Hi, I am looking for a way to see what is source and destination and VIP/VS that is used for this traffic tcpdump -ni external:nnn -s0 tcp port 22 I am seeing Self IP of F5 as source and destination as 192.168.1.10 server. But not sure about what is the source of this connection. Can irule help find which VS is used and where the connection is originated from? I thoguht :nnn will give more information but as the source is self IP not sure how to troubleshoot this further BIG-IP 10.1.0 Build 3341.0 Final I saw few irule examples for HTTP / TCP / UDP but not sure which VS should i apply this to get more information Any help on this will be appreciated Thanks C

you may check source port. bigip tries to use the same source port on server-side. irule logging is also usable. e.g. [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.252:22 ip protocol 6 rules myrule } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:22 {} } [root@ve10:Active] config b self 200.200.200.10 list self 200.200.200.10 { netmask 255.255.255.0 vlan internal allow default } (1) - (3) is client-side connection and (4) - (6) is server-side connection [root@ve10:Active] config tcpdump -nni 0.0 -s0 port 22 and not host 192.168.206.75 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes (1) 22:07:04.047446 IP 172.28.20.120.46154 > 172.28.19.252.22: S 2301043389:2301043389(0) win 14600 in slot1/tmm0 lis= (2) 22:07:04.047481 IP 172.28.19.252.22 > 172.28.20.120.46154: S 1607017789:1607017789(0) ack 2301043390 win 4380 out slot1/tmm0 lis=bar (3) 22:07:04.050367 IP 172.28.20.120.46154 > 172.28.19.252.22: . ack 1 win 115 in slot1/tmm0 lis=bar (4) 22:07:04.050407 IP 200.200.200.10.46154 > 200.200.200.101.22: S 3026268657:3026268657(0) win 4380 out slot1/tmm0 lis=bar (5) 22:07:04.051415 IP 200.200.200.101.22 > 200.200.200.10.46154: S 2681472808:2681472808(0) ack 3026268658 win 5792 in slot1/tmm0 lis=bar (6) 22:07:04.051427 IP 200.200.200.10.46154 > 200.200.200.101.22: . ack 1 win 4380 out slot1/tmm0 lis=bar [root@ve10:Active] config b rule myrule list rule myrule { when SERVER_CONNECTED { log local0. "client-side [IP::client_addr]:[TCP::client_port] > [clientside {IP::local_addr}]:[clientside {TCP::local_port}] | server-side [IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]" } } [root@ve10:Active] config tail /var/log/ltm Feb 27 22:07:04 local/tmm info tmm[22185]: Rule myrule : client-side 172.28.20.120:46154 > 172.28.19.252:22 | server-side 200.200.200.10:46154 > 200.200.200.101:22

Thanks nitass!! This command doesn't show any information - b virtual bar list Can you please clarify?

This command doesn't show any information - b virtual bar list "bar" is my virtual server name. i used it to show you my testing configuration just for reference. why did you run that command??

aah! my bad. Can you please give more info on troubleshooting? what tcpdump should i run for this?

I have only one VS with port 22 but i don't see any connections on it. Anyways to find out which VS is used for that specific traffic? Thanks

irule to figure out source and destination

20 Replies

C_14818
Nimbostratus
Feb 28, 2013
Command: tcpdump -nni 0.0 -s0 tcp port 22
nitass
Employee
Feb 28, 2013
is 10.11.11.5 floating selfip or non-floating selfip?

does the virtual server have snat automap (snat automap setting under virtual server configuration)?

does the pool have health monitor?
C_14818
Nimbostratus
Feb 28, 2013
self 10.11.11.5 {

netmask 255.255.255.0

vlan external

allow default

I am not sure if this Virtual server is used but below is setup for Virtual server where SSH is allowed

It is not using SNAT Auto Map but using a custom SNAT Pool

snatpool my_ftpvm_snat {

members 10.11.11.5

}

IT is using gateway_icmp Health monitor. One more setting i see is Type Performance (Layer 4) in VS and Protocol is TCP
C_14818
Nimbostratus
Mar 02, 2013
Any help on this? Is there any other way to find out where the traffic is getting originated?

Thanks
nitass
Employee
Mar 02, 2013
Is there any other way to find out where the traffic is getting originated?what about "b conn" or "tmsh show sys connection"?
C_14818
Nimbostratus
Mar 02, 2013
Thanks! I still don't see the source as different IP address

Source is F5 - End server - End server. This is so weird. Cannot find where is the connection originating from?

Other possibilities?

nitass

Employee

Mar 02, 2013

this is mine.

 bigpipe

[root@ve10:Active] config  b conn ss server 200.200.200.101 show all
VIRTUAL 172.28.19.252:22 <-> NODE 200.200.200.101:22   TYPE any   1/0
    CLIENTSIDE 192.168.206.75:62025 <-> 172.28.19.252:22
        (pkts,bits) in = (20, 2520)   out = (16, 3136)
    SERVERSIDE 200.200.200.10:62025 <-> 200.200.200.101:22
        (pkts,bits) in = (21, 3336)   out = (19, 2480)
    PROTOCOL 6   UNIT 1   IDLE 85 (300)   LASTHOP external 00:01:e8:d5:d4:47

 tmsh

[root@ve10:Active] config  tmsh show sys connection ss-server-addr 200.200.200.101 all-properties
Sys::Connections
192.168.206.75:62025 - 172.28.19.252:22 - 200.200.200.101:22
------------------------------------------------------------
  TMM           0
  Type          any
  Protocol      tcp
  Idle Time     116
  Idle Timeout  300
  Unit ID       1
  Lasthop       external 00:01:e8:d5:d4:47
  Virtual Path  172.28.19.252:22

                         ClientSide            ServerSide
  Client Addr  192.168.206.75:62025  200.200.200.10:62025
  Server Addr      172.28.19.252:22    200.200.200.101:22
  Bits In                     20.1K                 26.6K
  Bits Out                    25.0K                 19.8K
  Packets In                     20                    21
  Packets Out                    16                    19

Total records returned: 1

C_14818
Nimbostratus
Mar 02, 2013
I see this

[admin@F5-01:Active] ~ b conn ss server 192.168.1.10 show all

VIRTUAL any%65535 <-> NODE 192.168.1.10:8 TYPE local 1/1

CLIENTSIDE 10.11.11.5:17343 <-> 192.168.1.10:8

(pkts,bits) in = (1, 40) out = (1, 40)

SERVERSIDE 10.11.11.5:17343 <-> 192.168.1.10:8

(pkts,bits) in = (1, 40) out = (1, 40)

PROTOCOL icmp UNIT 0 IDLE 9 (10) LASTHOP external 00:01:d7:b0:45:04

VIRTUAL any%65535 <-> NODE 192.168.1.10:8 TYPE local 1/0

CLIENTSIDE 10.11.11.5:34690 <-> 192.168.1.10:8

(pkts,bits) in = (1, 40) out = (1, 40)

SERVERSIDE 10.11.11.5:34690 <-> 192.168.1.10:8

(pkts,bits) in = (1, 40) out = (1, 40)

PROTOCOL icmp UNIT 0 IDLE 4 (10) LASTHOP external 00:01:d7:b0:45:04

[admin@F5-01:Active] ~ tmsh show sys connection ss-server-addr 192.168.1.10 all-properties

Sys::Connections

10.11.11.5:34162 - 192.168.1.10:8 - 192.168.1.10:8

-----------------------------------------------------

TMM 0

Type self

Protocol icmp

Idle Time 4

Idle Timeout 10

Unit ID 0

Lasthop external 00:01:d7:b0:45:04

Virtual Path 192.168.1.10:8

ClientSide ServerSide

Client Addr 10.11.11.5:34162 10.11.11.5:34162

Server Addr 192.168.1.10:8 192.168.1.10:8

Bits In 320 320

Bits Out 320 320

Packets In 1 1

Packets Out 1 1

10.11.11.5:14811 - 192.168.1.10:8 - 192.168.1.10:8

-----------------------------------------------------

TMM 1

Type self

Protocol icmp

Idle Time 9

Idle Timeout 10

Unit ID 0

Lasthop external 00:01:d7:b0:45:04

Virtual Path 192.168.1.10:8

ClientSide ServerSide

Client Addr 10.11.11.5:14811 10.11.11.5:14811

Server Addr 192.168.1.10:8 192.168.1.10:8

Bits In 320 320

Bits Out 320 320

Packets In 1 1

Packets Out 1 1

Total records returned: 2

you can see client side is also F5 IP address. Does this give any info?
nitass
Employee
Mar 02, 2013
you can see client side is also F5 IP address. Does this give any info?that is gateway_icmp health monitor.
C_14818
Nimbostratus
Mar 02, 2013
I saw sometime SSH connections too. I will try and capture that but only difference is destination port is SSH

Thanks

Forum Discussion

irule to figure out source and destination

20 Replies

Recent Discussions

iRule resulting in too many redirects

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

cat and grep command for rst messages

iControl for Gtm wideip

Telemetry streaming to Elasticsearch

Related Content

Block destination IP by source IP

Destination address at F5

Solving for true-source IP with global load balancers in Google Cloud

F5 AFM Source / Destination NAT

Different policies same destination and pool