BIG-IP for SIP resources running in Kubernetes
Hello, We are trying to setup Virtual Server using BIG-IP that would server as a Load Balancer for SIP traffic for resources that are deployed in Kubernetes cluster and exposed through NodePort. Our F5 is not part of the Kubernetes cluster and it is a standalone Virtual Machine that sends its traffic to NodePort service of our SIP resources. We are facing few issues and hope someone can help us understand them. UDP not working When we try to use UDP the problem is that F5 (10.224.64.223) sends SIP OPTIONS to ip address/port that we defined as access point for SIP elements in Kubernetes (Node IP and NodePort port, 10.224.64.222, port:31131). But due to Kubernetes deployment, responses are sent from different IP address and port (10.224.64.222, port 30834). And this gets rejected by the F5. 10:17:23.695039 IP 10.224.64.223.51938 > 10.224.64.222.31131: UDP, length 575 out slot1/tmm1 lis=mon_mrf_sip_udp port=1.2 trunk= 10:17:23.700849 IP 10.224.64.220.30834 > 10.224.64.223.51938: UDP, length 520 in slot1/tmm0 lis= port=1.2 trunk= 10:17:23.700949 IP 10.224.64.223 > 10.224.64.220: ICMP 10.224.64.223 udp port 51938 unreachable, length 36 out slot1/tmm0 lis= port=1.2 trunk= Even the usage of macvlan on Kubernetes pods does not help. With macvlan we manage to achieve that IP address is preserved (10.226.64.225), but still the port changes (5060 -> 25404). And F5 rejects it. 10:42:07.370926 IP 10.224.64.223.54412 > 10.224.64.225.5060: SIP: OPTIONS sip:10.224.64.225:5060 SIP/2.0 out slot1/tmm0 lis= port=1.2 trunk= 10:42:07.378237 IP 10.224.64.225.25404 > 10.224.64.223.54412: UDP, length 425 in slot1/tmm0 lis= port=1.2 trunk= 10:42:07.378325 IP 10.224.64.223 > 10.224.64.225: ICMP 10.224.64.223 udp port 54412 unreachable, length 36 out slot1/tmm0 lis= port=1.2 trunk= So I guess there is no way to have it working for UDP at all with resources being deployed in Kubernets cluster? (host-network is not an option). TCP (in Message Routing mode) not working When we try to use TCP we found out that "Standard (SIP - legacy profile)" mode behaves differently then "Message Routing" one. In case when we use "Legacy" SIP monitor via TCP it establishes a TCP connection with destination server prior to sending the SIP Options message. This is OK for us. But when we try to use "Message Routing" (from what I understood this is generally advisable for SIP traffic) for TCP monitoring, TCP connection is not established before OPTIONS message is sent and this is not acceptable by our SIP servers. So I have few questions: Is it even possible to use F5 BIG-IP TLM VE as SIP LB for SIP resources operating in Kubernetes cluster (for both UDP and TCP) or the ONLY option is to use F5 BIG-IP Next Service Proxy Kubernetes (SPK) for SIP traffic? Is there a way to somehow force F5 that does Monitoring usin Message Routing mode to open TCP connection prior to sending SIP requests? Due to UDP problem above (that probably is solvable only if SPK version is used) is some way for F5 to do the UDP-2-TCP conversion of SIP traffic? Kind Regards, Zvonimir
SIP irule for checking dialed string
Hi guys, Please help me with creating na irule for checking a dialed string in SIP INVITE request. I need to drop every call that has !=8 or !=0 symbols in the SIP INVITE. Like this: sip:3286184@206.81.166.10 I need to strip only "3286184" portion, then check if it has 8 or 0 symbols, if not I have to drop the call. That's the irule I've made but it's not working for some reason... when SIP_REQUEST { set meeting_nbr [findstr [SIP::header "INVITE"] ":" 1 "@"] if { not [string length $meeting_nbr] == 8} || { not [string length $meeting_nbr] == 0} { log local0. "SIP Drop [SIP::uri]" drop } } Please help. thanks.
Setting connection limit(call limit) to nodes while load balancing sip traffic over UDP
I have the following setup. SIP call is distributed from SBC to F5 LTM over UDP. Created a SIP persistence profile in LTM using call id as persistence key. Calls are being distributed to all nodes in the round robin and SIP messages are getting persisted. My requirement is to load balance the calls to the least active call node and limit the number of active calls to each node. i.e Nodes shall take only x number of active calls at any time. Active call is a call to which BYE is not received yet. Tried setting connection limit to each node but number of connections is always 1 on the statistics page. The connection limit is always 1 as in my case SIP is over UDP, source and destination IP & Port will be same for all calls. Is there any way in F5 LTM where we can limit the number of calls to each node and load balance the calls to the least call-taking node for SIP over UDP?
SIP TCP 5061 packets dropped by IP Forwarding Virtual Server
Hello I have a HA F5 LTM Solution running v14.1.2.3 I have an internal vlan (192.168.10.8 as Floating IP) and external vlan (192.168.13.5 as Floating IP) I also have an IP Forwarding Virtual Server that allows all 192.168.10.x servers to send packets through the F5 without making any NAT configuration. So servers in 192.168.10.0/24 network can send all protocol packets through the f5 to reach external networks. For example, 192.168.10.50 server sends a packet to 10.16.75.50 server. First, it reaches 192.168.10.8 (F5 internal vlan), then the packet is sent to a firewall (192.168.13.2 which is in the same vlan as external vlan in f5), then the firewall reaches 10.16.75.50 by static route or because it is one of its local networks. The problem comes when this packets are from SIP protocol (TCP 5061 SIP REGISTER), I see that the f5 drops this packets even though the IP Forwarding Virtual Server should allow them because it allows TCP packets and all ports are permitted. Do I need to create something different from my IP Forwarding virtual server? ps: When I run tcpdump in F5, I see SIP traffic coming to internal vlan interface but nothing egresses by the external vlan interface
F5 LTM and simple centos voice server
i want to load balance 2 centos web servers created pool , pol members with port 5060 created udp profile choose udp for virtual server selected snat automap / in another time created a snat pool connected ip phone to the ip of the virtual server the ip phone registered succesfully but when the first back end server is down or forced down / the phone doesnt register to the second identical one it is stuck on the firstSIP 200 OK dropped when used NAT rules in LTM.
In one of our customer deployment, where BIG-IP LTM is used, sometime we have noticed that for certain SIP MESSAGE packets when 200 OK is received from SIP server, then LTM is dropping the 200 OK when NAT is configured. All the flow is happening over UDP. Can you please indicate any troubleshoot guide by which we can identify the possible reason of packet drop. does LTM has capability to identify SIP 200 OK of SIP MESSAGE only and due to some miss configuration it will get dropped. Please helpSource port of SIP UDP request gets translated regardless of source port setting 'preserve strict'
Hi Guys, I configured a SIP (UDP) service on a 11.5.1 HF3 LTM at a customer site. A SIP profile is bound to the SIP Virtual Service. The LTM ist set up in the L3 Path. Most of the VS configuration ist default. What I see is, that the LTM translates the source port on the traffic from the LTM to the SIP server. The behaviour does not change if I configure 'preserve strict' on the source port setting in the VS: 09:47:50.418275 IP 1.1.1.1.sip > 1.1.2.1.sip: SIP, length: 452 (client to SIP VS on LTM) 09:47:50.418560 IP 1.1.1.1.25350 > 1.1.3.1.sip: SIP, length: 547 (forwarded request to SIP server) 09:47:50.424877 IP 1.1.3.1.sip > 1.1.1.1.25350: SIP, length: 378 (response from SIP server) 09:47:50.424927 IP 1.1.2.1.sip > 1.1.1.1.sip: SIP, length: 277 (response form LTM VS to client) Any ideas? Thanks, RolfPlain old NAT and SIP
Hello, What would be the easiest way to just NAT SIP traffic without terminating SIP connection on F5 as suggested in their official document here https://www.f5.com/pdf/deployment-guides/load-balancing-sip-dg.pdf. I don't want any SIP traffic engineering or anything fancy. Just NAT and SIP adjustment accordingly. I have a SIP gateway and a separate media server (on a different IP). So clients (firewall inside) always go to SIP gateway (firewall outside) and never talk to each other directly. Please advise. Thank You! Bojan