YourAmigo lookup and forward irule

Bryce_Halkerst1
Nimbostratus

Having issues with new F5's lookup forwarding YourAmigo.com. Have a ticket opened with F5 and the engineer provided the following solution from DevCentral https://devcentral.f5.com/community/group/asg/50/aft/27982/showtab/groupforums. Still getting TCL error.

when HTTP_REQUEST {
    # Rewrite HTTP Host header
    HTTP::header replace Host "blah.youramigo.com"
    # Hold HTTP and perform DNS lookup
    NAME::lookup blah.youramigo.com
    HTTP::collect
}

when NAME_RESOLVED {
    log local0. "Forwarding to YourAmigo at [NAME::response address 0]"
    node [NAME::response address 0] 80
    HTTP::release
    node 69.36.35.147 80
}


Mon Mar 18 14:11:57 GMT 2013 err tmm tmm[7845] 01220001 TCL error: /Common/YourAmigo-Baby_offsite_logger - while executing "NAME::response address 0"
Mon Mar 18 14:11:57 GMT 2013 info tmm tmm[7845] Rule /Common/YourAmigo-Baby_offsite_logger : Forwarding to YourAmigo at


cat /var/named/config/named.conf

# restrict rndc access to local machines
# use the key in the default place: /config/rndc.key
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1 ;}; };
logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        logfile;
    };
    category config {
        logfile;
    };
    category notify {
        logfile;
    };
};
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    # set this to yes when you want to resolve off
    # box. setting it to yes when you don't actually
    # have a bind server configured will result in
    # bind timeouts for many commands
    recursion yes;
    forward only;
    directory "/config/namedb";
    allow-transfer {
        localhost;
    };
    check-names master warn;
    # change to "no" if you want to be able to add
    # MX records that do not reference a record that has an A record
    check-integrity yes;
    max-journal-size 1M;
    forwarders {209.x.x.x; 209.x.x.x; };
};
acl "zrd-acl-000-000" {
    127.10.0.0;
};
acl "local-loopback-clients" {
    127.0.0.0/8;
};
view "internal" {
    match-clients { "local-loopback-clients"; };
    recursion yes;
};
view "external" {
    match-clients { "zrd-acl-000-000"; any; };
};
server 209.x.x.x {
};
server 209.x.x.x {
};


9 REPLIES

What_Lies_Bene1
Cirrostratus
Can you please enable the logging and confirm that you are getting a value other than null returned with the [NAME::response address 0] command.

Bryce_Halkerst1
Nimbostratus
I enabled logging.

Error:

Mon Mar 18 20:01:10 GMT 2013 err tmm1 tmm1[7846] 01220001 TCL error: /Common/YourAmigo-Baby_offsite_logger - while executing "NAME::response address 0"
Mon Mar 18 20:01:10 GMT 2013 info tmm1 tmm1[7846] Rule /Common/YourAmigo-Baby_offsite_logger : Forwarding to YourAmigo at

when HTTP_REQUEST {
    # Rewrite HTTP Host header
    HTTP::header replace Host "blah.youramigo.com"
    # Hold HTTP and perform DNS lookup
    NAME::lookup blah.youramigo.com
    HTTP::collect
}

when NAME_RESOLVED {
    log local0. "Forwarding to YourAmigo at [NAME::response address 0]"
    node [NAME::response address 0] 80
    HTTP::release
    node 69.36.35.147 80
}


What_Lies_Bene1
Cirrostratus
Sorry, I wasn't clear, please remove the hash from this line:

log local0. "Forwarding to YourAmigo at [NAME::response address 0]"

Bryce_Halkerst1
Nimbostratus
I removed the # from the log. Looks like there is a routing issue; there are 2 DFGWs defined on the F5s. GUI shows DFGW as 0.0.0.0 0.0.0.0 63.X.X.X. Netstat -rn is showing the following. Looks like the network deployment team is entering the routes via cmd line. Need to check with F5 to resolve.

netstat -rn

Active F5:
0.0.0.0 10.X.X.X 0.0.0.0 UG 0 0 0 eth0

Standby F5:
0.0.0.0 63.X.X.X 0.0.0.0 UG 0 0 0 SLB_External
0.0.0.0 10.X.X.X 0.0.0.0 UG 0 0 0 eth0

What_Lies_Bene1
Cirrostratus
This is a common misconception (I think that's the right word!) There are effectively two routing tables on a BIG-IP, one for the Linux Host Management System (HMS) and one for TMM/LTM. The HMS route(s) can only be viewed at the CLI and generally use eth0; these routes are only used for management traffic such as SNMP sourced from the device, not for traffic handled by LTM. The LTM routes as seen in the GUI or at the CLI with [tmsh] show net route command are the routes used when handling traffic via a VS, NAT or SNAT.

Anyway, this may all be moot, according to this article: https://devcentral.f5.com/wiki/iRules.NAME__lookup.ashx - "If you do not include the @{IP/Virtual Name} argument, local bind will be the target of the query. If your local bind is not set up to query recursively, and is not authoritative for the domain in question, you will receive no response"

Is that what you are seeing, no response?

nitass
F5 Employee
as Steve mentioned, can you try to include @IP in NAME::lookup instead of using local bind?

e.g.

[root@ve10:Active] config # b virtual bar list
virtual bar {
   snat automap
   destination 172.28.19.252:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config # b rule myrule list
rule myrule {
   when HTTP_REQUEST {
  log local0. "--"
  HTTP::collect
  HTTP::header replace Host "www.youramigo.com"
  NAME::lookup @8.8.8.8 www.youramigo.com
}
when NAME_RESOLVED {
  log local0. "--"
  node [NAME::response address 0] 80
  HTTP::release
}
when HTTP_RESPONSE {
  log local0. "--"
  log local0. "server [IP::server_addr]:[TCP::server_port] | status [HTTP::status]"
}
}

client

[root@centos251 ~]# curl -I http://172.28.19.252/
HTTP/1.1 200 OK
Date: Wed, 20 Mar 2013 04:31:21 GMT
Server: Apache
Last-Modified: Thu, 21 Feb 2013 05:45:08 GMT
ETag: "c419ae-429a-4d63593cae100"
Accept-Ranges: bytes
Content-Length: 17050
Vary: Accept-Encoding
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Type: text/html

/var/log/ltm

[root@ve10:Active] config # tail -f /var/log/ltm
Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : serevr 69.36.35.145:80 | status 200
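A hardened variant of the lookup-and-forward iRule, added here as an example and not code from this thread or from F5: it queries an explicit resolver as nitass suggests, and checks for an empty answer before calling node, which is where the "NAME::response address 0" TCL error above comes from. The resolver 192.0.2.53 and the expected upstream prefix 203.0.113.0/24 are placeholders, and the CIDR form of IP::addr assumes an 11.x release.

```tcl
# Added example (not from the thread or from F5). Resolver address and
# upstream prefix are placeholders; replace them with the real values.
when HTTP_REQUEST {
    set upstream_host "blah.youramigo.com"
    # Rewrite the Host header for the upstream service
    HTTP::header replace Host $upstream_host
    # Park the request until NAME_RESOLVED fires
    HTTP::collect
    # Ask a known recursive resolver instead of local bind, which only
    # answers if it recurses or is authoritative for the name
    NAME::lookup @192.0.2.53 $upstream_host
}

when NAME_RESOLVED {
    # NAME::response address throws when the resolver returned nothing,
    # so wrap it in catch and also treat an empty list as a failure
    if { [catch { set addrs [NAME::response address] }] || [llength $addrs] == 0 } {
        log local0.warn "No address for $upstream_host; rejecting request"
        reject
        return
    }
    set addr [lindex $addrs 0]
    # Only forward into the prefix the upstream is expected to live in, so a
    # bad or spoofed answer cannot steer client traffic somewhere else
    if { ![IP::addr $addr equals 203.0.113.0/24] } {
        log local0.warn "Resolved $upstream_host to unexpected address $addr; rejecting"
        reject
        return
    }
    log local0.info "Forwarding to $upstream_host at $addr"
    node $addr 80
    HTTP::release
}
```

With local bind left as the resolver, the same catch branch is what fires when bind is not recursive and not authoritative, so the warning in /var/log/ltm points straight at the DNS side rather than at a routing problem.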

nitass
F5 Employee
If you want to use local bind, I understand you need to configure "BIND Forwarder Server List" (system > devices > dns) and the correct recursion option, which is described in the sol below.

sol12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file
https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html

hope this helps.

Bryce_Halkerst1
Nimbostratus
Just to clarify would the 8.8.8.8 be my dns resource server?

Bryce_Halkerst1
Nimbostratus
All,

Works like a champ! Thanks for all of the input!

Bryce