Forum Discussion

Bryce_Halkerst1
Mar 18, 2013

YourAmigo lookup and forward irule

Having issues with new F5's lookup forwarding YourAmigo.com. Have a ticket opened with F5 and the engineer provided the following solution from DevCentral https://devcentral.f5.com/community/group/asg/50/aft/27982/showtab/groupforums. Still getting TCL error.

 

    when HTTP_REQUEST {
        # Rewrite HTTP Host header
        HTTP::header replace Host "blah.youramigo.com"
        # Hold HTTP and perform DNS lookup
        NAME::lookup blah.youramigo.com
        HTTP::collect
    }

    when NAME_RESOLVED {
        log local0. "Forwarding to YourAmigo at [NAME::response address 0]"
        node [NAME::response address 0] 80
        HTTP::release
        # node 69.36.35.147 80
    }

Log output:

    Mon Mar 18 14:11:57 GMT 2013 err tmm tmm[7845] 01220001 TCL error: /Common/YourAmigo-Baby_offsite_logger - while executing "NAME::response address 0"
    Mon Mar 18 14:11:57 GMT 2013 info tmm tmm[7845] Rule /Common/YourAmigo-Baby_offsite_logger : Forwarding to YourAmigo at

 

cat /var/named/config/named.conf

    # restrict rndc access to local machines
    # use the key in the default place: /config/rndc.key
    controls { inet 127.0.0.1 port 953 allow { 127.0.0.1 ;}; };

    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default {
            logfile;
        };
        category config {
            logfile;
        };
        category notify {
            logfile;
        };
    };

    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        # set this to yes when you want to resolve off
        # box. setting it to yes when you don't actually
        # have a bind server configured will result in
        # bind timeouts for many commands
        recursion yes;
        forward only;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        check-names master warn;
        # change to "no" if you want to be able to add
        # MX records that do not reference a record that has an A record
        check-integrity yes;
        max-journal-size 1M;
        forwarders {209.x.x.x; 209.x.x.x; };
    };

    acl "zrd-acl-000-000" {
        127.10.0.0;
    };

    acl "local-loopback-clients" {
        127.0.0.0/8;
    };

    view "internal" {
        match-clients { "local-loopback-clients"; };
        recursion yes;
    };

    view "external" {
        match-clients { "zrd-acl-000-000"; any; };
    };

    server 209.x.x.x {
    };

    server 209.x.x.x {
    };

 

9 Replies

  • Can you please enable the logging and confirm that you are getting a value other than null returned with the [NAME::response address 0] command.
  • I enabled logging.

    Error:

        Mon Mar 18 20:01:10 GMT 2013 err tmm1 tmm1[7846] 01220001 TCL error: /Common/YourAmigo-Baby_offsite_logger - while executing "NAME::response address 0"
        Mon Mar 18 20:01:10 GMT 2013 info tmm1 tmm1[7846] Rule /Common/YourAmigo-Baby_offsite_logger : Forwarding to YourAmigo at

    iRule:

        when HTTP_REQUEST {
            # Rewrite HTTP Host header
            HTTP::header replace Host "blah.youramigo.com"
            # Hold HTTP and perform DNS lookup
            NAME::lookup blah.youramigo.com
            HTTP::collect
        }

        when NAME_RESOLVED {
            log local0. "Forwarding to YourAmigo at [NAME::response address 0]"
            node [NAME::response address 0] 80
            HTTP::release
            # node 69.36.35.147 80
        }


  • Sorry, I wasn't clear, please remove the hash from this line:

        log local0. "Forwarding to YourAmigo at [NAME::response address 0]"

  • I removed the hash from the log. Looks like there is a routing issue; there are 2 DFGWs defined on the F5s. The GUI shows the DFGW as 0.0.0.0 0.0.0.0 63.X.X.X. netstat -rn is showing the following. Looks like the network deployment team is entering the routes via the command line. Need to check with F5 to resolve.

    netstat -rn

    Active F5:

        0.0.0.0 10.X.X.X 0.0.0.0 UG 0 0 0 eth0

    Standby F5:

        0.0.0.0 63.X.X.X 0.0.0.0 UG 0 0 0 SLB_External
        0.0.0.0 10.X.X.X 0.0.0.0 UG 0 0 0 eth0
  • This is a common misconception (I think that's the right word!) There are effectively two routing tables on a BIG-IP, one for the Linux Host Management System (HMS) and one for TMM/LTM. The HMS route(s) can only be viewed at the CLI and generally use eth0; these routes are only used for management traffic such as SNMP sourced from the device, not for traffic handled by LTM. The LTM routes as seen in the GUI or at the CLI with [tmsh] show net route command are the routes used when handling traffic via a VS, NAT or SNAT.

     

     

    Anyway, this may all be moot, according to this article: https://devcentral.f5.com/wiki/iRules.NAME__lookup.ashx - "If you do not include the @{IP/Virtual Name} argument, local bind will be the target of the query. If your local bind is not set up to query recursively, and is not authoritative for the domain in question, you will receive no response"

     

     

    Is that what you are seeing, no response?
  • As Steve mentioned, can you try to include @IP in NAME::lookup instead of using local bind?

    e.g.

        [root@ve10:Active] config # b virtual bar list
        virtual bar {
           snat automap
           destination 172.28.19.252:80
           ip protocol 6
           rules myrule
           profiles {
              http {}
              tcp {}
           }
        }
        [root@ve10:Active] config # b rule myrule list
        rule myrule {
           when HTTP_REQUEST {
              log local0. "--"
              HTTP::collect
              HTTP::header replace Host "www.youramigo.com"
              NAME::lookup @8.8.8.8 www.youramigo.com
           }
           when NAME_RESOLVED {
              log local0. "--"
              node [NAME::response address 0] 80
              HTTP::release
           }
           when HTTP_RESPONSE {
              log local0. "--"
              log local0. "server [IP::server_addr]:[TCP::server_port] | status [HTTP::status]"
           }
        }

    client:

        [root@centos251 ~]# curl -I http://172.28.19.252/
        HTTP/1.1 200 OK
        Date: Wed, 20 Mar 2013 04:31:21 GMT
        Server: Apache
        Last-Modified: Thu, 21 Feb 2013 05:45:08 GMT
        ETag: "c419ae-429a-4d63593cae100"
        Accept-Ranges: bytes
        Content-Length: 17050
        Vary: Accept-Encoding
        P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
        Content-Type: text/html

    /var/log/ltm:

        [root@ve10:Active] config # tail -f /var/log/ltm
        Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
        Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
        Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : --
        Mar 20 12:20:30 local/tmm info tmm[4950]: Rule myrule : server 69.36.35.145:80 | status 200

    
  • If you want to use local bind, I understand you need to configure the "BIND Forwarder Server List" (System > Devices > DNS) and the correct recursion option, which is described in the sol below.

    sol12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file

    https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html

    Hope this helps.
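Pulling the advice in this thread together (query an explicit resolver with NAME::lookup @IP instead of relying on the local BIND, and confirm NAME::response actually returned something before handing it to node), the following iRule is an added example written for this page; it is not code from the original post, from the replies, or from F5. It goes one step beyond the thread by guarding the TCL error seen in the OP's logs with catch, falling back to a known node when the lookup returns nothing, and refusing to forward when the resolved address is outside the range the origin is expected to live in. The resolver 10.0.0.53, the fallback node 69.36.35.147 as a last-known-good address and the 69.36.35.0/24 allowlist are assumptions for illustration; static:: variables need BIG-IP v10.1 or later.

```tcl
# Added example iRule, not from the original thread.
# Assumptions (hypothetical, adjust to your environment):
#   - 10.0.0.53 is an internal recursive resolver reachable from TMM
#     (the reply above used @8.8.8.8; an internal resolver is preferable)
#   - 69.36.35.147 is a last-known-good YourAmigo node used only as a fallback
#   - 69.36.35.0/24 is the range a legitimate answer is expected to fall in
when RULE_INIT {
    set static::ya_resolver  10.0.0.53
    set static::ya_host      "blah.youramigo.com"
    set static::ya_fallback  69.36.35.147
    set static::ya_allowed   69.36.35.0/24
}

when HTTP_REQUEST {
    # Rewrite the Host header so the origin sees the name it expects,
    # then hold the request until the lookup completes.
    HTTP::header replace Host $static::ya_host
    HTTP::collect
    # Query an explicit resolver. Without @IP the lookup goes to the BIG-IP's
    # local named, which answers only if it is forwarding/recursing.
    NAME::lookup @$static::ya_resolver $static::ya_host
}

when NAME_RESOLVED {
    # NAME::response raises a TCL error when there was no answer (the
    # "while executing NAME::response address 0" seen in /var/log/ltm),
    # so wrap it in catch instead of letting the rule abort mid-request.
    if { [catch { set addr [NAME::response address 0] }] || $addr eq "" } {
        log local0. "Lookup of $static::ya_host failed, using fallback $static::ya_fallback"
        set addr $static::ya_fallback
    } elseif { ![IP::addr $addr equals $static::ya_allowed] } {
        # A DNS answer is unauthenticated input: do not send client traffic
        # to whatever address a resolver (or a spoofed reply) handed back.
        log local0. "Resolved $static::ya_host to unexpected address $addr, rejecting"
        reject
        return
    }
    log local0. "Forwarding to YourAmigo at $addr"
    node $addr 80
    HTTP::release
}
```

Watch /var/log/ltm after applying it: a successful path logs "Forwarding to YourAmigo at <address>", a resolver failure logs the fallback line, and an answer outside the allowlist logs the rejection. If the fallback line appears constantly, the resolver is unreachable from TMM (check the TMM routes with tmsh show net route, not the host netstat -rn, as noted above).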