side connection, i.e. once for each TFTP request the
  # port-69 virtual server has forwarded to a pool member.
  when SERVER_CONNECTED {
    listen {
      # Protocol 17 = UDP.
      proto 17
      # Idle timeout of the temporary listener in seconds; match the UDP profile.
      timeout 60
      # Listen on the server-side VLAN, on the (SNAT) address and source port the
      # request left with: this is where the server's callback from its TID arrives.
      bind [LINK::vlan_id] [IP::local_addr] [serverside {UDP::local_port}]
      # Relay whatever arrives on the listener to the original client address/port.
      # (IP::client_addr replaces the deprecated client_addr command of early v9.)
      server [peer {IP::client_addr}] [peer {UDP::client_port}]
      # Accept packets only from the pool member selected for this request.
      allow [IP::server_addr]
    }
  }
}
Comments
Kupauw_233756
Nimbostratus
Thanks for the iRule, but what do you mean by the "route back to the client", and how do I build this?
jcrew
Nimbostratus
How can you view the ephemeral listener that is created for each connection? In testing, I notice that when multiple requests come into the virtual server within the timeout from the same source IP and the same source port, only the first request is successful.
ms_g
Nimbostratus

Hi, is this supposed to work with the 12 and 13 software versions? Thanks!

ms_g
Nimbostratus

Hi guys, is this working for you? I tried to use it, as I have a TFTP server that I have to load-balance. I used UDP 69 and applied the rule, but I see this in the logs: TFTP notice: failed to open listener for xxxxxxx%1:54865 TFTP notice: failed to open listener for xxxxxxxxx%1:2164 TFTP notice: failed to open listener for xxxxxxxxx%1:54865

I should mention that before applying the iRule I managed to get the file onto the TFTP server, but with 0 KB. In the tcpdumps on the F5 I've seen this: a write request which is hitting the server, a server ack, and then the server is sending opcode 5 and an "undefined error". Opcode 5 in TFTP is a TID (transfer ID).

Any ideas?

Version history
Last update: 18-Mar-2015 15:59