
gscholz
Feb 20, 2019

Request for interpretation of iRule entries in ltm log and further troubleshooting steps

I have set up a wildcard forwarding virtual server in order to let outbound traffic from backend servers through the F5 to the internet. In order to restrict the permitted traffic (DNS, HTTP, HTTPS, NTP and ICMP) I have created the following iRule and associated it with the VS:

when CLIENT_ACCEPTED {
    # Permit only DNS (TCP/UDP 53), HTTP (80), HTTPS (443), NTP (UDP 123) and ICMP (IP protocol 1);
    # everything else initiated through this forwarding VS is rejected and logged.
    if { not (
        [TCP::local_port] == 53
        or [TCP::local_port] == 80
        or [TCP::local_port] == 443
        or [UDP::local_port] == 53
        or [UDP::local_port] == 123
        or [IP::protocol] == 1 )
    } then {
        # reject resets the flow but the rule keeps executing, so the log line below is still written
        reject
        switch [IP::protocol] {
            6 {
                log local0. "Request rejected from backend server: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            }
            17 {
                # UDP flow: log the UDP destination port (the original logged TCP::local_port here)
                log local0. "Request rejected from backend server: [IP::client_addr]:[UDP::client_port] -> [IP::local_addr]:[UDP::local_port]"
            }
            default {
                # neither TCP nor UDP (e.g. ICMP): there is no port to report
                log local0. "Request rejected from backend server: [IP::client_addr], IP Protocol [IP::protocol] -> [IP::local_addr]"
            }
        }
    }
}

I would expect this iRule to log only connections where the backend server initiates the connection. However, in some cases it also logs connections that I expect to have been initiated from the internet towards the backend servers. I am logging those as well now, and in the ltm log I can see the following behaviour:

Feb 19 11:00:49 f5-ltm info tmm1[21115]: Rule /Common/ir_inbound : Connection from external_host:34450 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm2[21115]: Rule /Common/ir_inbound : Connection from external_host:34454 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm[21115]: Rule /Common/ir_inbound : Connection from external_host:34458 -> vs_ip:443
[non-failing connections snipped]
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454

As you can see, the inbound connections get accepted, but for some of them it looks as if the response two seconds later gets interpreted as a new connection and therefore dropped. It happens maybe once or twice per day, at irregular intervals, and has no massive impact as it is only a monitoring tool that then gets the required information the next time.

Several questions:

  1. Why, oh why does that happen? 🙂
  2. What can I do to further troubleshoot these connections without massive impact on the system?
  3. What does it mean if the connection shows 0 as the source port?

Thanks in advance!
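One low-impact way to work question 2 is to correlate the existing ltm log offline instead of adding more logging on the box: a reject from ir_filter_out whose destination (external host and port) equals the source of an inbound accept logged by ir_inbound a couple of seconds earlier is the pattern shown above, and a reject with no such match is a genuinely backend-initiated flow. The script below is an added example, not part of the original post and not an F5 tool; it assumes the log year is 2019 (syslog timestamps carry no year), uses the post's own placeholder hostnames, and treats a 10-second window and the extra other_host:25 line as constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: syslog timestamps carry no year; the post is from February 2019.
LOG_YEAR = 2019

# Constructed sample: the accept/reject lines quoted in the post (hostnames and
# vs_ip are the poster's placeholders) plus one constructed reject of a genuinely
# backend-initiated flow (other_host:25) that must NOT be correlated.
SAMPLE_LOG = """\
Feb 19 11:00:49 f5-ltm info tmm1[21115]: Rule /Common/ir_inbound : Connection from external_host:34450 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm2[21115]: Rule /Common/ir_inbound : Connection from external_host:34454 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm[21115]: Rule /Common/ir_inbound : Connection from external_host:34458 -> vs_ip:443
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454
Feb 19 11:05:00 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:51234 -> other_host:25
"""

# "Feb 19 11:00:49 f5-ltm info tmm1[21115]: Rule /Common/ir_inbound : <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"(?P<tmm>tmm\d*)\[\d+\]: Rule (?P<rule>\S+) : (?P<msg>.*)$"
)
# "<host>:<port> -> <host>:<port>" as written by both iRules' log statements
FLOW_RE = re.compile(r"(?P<sh>[\w.\-]+):(?P<sp>\d+) -> (?P<dh>[\w.\-]+):(?P<dp>\d+)")


def parse_ltm_log(text):
    """Turn ltm log lines into flow events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = FLOW_RE.search(m["msg"])
        if not flow:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR),
            "tmm": m["tmm"],
            "rule": m["rule"].rsplit("/", 1)[-1],   # /Common/ir_inbound -> ir_inbound
            "src": (flow["sh"], int(flow["sp"])),
            "dst": (flow["dh"], int(flow["dp"])),
        })
    return events


def correlate_rejects(events, inbound_rule="ir_inbound", reject_rule="ir_filter_out", window_s=10):
    """Split reject entries into those that look like return traffic of a recently
    accepted inbound connection (reject destination == accept source within
    window_s seconds) and everything else. Events are assumed to be in log order."""
    accepted_at = defaultdict(list)      # (client_host, client_port) -> accept timestamps
    suspect, other = [], []
    for ev in events:
        if ev["rule"] == inbound_rule:
            accepted_at[ev["src"]].append(ev["ts"])
        elif ev["rule"] == reject_rule:
            recent = [t for t in accepted_at.get(ev["dst"], [])
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_s]
            if recent:
                suspect.append({**ev, "accepted_at": max(recent),
                                "delay_s": (ev["ts"] - max(recent)).total_seconds()})
            else:
                other.append(ev)
    return {"suspect_return_traffic": suspect, "other_rejects": other}


def summarize(suspect):
    """Per affected client: reject count, rejects carrying backend port 0, TMMs involved."""
    summary = defaultdict(lambda: {"rejects": 0, "port0": 0, "tmm": set()})
    for ev in suspect:
        s = summary[ev["dst"]]
        s["rejects"] += 1
        if ev["src"][1] == 0:
            s["port0"] += 1
        s["tmm"].add(ev["tmm"])
    return dict(summary)


if __name__ == "__main__":
    result = correlate_rejects(parse_ltm_log(SAMPLE_LOG))
    for client, s in summarize(result["suspect_return_traffic"]).items():
        print(f"{client[0]}:{client[1]} rejected {s['rejects']}x "
              f"({s['port0']} with backend port 0) on {sorted(s['tmm'])}")
    print(f"{len(result['other_rejects'])} reject(s) not matching any recent inbound accept")
```

Run it against a copy of /var/log/ltm pulled off the box (swap SAMPLE_LOG for the file contents) and the per-client summary tells you which accepted inbound flows were later rejected, how long after the accept, which TMM handled each side, and how often the port-0 variant appears; the TMM column is worth keeping because the post's excerpt shows the accept and the reject for a given client port on the same TMM, which is a useful data point to hand to support.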

1 Reply

  • What do the virtual servers look like? Just a 443 incoming and 0.0.0.0/0 forwarding for the outbound traffic? The 0 port typically means an all ports VIP, but that doesn't make sense for this scenario. It almost looks like the return traffic is missing the connection table on the inbound VIP, and hitting the forwarding VIP.

    Can you post the second iRule and "tmsh list virtual" for those VIPs?

    I'd recommend working with support on this, they should be able to hop on a call with you to track it down.