
sb_2323_80570
Apr 14, 2014

loose initiation with CLIENT_ACCEPTED

Hi,

 

Apologies if this is a dumb question. With loose initiation enabled on a fastL4 forwarding VS, does CLIENT_ACCEPTED apply to all non-SYN packets as well?

 

5 Replies

  • Only when an entry is added to the connection table, i.e. once per flow rather than once per non-SYN packet.

    e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
    ltm virtual fwd {
        destination any:0
        ip-forward
        mask any
        profiles {
            fastl4_loose-init { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vs-index 3
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_loose-init
    ltm profile fastl4 fastl4_loose-init {
        app-service none
        loose-initialization enabled
        reset-on-timeout disabled
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        # Logs the remote and local address:port pair each time CLIENT_ACCEPTED fires on
        # the virtual server this rule is attached to (fwd in the listing above).
        when CLIENT_ACCEPTED {
      # The local0 output appears in /var/log/ltm in the capture that follows. With
      # loose-initialization enabled, the packet that creates the flow in this test is a
      # bare ACK, so a line here does not show that a TCP handshake was seen.
      log local0. "[IP::remote_addr]:[TCP::remote_port] > [IP::local_addr]:[TCP::local_port]"
    }
    }
    
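     log (a single entry, written only when the flow is added to the connection table; in the trace below that first packet is a bare ACK with no preceding SYN, so with loose initiation a log line does not imply a completed handshake)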
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    Apr 14 23:21:18 ve11a info tmm[13593]: Rule /Common/qux : 200.200.200.101:1000 > 172.28.24.1:80
    
     trace (each packet appears twice because it is captured on both the clientside and the serverside)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:21:18.760356 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 479343804 win 512 in slot1/tmm0 lis=
    23:21:18.760479 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:19.761863 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 208842138 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:19.761879 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 208842138 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:20.763643 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 892741423 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:20.763661 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 892741423 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:21.765444 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 736318704 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:21.765462 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 736318704 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:22.767125 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1288840124 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:22.767145 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1288840124 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:23.767903 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 844006575 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:23.767920 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 844006575 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:24.768801 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1230728634 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:24.768818 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1230728634 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:25.770425 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3901606585 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:25.770459 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3901606585 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:26.772254 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 4097995636 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:26.772272 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 4097995636 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:27.774036 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3847565380 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:27.774055 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3847565380 win 512 out slot1/tmm0 lis=/Common/fwd
    
  • Only when an entry is added to the connection table, i.e. once per flow rather than once per non-SYN packet.

    e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
    ltm virtual fwd {
        destination any:0
        ip-forward
        mask any
        profiles {
            fastl4_loose-init { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vs-index 3
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_loose-init
    ltm profile fastl4 fastl4_loose-init {
        app-service none
        loose-initialization enabled
        reset-on-timeout disabled
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        # Logs the remote and local address:port pair each time CLIENT_ACCEPTED fires on
        # the virtual server this rule is attached to (fwd in the listing above).
        when CLIENT_ACCEPTED {
      # The local0 output appears in /var/log/ltm in the capture that follows. With
      # loose-initialization enabled, the packet that creates the flow in this test is a
      # bare ACK, so a line here does not show that a TCP handshake was seen.
      log local0. "[IP::remote_addr]:[TCP::remote_port] > [IP::local_addr]:[TCP::local_port]"
    }
    }
    
     log (a single entry, written only when the flow is added to the connection table)
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    Apr 14 23:21:18 ve11a info tmm[13593]: Rule /Common/qux : 200.200.200.101:1000 > 172.28.24.1:80
    
     trace (each packet appears twice because it is captured on both the clientside and the serverside)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:21:18.760356 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 479343804 win 512 in slot1/tmm0 lis=
    23:21:18.760479 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:19.761863 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 208842138 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:19.761879 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 208842138 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:20.763643 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 892741423 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:20.763661 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 892741423 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:21.765444 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 736318704 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:21.765462 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 736318704 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:22.767125 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1288840124 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:22.767145 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1288840124 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:23.767903 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 844006575 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:23.767920 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 844006575 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:24.768801 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1230728634 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:24.768818 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 1230728634 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:25.770425 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3901606585 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:25.770459 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3901606585 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:26.772254 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 4097995636 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:26.772272 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 4097995636 win 512 out slot1/tmm0 lis=/Common/fwd
    23:21:27.774036 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3847565380 win 512 in slot1/tmm0 lis=/Common/fwd
    23:21:27.774055 IP 200.200.200.101.1000 > 172.28.24.1.80: . ack 3847565380 win 512 out slot1/tmm0 lis=/Common/fwd