iRule - unexpected behavior
Hello Community, I have recently experienced unexpected behavior from an iRule, where the HTTP responses were intermittent and a failure was detected on the last event in the iRule, HTTP_RESPONSE_RELEASE. We have noticed the odd behaviour started when the log destination pool members failed to respond to the health-check monitor (server down). Below is a snippet of the iRule event where the failure was observed.

    when HTTP_RESPONSE_RELEASE {
        # figure out the final duration and add it to the IPFIX log
        set stop [expr {[clock click -milliseconds] - $start}]
        IPFIX::msg set $rule1_msg1 flowDurationMilliseconds $stop
        # send the IPFIX log
        IPFIX::destination send $static::http_rule1_dest $rule1_msg1
    }

I'm questioning two things:
Why was the failure intermittent, and why hasn't it affected all responses?
Why did the pool members' status affect the iRule when they went down?
I'd appreciate any explanation. Regards, Sarah.
542 Views, 0 likes, 6 Comments

IPFIX Elements
Hello Everyone, I have created an iRule to query the HTTP hostname, URI, and response code and ship them along with other info to Elastic collectors through an IPFIX log publisher, but we came to an issue that the collectors were not able to decode the template, with the error message "unsupported field in template". I have been using the standard IPFIX elements built into the BIG-IP system in my iRule. Below is a snippet of the iRule and the IPFIX elements used:

    if { $static::http_rule1_tmplt == ""} {
        # if the template has not been created yet, create the template
        set static::http_rule1_tmplt [IPFIX::template create "flowStartMilliseconds \
            sourceIPv4Address \
            tcpSourcePort \
            destinationIPv4Address \
            tcpDestinationPort \
            postNATDestinationIPv4Address \
            postNAPTDestinationTransportPort \
            httpHostname \
            httpUrl \
            httpResponseCode \
            flowEndMilliseconds \
            "]
    }

When trying to analyze the traffic through Wireshark, we noticed the HTTP elements are showing as [pen: F5 Networks Inc]; I wonder if this has to do with the collectors not being able to decode the template? Thank you!
Solved, 815 Views, 0 likes, 2 Comments

F5 Integration with Cisco Stealthwatch (Lancope) via IPFIX/SFLOW
Has anyone been able to integrate F5 with Cisco Stealthwatch (Lancope)? We are interested in collecting information about the client, virtual server and pool member IPs. I was trying this via an iRule for IPFIX, but ran into issues. Has anyone set this up with sFlow as well? If you have any alternatives for logging this SNAT information via a different means, that would be helpful as well.
438 Views, 0 likes, 0 Comments

Referencing flowEndSysUpTime (21) and flowStartSysUpTime (22) IPFIX Entities in iRule
I am trying to see if I can set up F5 to send IPFIX data to Cisco Stealthwatch (Lancope). Two required IP Flow Information Export (IPFIX) Entities are flowEndSysUpTime (21) and flowStartSysUpTime (22). I have been following instructions from here to create the IPFIX template iRule. How do I reference relative timestamps in this iRule? IANA documentation mentions that this is related to sysUpTime or systemInitTimeMilliseconds on the F5. I am guessing that I need to reference this at the beginning and end of the flow, but I am not sure 100% how to do this. Thanks for your help.
353 Views, 0 likes, 0 Comments