
Migrate F5 iRule automap to NetScaler



Hi,

   I installed some NS VPX to migrate from F5 LTM, but I have a problem translating some of the configuration.

   I need help / a guide to create a Rewrite, Responder or similar policy to migrate this iRule:

when LB_SELECTED {
    # compare the client's /24 with the /24 of the pool member that was just selected
    if { [IP::addr [IP::client_addr]/24 equals [LB::server addr]/24] } {
        # same subnet: source-NAT so the return traffic comes back through the BIG-IP
        snat automap
    }
}

   I already use USIP to send the client IP to the servers, but some clients are in the same network as the servers, which generates asymmetric traffic. In this case I need to send the SNIP as the source IP.

   I found this expression to detect the client IP, CLIENT.IP.SRC.IN_SUBNET(x.x.x.x/24), but I don't know how to replace the client IP when I send the request to the server.

Thanks.


28 minutes ago, Carl Stalhood1709151912 said:

By default, ADC replaces source IP with SNIP. Just leave USIP unchecked and SNAT will occur.

Hi Carl.
Yes, I have several VS configured that way, but this is a special case: the normal situation with this VS is with the USIP feature enabled, to present the client IP to the server, and that works OK, but in the situation described before I need to make this SNAT... I know it's very special, but with the F5 iRule this function works perfectly, so I'm looking for something like this, if it's possible. Thanks.

 


I think you're looking for content switching based on Client IP address. If expression is true then send the traffic to a LB vServer that has USIP disabled. Otherwise send to a LB vServer that has USIP enabled.

 

I don't see an expression that can get the VIP of the vServer but you can hard-code the VIP subnet in your Content Switching expression.

 

 


17 minutes ago, Carl Stalhood1709151912 said:

I think you're looking for content switching based on Client IP address. If expression is true then send the traffic to a LB vServer that has USIP disabled. Otherwise send to a LB vServer that has USIP enabled.

 

I don't see an expression that can get the VIP of the vServer but you can hard-code the VIP subnet in your Content Switching expression.

 

 

Great!! I forgot the CS possibilities. I just need to create the correct expression; some help for that? I'm a beginner with these items and with how to use policies, actions, ...


I'm trying this configuration; at least the USIP traffic works OK. I still need to test the "automap" flows...

add serviceGroup SG_SERVERS_SNIP_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -monConnectionClose RESET
bind serviceGroup SG_SERVERS_SNIP_443 server01 443
add serviceGroup SG_SERVERS_USIP_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -monConnectionClose RESET
bind serviceGroup SG_SERVERS_USIP_443 server01 443

add lb vserver VS_SERVERS_SNIP_443 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver VS_SERVERS_SNIP_443 SG_SERVERS_SNIP_443
add lb vserver VS_SERVERS_USIP_443 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver VS_SERVERS_USIP_443 SG_SERVERS_USIP_443

add cs action ACT_SERVERS_SNIP_443 -targetLBVserver VS_SERVERS_SNIP_443
add cs policy POL_SERVERS_SNIP_443 -rule "CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)" -action ACT_SERVERS_SNIP_443

add cs vserver VS_SERVERS_443 HTTP 10.10.10.10 443 -cltTimeout 180 -persistenceType NONE
bind cs vserver VS_SERVERS_443 -policyName POL_SERVERS_SNIP_443 -priority 100
bind cs vserver VS_SERVERS_443 -lbvserver VS_SERVERS_USIP_443

  More tests on Monday...

Thanks a lot Carl!!

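To check the static content-switching rule against the dynamic behaviour of the original iRule, here is an added Python model (not NetScaler or F5 code, and not part of this thread): it parses the IN_SUBNET prefix from the posted CS policy, emulates both decisions, and lists any server /24 that the hard-coded prefix does not cover. server01's address is an assumption.

```python
import ipaddress
import re

# Constructed sample input mirroring the objects in the thread (server01's address is assumed).
CS_RULE = "CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)"
SERVICE_GROUP_MEMBERS = {"server01": "10.10.20.15"}
SNIP_VSERVER, USIP_VSERVER = "VS_SERVERS_SNIP_443", "VS_SERVERS_USIP_443"


def parse_in_subnet(rule: str) -> ipaddress.IPv4Network:
    """Extract the hard-coded prefix from a CLIENT.IP.SRC.IN_SUBNET(...) expression."""
    m = re.fullmatch(r"CLIENT\.IP\.SRC\.IN_SUBNET\(([\d./]+)\)", rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    return ipaddress.ip_network(m.group(1), strict=False)


def cs_target(client_ip: str, rule: str) -> str:
    """Static NetScaler decision: a client inside the prefix is sent to the USIP-off (SNIP) vserver."""
    if ipaddress.ip_address(client_ip) in parse_in_subnet(rule):
        return SNIP_VSERVER
    return USIP_VSERVER


def irule_snats(client_ip: str, server_ip: str, prefix: int = 24) -> bool:
    """Dynamic F5 semantics: compare the client's /24 with the /24 of the server actually selected."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    server_net = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    return client_net == server_net


def uncovered_server_subnets(rule: str, members: dict, prefix: int = 24) -> list:
    """Server /24s the static CS rule would not match. Clients on such a subnet would still be
    routed to the USIP vserver, so the asymmetric return path the iRule avoided comes back."""
    cs_net = parse_in_subnet(rule)
    server_nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in members.values()}
    return sorted(str(n) for n in server_nets if not n.subnet_of(cs_net))
```

Because the CS expression cannot look at the selected server, re-run the coverage check whenever a member in a new subnet is bound to the service group.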

  • 1 month later...

Hi,

 

Finally I made the NetScaler work as I needed; I had to do several configurations:

  •     Content Switching to separate the traffic based on the client IP.
  •     Policies and actions to identify the client IP.
  •     Net Profiles to communicate with the servers based on the client IP.
  •     Virtual Servers and Service Groups for every different traffic flow.
  •     PBR so that return traffic coming from a VIP is routed via the default gateway IP instead of the SNIP, where the client and server are.

After all of this, it works!!!

 

Thanks.

 


One more thing:

 

   I had to change the protocol in content switching when using port 443 with the HTTP protocol:

  • add lb vserver VS_SERVERS_SNIP_443 HTTP 0.0.0.0 0
  • add cs vserver VS_SERVERS_443 HTTP 10.10.10.10 443 --> does not work; the browser reports a certificate_too_long error
  • add lb vserver VS_SERVERS_SNIP_443 TCP 0.0.0.0 0
  • add cs vserver VS_SERVERS_443 TCP 10.10.10.10 443 --> works fine; I don't know why it doesn't with the HTTP protocol.
  • add lb vserver VS_SERVERS_SNIP_80 HTTP 0.0.0.0 0
  • add cs vserver VS_SERVERS_80 HTTP 10.10.10.10 80 --> works fine, too

 

If I configure a virtual server with the same port 443, the HTTP protocol and the same service group, it works:

  • add lb vserver VS_SERVERS_SNIP_443 HTTP 10.10.10.20 443

Does anyone know why??

 

Thanks again.

 
