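It seems that with a fastL4 profile, CLIENT_ACCEPTED is triggered before the 3-way handshake has finished.
For example, in the configuration below the iRule applies snat 123.123.123.123, which is a dummy (invalid) address, so the 3-way handshake can never be established.
Even so, the rule's log entry and the translated SYN both appear in the log and trace below, which means the event fired without a completed handshake.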
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual norf
ltm virtual norf {
destination 172.28.24.10:80
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
fastL4 { }
}
rules {
qux
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 7
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
members {
200.200.200.101:80 {
address 200.200.200.101
}
}
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
# Test iRule attached to virtual server "norf". It writes a log entry from each
# event and, for one specific client address, applies a fixed SNAT address.
when CLIENT_ACCEPTED {
# Log entry marking that CLIENT_ACCEPTED fired. The message string is empty
# as shown. NOTE(review): the original text may have been lost when the page
# was rendered; confirm against the real rule.
log local0. ""
# Apply the explicit SNAT only when the client address is 172.28.24.1.
# NOTE(review): if this event fires on the first SYN under fastL4, as the
# capture on this page suggests, IP::client_addr has not yet been confirmed
# by a completed handshake. A match here is not proof of the client's
# address, so do not rely on it alone for access decisions.
if { [IP::addr [IP::client_addr] equals 172.28.24.1/32] } {
# 123.123.123.123 is described on this page as a dummy (invalid) address.
# Return traffic cannot reach the BIG-IP, so the handshake never completes.
snat 123.123.123.123
}
}
when SERVER_CONNECTED {
# Log entry marking that the server-side connection was established. The
# message string is empty as shown, as in CLIENT_ACCEPTED above.
log local0. ""
}
}
trace
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:54:12.913262 IP 172.28.24.1.56738 > 172.28.24.10.80: S 3457045251:3457045251(0) win 5840 in slot1/tmm0 lis=
11:54:12.913445 IP 123.123.123.123.56738 > 200.200.200.101.80: S 3457045251:3457045251(0) win 5840 out slot1/tmm0 lis=/Common/norf
/var/log/ltm
[root@ve11a:Active:In Sync] config cat /var/log/ltm
Dec 9 11:54:10 ve11a notice tmm1[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:35239
Dec 9 11:54:10 ve11a notice tmm[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:35239
Dec 9 11:54:12 ve11a info tmm[14890]: Rule /Common/qux :
Dec 9 11:54:18 ve11a notice tmm1[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:35239
Dec 9 11:54:18 ve11a notice tmm[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:35239