Friday, July 31, 2009

How to trace end-to-end connections on the Netscaler Load-balancer

HOW-TO: View Active Sessions End-To-End on the Netscalers

First, the easiest way to see the source IPs of traffic is via the ASA firewall logs in syslog.

So to see where FTP connections are coming from, you could use something like:

grep [ftp cluster vip] syslog | grep -v ICMP | grep -v [monitoring host's ip] | grep -v local-host


This greps the syslog file for the Netscaler virtual IP of the ftp-cluster and filters out ICMP and monitoring-host traffic (as well as connections to itself).

Additionally, you can see all the active connections on a netscaler by ssh'ing to the CLI and running:

> show connectiontable | grep [ftp cluster vip]
[client ip] 45534 [ftp cluster vip] 21 FTP 7 TIME_WAIT
[client ip] 32570 [ftp cluster vip] 21 FTP 9 ESTABLISHED


That shows you where they're coming from. To also find out where they're going, you need to check the persistent connections:

> show persistence
Type SRC-IP DST-IP PORT VSNAME TIMEOUT REF_CNT
SOURCEIP [client ip] [ftp server ip] 21 ftp_cluster 103 1
SOURCEIP [client ip] [ftp server ip] 21 ftp_cluster 0 1
SOURCEIP [client ip] [ftp server ip] 21 ftp_cluster 75 0
SOURCEIP [client ip] [ftp server ip] 21 ftp_cluster 91 0


NOTE: This only works on vservers where persistence is handled by source-ip.
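
To put the two listings together, here is an added example (not part of the original post) that joins saved output of show connectiontable and show persistence on client IP, giving client -> VIP -> backend rows. It assumes the column layouts shown above and that the PORT column of the persistence table matches the VIP port; every address in it is a constructed sample value.

```python
"""Join saved `show connectiontable` and `show persistence` output by client IP."""
from collections import defaultdict

# Constructed sample output (documentation-range addresses), laid out like
# the listings above. 203.0.113.10 stands in for the FTP cluster VIP.
CONNECTIONTABLE = """\
198.51.100.7 45534 203.0.113.10 21 FTP 7 TIME_WAIT
198.51.100.9 32570 203.0.113.10 21 FTP 9 ESTABLISHED
198.51.100.44 51022 203.0.113.10 21 FTP 2 ESTABLISHED
192.0.2.80 40100 203.0.113.20 80 HTTP 1 ESTABLISHED
"""
PERSISTENCE = """\
Type SRC-IP DST-IP PORT VSNAME TIMEOUT REF_CNT
SOURCEIP 198.51.100.7 10.0.0.21 21 ftp_cluster 103 1
SOURCEIP 198.51.100.9 10.0.0.22 21 ftp_cluster 75 0
"""


def parse_persistence(text):
    """Map (client ip, port) -> list of (backend ip, vserver name)."""
    table = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        # Assumption: PORT is the VIP port. Skip header and non-SOURCEIP rows.
        if len(f) != 7 or f[0] != "SOURCEIP":
            continue
        table[(f[1], f[3])].append((f[2], f[4]))
    return table


def trace(conn_text, persist_text, vip):
    """Return (client, client_port, vip, vip_port, state, backend, vserver) rows."""
    persist = parse_persistence(persist_text)
    rows = []
    for line in conn_text.splitlines():
        f = line.split()
        if len(f) != 7 or f[2] != vip:
            continue
        client, cport, _, vport, _svc, _, state = f
        # A client with no persistence entry is reported with backend None
        # rather than dropped, so the gap is visible.
        for backend, vsname in persist.get((client, vport)) or [(None, None)]:
            rows.append((client, cport, vip, vport, state, backend, vsname))
    return rows


if __name__ == "__main__":
    for row in trace(CONNECTIONTABLE, PERSISTENCE, "203.0.113.10"):
        print("{}:{} -> {}:{} [{}] -> backend {} ({})".format(*row))
```

A row whose backend is None means the client has a connection to the VIP but no source-IP persistence entry, which is what you would see on a vserver that uses a different persistence method.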

In the case of HTTP traffic, you can have a header carrying the original client IP added to the HTTP requests that hit the backend services.

There are also a number of Netscaler products that allow you to do extensive log analysis.
