
TCL error for basic port translation iRule

conorh_17335
Nimbostratus

Background: I've set up a simple iRule that translates the requested VIP:PORT to NODE:PORT. Although this iRule works well, I continue getting these TCL errors. I have tried using IF statements, but this has ended up breaking my iRule. Does anyone know what would be causing this error? Thanks

LTM Version: BIG-IP 11.2.0 Build 2557.0 Hotfix HF2

Log > Local Traffic

err

TCL error: /Common/port_translation - bad IP address format (line 3) invoked from within "node $node_address_port"

Data Group List

Name: port_translation
Type: String
Example: 12080 := 10.0.0.120:8080

iRule

when HTTP_REQUEST {
    set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
    log local0.info "Node address/port is $node_address_port"
    node $node_address_port
}

14 REPLIES

What_Lies_Bene1
Cirrostratus
Can I ask why you're doing this translation?

conorh_17335
Nimbostratus
I need to monitor all of our backend services from a proxy that lives outside of our LTMs. The port translation is due to the limitation of available public IPs. As you can see, I'm including the host address and portion of the internal port within the external port being accessed by our monitoring system as a way to more easily id the node/service_port.

What_Lies_Bene1
Cirrostratus
Can you configure your proxy to monitor specific URLs? If so I just answered another post relating to an iRule used to help monitor nodes behind a VIP: https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2164722/showtab/groupforums/Default.aspx

conorh_17335
Nimbostratus
To be more clear, our objective for this type of monitoring requires that we use low layer networking like port translation to mimic some environments using only firewalls.

hoolio
Cirrostratus
I think you need to pass separate node and port parameters to the node command:

node [getfield $node_address_port ":" 1] [getfield $node_address_port ":" 2]

Aaron

conorh_17335
Nimbostratus
After changing, this still returns:

TCL error: /Common/stage_google_port_translation - bad IP address format (line 3) invoked from within "node [getfield $node_address_port ":" 1] [getfield $node_address_port ":" 2]"

hoolio
Cirrostratus
Does the data group lookup return a value? Can you log that or the output from the getfield commands to make sure they're returning an IP and port?

Aaron

nitass
F5 Employee
it seems okay to me.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:0
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
        log local0.info "Node address/port is $node_address_port"
        node $node_address_port
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal port_translation
ltm data-group internal port_translation {
    records {
        12080 {
            data 200.200.200.101:8080
        }
    }
    type string
}

packet trace

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12080 or port 8080
New TCP connection 1: 172.28.20.11(34527) <-> 172.28.19.252(12080)
1350968783.1644 (0.0010) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(34527) <-> 200.200.200.101(8080)
1350968783.1654 (0.0007) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------

log

[root@ve11a:Active:Changes Pending] config tail /var/log/ltm
Oct 23 13:06:21 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:49831
Oct 23 13:06:23 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.101:8080
Oct 23 13:06:25 tmm notice tmm[23647]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:49831

nitass
F5 Employee
in case of external data group.

[root@ve11a:Active:Changes Pending] config cat /config/filestore/files_d/Common_d/data_group_d/\:Common\:port_translation_file_1
"12080" := "200.200.200.101:8080",
"12081" := "200.200.200.111:8080",
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group external port_translation
ltm data-group external port_translation {
    external-file-name port_translation_file
    type string
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set node_address_port [class match -value [TCP::local_port] equals /Common/port_translation]
        log local0.info "Node address/port is $node_address_port"
        node $node_address_port
    }
}

packet trace

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12080 or port 8080
New TCP connection 1: 172.28.20.11(34534) <-> 172.28.19.252(12080)
1350976437.3284 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(34534) <-> 200.200.200.101(8080)
1350976437.3315 (0.0010) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12080
Accept: */*
---------------------------------------------------------------

[root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 12081 or port 8080
New TCP connection 1: 172.28.20.11(49751) <-> 172.28.19.252(12081)
1350976511.4554 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12081
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.11(49751) <-> 200.200.200.111(8080)
1350976511.4564 (0.0009) C>S
---------------------------------------------------------------
HEAD /something HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252:12081
Accept: */*
---------------------------------------------------------------

log

[root@ve11a:Active:Changes Pending] config tail /var/log/ltm
Oct 23 15:13:22 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:33582
Oct 23 15:13:57 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.101:8080
Oct 23 15:14:43 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:47996
Oct 23 15:15:09 tmm notice tmm[23647]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:39223
Oct 23 15:15:11 tmm info tmm[23647]: Rule /Common/myrule : Node address/port is 200.200.200.111:8080
Oct 23 15:15:13 tmm notice tmm[23647]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:39223

conorh_17335
Nimbostratus
This is the output I get when making the request to my VIP with the [getfield] iRule applied.

Rule /Common/port_translation : Node address/port is 10.0.0.120:8080

While it does work, I still get the same error

TCL error: /Common/port_translation - bad IP address format (line 3) invoked from within "node [getfield $node_address_port ":" 1] [getfield $node_address_port ":" 2]"

Thanks for running the verification, nitass -- I am still stumped here.

nitass
F5 Employee
Can you put a log command above line 3?

e.g.

log local0. "node [getfield $node_address_port ":" 1] [getfield $node_address_port ":" 2]"

Peter_Aeschlima
Nimbostratus
Has anyone found a solution? I got the exact same issue.

Looks like parameters to "node" are not expanded and only direct IP addresses are possible

OK: node 1.2.3.4 80

NOT: node $destination $port

NOT: node [whatever command]

Thanks, P

Peter_Aeschlima
Nimbostratus

found it myself:

node [lindex [split $hostservice ":"] 0] [lindex [split $hostservice ":"] 1]

does the trick

Thanks, P

 

hoolio
Cirrostratus
Hi Peter,

node $ip $port

and

node [getfield $hostservice ":" 1] [getfield $hostservice ":" 2]

should both work.

Aaron
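
The check asked about earlier in the thread (does the data group lookup return a usable IP and port?), written out as an added example that is not from any poster here or from F5. It assumes the /Common/port_translation data group from the original post with values of the form a.b.c.d:port, and rejecting connections that have no valid mapping is an assumed policy.

```tcl
# Added example (not from the thread): validate the data group lookup before
# calling node, and fail closed instead of raising a TCL error.
# Assumes /Common/port_translation holds "a.b.c.d:port" strings keyed by VIP port.
when HTTP_REQUEST {
    set vip_port [TCP::local_port]

    # class match -value returns an empty string when no record matches,
    # for example when a client connects to a port that has no mapping.
    set node_address_port [class match -value $vip_port equals /Common/port_translation]
    if { $node_address_port eq "" } {
        log local0.err "port_translation: no record for port $vip_port from [IP::client_addr]"
        reject
        return
    }

    # Parse strictly. The trailing %s only converts if non-whitespace text
    # follows the port, so a well-formed value yields exactly 5 conversions.
    set fields [scan $node_address_port {%d.%d.%d.%d:%d%s} o1 o2 o3 o4 port extra]
    set valid [expr { $fields == 5 && $port >= 1 && $port <= 65535 }]
    if { $valid } {
        foreach octet [list $o1 $o2 $o3 $o4] {
            if { $octet < 0 || $octet > 255 } { set valid 0 }
        }
    }
    if { !$valid } {
        log local0.err "port_translation: bad record '$node_address_port' for port $vip_port"
        reject
        return
    }

    # Pass address and port as separate arguments; trap any remaining
    # runtime error so it is logged with context rather than aborting the rule.
    if { [catch { node "$o1.$o2.$o3.$o4" $port } err] } {
        log local0.err "port_translation: node failed for '$node_address_port': $err"
        reject
    }
}
```

With this in place the data group acts as the allow-list of reachable backends: a VIP port with no record, or a record that does not parse, produces one log line naming the port and client instead of a bare "bad IP address format" error.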