cancel
Showing results for 
Search instead for 
Did you mean: 

Find connection attempts via source IP

TFleming
Nimbostratus
Nimbostratus

Hey guys, I'm fairly new to F5. We have one configured before I started working here. We have a windows terminal server virtual server in our F5 that load balances between 18 different back end terminal servers. We chose this method as apposed to a windows terminal server broker for some reason.

 

We are having clients try to connect and they are getting an error. We can see through packet captures they are able to get a secure connection to our F5 virtual server, but we can't see which backend terminal server the F5 is trying to send them to. We believe the error is in relation to that backend terminal server that's a member of the pool the virtual server is associated with.

 

My question is, is there a log I can search via the clients source IP address to see connection attempts? I know they are hitting our virtual server IP, but I need to know which pool member the F5 is sending them to for authentication. I know about the "tmsh show" that will tell me about active connections, but I need to troubleshoot one step back.

1 ACCEPTED SOLUTION

when CLIENT_ACCEPTED { set LogString "Client [IP::client_addr]" log local0. "==== $LogString (request) =====" } when SERVER_CONNECTED { log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ====" }

I have tested that this works

View solution in original post

12 REPLIES 12

Beaker
Cirrus
Cirrus

You can accomplish this with an Irule on the VIP that would log the connections and output them into the ltm log.

Something like this should help with troubleshooting. But I would only use while troubleshooting not as a permanent addition:

 

when HTTP_REQUEST { set LogString "Client [IP::client_addr]:[TCP::client_port] -> Requested Host[HTTP::host][HTTP::uri]" log local0. "==== $LogString (request) =====" }   when SERVER_CONNECTED { log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ====" }   when HTTP_RESPONSE { log local0. "==== $LogString (response) - status: [HTTP::status] ====" }

 

 

Great thank you! One quick question because I don't want to make any assumptions, will this cause an outage of any kind? Will I need to restart anything to have he iRule work?

This should no impact on actual traffic as all that is happening is the F5 is logging details of the connection. Depending on the traffic load it could lead to a lot of entries in the ltm log but that is why it is recommended for troubleshooting not permanent use.

Great thank you!

One slight hickup, it's not an http request, but using RDP so a port 3389 request maybe? So I get an error when I try to apply the iRUle.

​Here is a screencap of our virtual server overview if it helps.0691T000008cq7gQAA.jpg

Beaker
Cirrus
Cirrus

You should be able to just remove the HTTP calls from the rule I posted above like so and it should work:

when CLIENT_CONNECTED { set LogString "Client [IP::client_addr]:[TCP::client_port] log local0. "==== $LogString (request) =====" } when SERVER_CONNECTED { log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ====" }

 

​Sadly I still get an error "01071912:3: HTTP_REQUEST event in rule (/Common/LogLocalConnections) requires an associated HTTP or FASTHTTP profile on the virtual-server (/Common/RDS-2016-VIP)." with the above iRule.

Sorry forgot to change the irule event when I edited it before. I have updated the code above. This does not use http processing events rather just tcp events

​Good morning Beaker. New error. "01070151:3: Rule [/Common/LogLocalConnections] error: /Common/LogLocalConnections:1: error: [unknown event (CLIENT_CONNECTED)][when CLIENT_CONNECTED {

set LogString "Client [IP::client_addr]:[TCP::client_port]"

log local0. "==== $LogString (request) ====="

}]". The code I have is:

 

when CLIENT_CONNECTED { set LogString "Client [IP::client_addr]:[TCP::client_port]" log local0. "==== $LogString (request) =====" } when SERVER_CONNECTED { log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ====" }

when CLIENT_ACCEPTED { set LogString "Client [IP::client_addr]" log local0. "==== $LogString (request) =====" } when SERVER_CONNECTED { log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ====" }

I have tested that this works

​Perfect that worked! And in the logs I can see client IP, and the node they ended up connecting to behind our virtual server. Much appreciated!

 

ltm 04-20 14:48:24 info atscmn-prod-f5-lb02 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.230 (request) =====

ltm 04-20 14:48:29 info atscmn-prod-f5-lb02 tmm1[18071]: Rule /Common/LogLocalConnections <SERVER_CONNECTED>: ==== Client 10.20.3.230 (server connected) - server: 172.17.99.45:3389 ====