Technical Forum
How to log failed connections along with SNAT information?

natti
Nimbostratus

Hi,

What I would like to accomplish is to log to a central syslog server when the F5 (set up as a load balancer) is unable to connect to any of the real servers, and preferably log the SNAT information with it.

So far I've been able to send the logs to a central syslog server (SOL13080), and based on a question I found here I've been able to log the SNAT information for all successful connections. (I used this solution: https://devcentral.f5.com/questions/how-to-monitor-internal-ip-translate-to-which-ip-snat-in-pool)

The problem is, if for some reason the server doesn't respond to this one query, the event "SERVER_CONNECTED" obviously never happens, so I don't get any logs for that particular connection attempt. Now, I've tried to play around and change the event to client_accepted or client_closed, but in these cases the "ss [client|server]" syslog lines only contain the client and F5 addresses, but not the post-NAT and real-server addresses.

So is there any way to log SNAT information (destination real-server IP & port, and the F5 source IP address (NATted) and port) for failed connections? (And on that note, is there any good guideline on how to spot/log these failed connections?)

Thanks ...

(I'm very new to F5, so although I was unable to find my answer I might be looking for the wrong keywords, so apologies if this question has an obvious answer somewhere else...)


4 REPLIES

nitass
F5 Employee

have you tried LB_FAILED?

e.g.

config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) # list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 41
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) # list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) # list ltm rule qux
ltm rule qux {
    when LB_FAILED {
        log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [IP::local_addr]:[TCP::local_port] \
            ss src [serverside {IP::local_addr}]:[serverside {TCP::local_port}] dst [IP::server_addr]:[TCP::server_port]"
    }
    when SERVER_CONNECTED {
        log local0. "cs src [IP::client_addr]:[TCP::client_port] dst [clientside {IP::local_addr}]:[clientside {TCP::local_port}] \
            ss src [IP::local_addr]:[TCP::local_port] dst [IP::server_addr]:[TCP::server_port]"
    }
}

trace

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:33:30.234595 IP 172.28.24.1.46920 > 172.28.24.10.80: S 2765154856:2765154856(0) win 5840 in slot1/tmm0 lis=
18:33:30.234675 IP 172.28.24.10.80 > 172.28.24.1.46920: S 420746216:420746216(0) ack 2765154857 win 4380 out slot1/tmm0 lis=/Common/bar
18:33:30.236318 IP 172.28.24.1.46920 > 172.28.24.10.80: . ack 1 win 5840 in slot1/tmm0 lis=/Common/bar
18:33:30.237491 IP 172.28.24.1.46920 > 172.28.24.10.80: P 1:156(155) ack 1 win 5840 in slot1/tmm0 lis=/Common/bar
18:33:30.237555 IP 200.200.200.14.46920 > 200.200.200.101.80: S 4231709820:4231709820(0) win 4380 out slot1/tmm0 lis=/Common/bar
18:33:30.237568 IP 172.28.24.10.80 > 172.28.24.1.46920: . ack 156 win 4535 out slot1/tmm0 lis=/Common/bar
18:33:30.261632 IP 200.200.200.101.80 > 200.200.200.14.46920: R 0:0(0) ack 4231709821 win 0 in slot1/tmm0 lis=/Common/bar
18:33:30.261805 IP 172.28.24.10.80 > 172.28.24.1.46920: R 1:1(0) ack 156 win 4535 out slot1/tmm0 lis=/Common/bar

/var/log/ltm

[root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
Jun 22 18:33:30 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.1:46920 dst 172.28.24.10:80 ss src 200.200.200.14:46920 dst 200.200.200.101:80

Yup! Thanks, just what I needed, works perfectly 🙂
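As an added illustration (not part of the thread and not F5 code), a small Python parser for the /var/log/ltm line format the iRule above emits, so the SNAT mapping of each logged attempt can be recovered on the syslog side and attempts counted per pool member. The first sample line is the one from the thread; the remaining lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm lines in the iRule's format; the first line is from the thread, the rest are made up.
SAMPLE_LOG = """\
Jun 22 18:33:30 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.1:46920 dst 172.28.24.10:80 ss src 200.200.200.14:46920 dst 200.200.200.101:80
Jun 22 18:33:31 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.1:46921 dst 172.28.24.10:80 ss src 200.200.200.14:46921 dst 200.200.200.101:80
Jun 22 18:33:32 ve11a info tmm[9801]: Rule /Common/qux : cs src 172.28.24.2:50000 dst 172.28.24.10:80 ss src 200.200.200.14:50000 dst 200.200.200.102:80
Jun 22 18:33:33 ve11a info tmm1[9802]: some unrelated tmm message
"""

# "cs" = clientside (client -> virtual server), "ss" = serverside (SNAT address -> pool member)
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) : "
    r"cs src (?P<client>[\d.]+):(?P<client_port>\d+) dst (?P<vip>[\d.]+):(?P<vip_port>\d+) "
    r"ss src (?P<snat>[\d.]+):(?P<snat_port>\d+) dst (?P<server>[\d.]+):(?P<server_port>\d+)"
)


def parse_line(line):
    """Return the four (address, port) pairs of an iRule log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rule": d["rule"],
        "client": (d["client"], int(d["client_port"])),
        "vip": (d["vip"], int(d["vip_port"])),
        "snat": (d["snat"], int(d["snat_port"])),
        "server": (d["server"], int(d["server_port"])),
    }


def attempts_per_member(log_text):
    """Count logged attempts per pool member so a burst toward one server stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["server"]] += 1
    return counts


def snat_for_client(log_text, client_addr, client_port):
    """Resolve a client-side source to the SNAT address:port and pool member the F5 used."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["client"] == (client_addr, client_port):
            return rec["snat"], rec["server"]
    return None
```

Because the LB_FAILED and SERVER_CONNECTED branches of the iRule emit identical message text, a line alone does not say which event produced it; putting the event name into the log message lets this parser separate failed attempts from successful connections.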
