This iRules command creates a related ephemeral listener and returns the TCL handle for the listener. bind address and port can be omitted. It is recommend that users don’t set this, so the command can choose an IP:port based on the server address specified and also conforms to source translation config. If the server address is on the clientside, then bind IP::port will be a valid endpoint on the clientside and conforms to the source translation config on the clientside. If the sever address is on the serverside, then bind IP::port will be a valid endpoint on the serverside and conforms to the source translation on config serverside, if any.
When configured source translation is LSN or SECURITY-DYNAMIC-PAT, a reserved endpoint is also created for bind address:port. If user has already created a reserved endpoint (using XLAT::src_endpoint_reservation), then it will be reused provided the allow address:port match the client address:port used to reserve the endpoint.
String representaion of the handle:
"<local addr>%<local route domain id>,<local port>,<remote addr>%<remote route domain id>,
<remote port>,<server addr>%<server route domain id>,<server port>,<vlan id>,<protocol number>".

Route domain is not printed when zero.


Deprecated in BIG-IP Next v20.0.1


XLAT::listen [-hairpin] [-inherit-main-rules] [-single-connection] [-translation-loose] <lifetime> {
  [proto <ip_protocol>]
  bind -allow|-deny <vlan list> [-ip <addr>] [-port <port>]
  server <addr> <port>
  [allow <addr> [<port>]]
  [inherit-vs <virtual name>]

Sets up a related ephemeral listener to allow an incoming related connection to be established:
  • -hairpin: This listener will be used for accepting hairpin connections only. This option is supported with LSN and SECURITY-DYNAMIC-PAT source translation config only. This option should be used when hairpin connections from other subscribers using LSN or SECURITY-DYNAMIC-PAT are anticipated, as such the incoming subscriber flow (does not have to be the same as listener subscriber) must match an existing virtual-server with a LSN or SECURITY-DYNAMIC-PAT source translation pool attached.
  • -inherit-main-rules: The created listener executes the main rules(tmsh list ltm virtual rules) attached to parent virtual. Related rules are executed by default(tmsh list ltm virtual related-rules)
  • -single-connection: Listener expires after one connection is received.
  • -translation-loose: The command will try to use the hint data(-ip and/or -port) provided. Command will not fail if the provided hints cannot be used.
  • lifetime: The number of seconds to hold the listener open waiting on a connection, parameter is required.
  • proto: Set the protocol that the listener should listen for. If not specified this is determined using the parent connection.
  • bind: vlan/ifc list, addr, port to listen on. -allow/-deny determine if the vlan list is an allow or a deny list. “*” can be used to denote all vlans. For hairpin connections a separate listener must be created. Just enabling the listener on all VLANS will not work for hairpinning.
  • server: The address and port to connect the listening connection to.
  • allow: The address and optional port to restrict the incoming connection to.
  • inherit-vs: inherit the profiles, irules, and protocol of the provided virtual server.


    set listen [XLAT::listen -inherit-main-rules 30 {
        proto [IP::protocol]
        bind -allow [LINK::vlan_id],/Common/public1 -ip [serverside {IP::local_addr}]
        server [IP::client_addr] 7000
        allow [LB::server addr] 0
        inherit-vs [virtual]
    log local0. "LISTEN: $listen"

    # hairpin
    set listen_hairpin [XLAT::listen -hairpin 30 {
        proto [IP::protocol]
        bind -allow [clientside {LINK::vlan_id}]
        server [IP::client_addr] 7000