17-Apr-2020 09:05
Hey guys, I'm fairly new to F5. We have one configured before I started working here. We have a windows terminal server virtual server in our F5 that load balances between 18 different back end terminal servers. We chose this method as opposed to a windows terminal server broker for some reason.
We are having clients try to connect and they are getting an error. We can see through packet captures they are able to get a secure connection to our F5 virtual server, but we can't see which backend terminal server the F5 is trying to send them to. We believe the error is in relation to that backend terminal server that's a member of the pool the virtual server is associated with.
My question is, is there a log I can search via the clients source IP address to see connection attempts? I know they are hitting our virtual server IP, but I need to know which pool member the F5 is sending them to for authentication. I know about the "tmsh show" that will tell me about active connections, but I need to troubleshoot one step back.
17-Apr-2020 09:47 - last edited on 04-Jun-2023 21:30 by JimmyPackets
You can accomplish this with an iRule on the VIP that would log the connections and output them into the ltm log.
Something like this should help with troubleshooting. But I would only use it while troubleshooting, not as a permanent addition:
when HTTP_REQUEST {
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> Requested Host[HTTP::host][HTTP::uri]"
    log local0. "==== $LogString (request) ====="
}
when SERVER_CONNECTED {
    log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ===="
}
when HTTP_RESPONSE {
    log local0. "==== $LogString (response) - status: [HTTP::status] ===="
}
17-Apr-2020 10:46
Great thank you! One quick question because I don't want to make any assumptions, will this cause an outage of any kind? Will I need to restart anything to have the iRule work?
17-Apr-2020 11:31
This should have no impact on actual traffic as all that is happening is the F5 is logging details of the connection. Depending on the traffic load it could lead to a lot of entries in the ltm log but that is why it is recommended for troubleshooting not permanent use.
17-Apr-2020 11:34
Great thank you!
17-Apr-2020 11:36
One slight hiccup, it's not an http request, but using RDP so a port 3389 request maybe? So I get an error when I try to apply the iRule.
17-Apr-2020 11:48
Here is a screencap of our virtual server overview if it helps.
17-Apr-2020 11:48 - last edited on 04-Jun-2023 21:30 by JimmyPackets
You should be able to just remove the HTTP calls from the rule I posted above like so and it should work:
when CLIENT_CONNECTED {
    set LogString "Client [IP::client_addr]:[TCP::client_port]"
    log local0. "==== $LogString (request) ====="
}
when SERVER_CONNECTED {
    log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ===="
}
17-Apr-2020 11:56
Sadly I still get an error "01071912:3: HTTP_REQUEST event in rule (/Common/LogLocalConnections) requires an associated HTTP or FASTHTTP profile on the virtual-server (/Common/RDS-2016-VIP)." with the above iRule.
17-Apr-2020 18:47
Sorry, forgot to change the iRule event when I edited it before. I have updated the code above. This does not use HTTP processing events, rather just TCP events.
20-Apr-2020 06:16 - last edited on 22-Nov-2022 15:13 by JimmyPackets
Good morning Beaker. New error. "01070151:3: Rule [/Common/LogLocalConnections] error: /Common/LogLocalConnections:1: error: [unknown event (CLIENT_CONNECTED)][when CLIENT_CONNECTED {
set LogString "Client [IP::client_addr]:[TCP::client_port]"
log local0. "==== $LogString (request) ====="
}]". The code I have is:
when CLIENT_CONNECTED {
    set LogString "Client [IP::client_addr]:[TCP::client_port]"
    log local0. "==== $LogString (request) ====="
}
when SERVER_CONNECTED {
    log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ===="
}
20-Apr-2020 07:38 - last edited on 04-Jun-2023 21:30 by JimmyPackets
when CLIENT_ACCEPTED {
    set LogString "Client [IP::client_addr]"
    log local0. "==== $LogString (request) ====="
}
when SERVER_CONNECTED {
    log local0. "==== $LogString (server connected) - server: [LB::server addr]:[LB::server port] ===="
}
I have tested that this works
20-Apr-2020 07:52
Perfect that worked! And in the logs I can see client IP, and the node they ended up connecting to behind our virtual server. Much appreciated!
ltm 04-20 14:48:24 info atscmn-prod-f5-lb02 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.230 (request) =====
ltm 04-20 14:48:29 info atscmn-prod-f5-lb02 tmm1[18071]: Rule /Common/LogLocalConnections <SERVER_CONNECTED>: ==== Client 10.20.3.230 (server connected) - server: 172.17.99.45:3389 ====
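
Added example (not part of the thread and not F5's own tooling): a shell helper that answers the original question, "which pool member did this client IP get sent to", from the log lines the working iRule produces. It assumes the line format shown in the two log lines above; the sample lines, the hostname `bigip01` and the `.46`/`.47` pool members are constructed. On the BIG-IP you would pass the LTM log file (for example `/var/log/ltm`) as the second argument.

```shell
#!/bin/sh
# Added example: summarise the thread's iRule log lines for one client IP.

# Constructed sample in the format shown above (hostname and the .46/.47
# pool members are made up for the demonstration).
sample_ltm_lines() {
    cat <<'EOF'
ltm 04-20 14:48:24 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.230 (request) =====
ltm 04-20 14:48:29 info bigip01 tmm1[18071]: Rule /Common/LogLocalConnections <SERVER_CONNECTED>: ==== Client 10.20.3.230 (server connected) - server: 172.17.99.45:3389 ====
ltm 04-20 14:50:02 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.23 (request) =====
ltm 04-20 14:50:02 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <SERVER_CONNECTED>: ==== Client 10.20.3.23 (server connected) - server: 172.17.99.47:3389 ====
ltm 04-20 14:51:10 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.230 (request) =====
ltm 04-20 14:51:10 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <SERVER_CONNECTED>: ==== Client 10.20.3.230 (server connected) - server: 172.17.99.46:3389 ====
ltm 04-20 14:53:41 info bigip01 tmm[18071]: Rule /Common/LogLocalConnections <CLIENT_ACCEPTED>: ==== Client 10.20.3.230 (request) =====
EOF
}

# pool_members_for_client CLIENT_IP [LOGFILE]
# Prints "accepted=N connected=M", then one "count member" line per pool
# member the client reached. Reads stdin when no log file is given.
pool_members_for_client() {
    client=$1
    shift
    awk -v ip="$client" '
        {
            # Compare whole tokens so 10.20.3.23 does not match 10.20.3.230.
            hit = 0
            for (i = 1; i < NF; i++)
                if ($i == "Client" && $(i + 1) == ip) hit = 1
        }
        !hit { next }
        /<CLIENT_ACCEPTED>/ { accepted++ }
        /<SERVER_CONNECTED>/ {
            connected++
            for (i = 1; i < NF; i++)
                if ($i == "server:") members[$(i + 1)]++
        }
        END {
            printf "accepted=%d connected=%d\n", accepted, connected
            for (m in members) printf "%d %s\n", members[m], m
        }
    ' "$@"
}

sample_ltm_lines | pool_members_for_client 10.20.3.230
```

When `accepted` is higher than `connected` for a client, some of its connections have no SERVER_CONNECTED line, and those are the ones to look at first.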