Forum Discussion
Nov 29, 2010
Are open NAT connections maintained upon failover?
I heard someone say by default open NAT connections are maintained when a failover occurs in a HA pair..
I can't find any doc referencing this online.. Any insight?
Thanks!
9 Replies
- Chris_Miller
Altostratus
From what I can see, SNAT and Virtual Server connections are mirrored.
https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7222.html
- Yep I found the same thing.. I don't have a HA pair I can test this on right now...
Can someone from F5 chime in or someone who could test this??
Thanks!
- nitass
Employee
i'm getting stuck on some test. anyway, if no one is available, i may be able to test it tomorrow - here is about 10:30pm now.
what tmos version would u like to test?
can u explain a bit more what u want to verify?
- Thanks anything 10x is fine...
Specifically I'm trying to prove if NAT connections are maintained on a standby unit in a HA pair by default... upon failover the connections should be maintained...
- Thanks anything 10x is fine...
Specifically I'm trying to prove if NAT connections are maintained on a standby unit in a HA pair by default... upon failover the connections should be maintained...
- nitass
Employee
will do and update u all.
anyway, imo, it should work.
- What is leading you to believe it should work?
- nitass
Employee
since nat is stateless, i think we don't need mirroring.
i tested on 10.2.0. SSH and FTP survived after failing over. I didn't use mac masquerade.
BIG-IP Version 10.2.0 1707.0
Final Edition

vlan external {
   tag 4093
   interfaces 1.1
}
vlan internal {
   tag 4094
   interfaces 1.3
}
self 10.10.72.50 {
   netmask 255.255.0.0
   vlan internal
   allow default
}
self 10.10.72.55 {
   netmask 255.255.0.0
   unit 1
   floating enable
   vlan internal
   allow default
}
self 172.28.17.50 {
   netmask 255.255.255.0
   vlan external
}
nat 10.10.70.110 to 172.28.17.55 {
}

[root@bigip01:Active] config b virtual list
No Virtual Servers were found.
[root@bigip01:Active] config b snat list
No SNATs were found.
- Ahhh that's exactly what I was missing.. Makes perfect sense now if you think about it... Using NAT on an LTM is one instance where the LTM isn't considered a full proxy... It does not jump in the middle of the connection.. Hence why you don't need to configure a VS etc for a NAT... It's stateless and will forward on the communication appropriately upon failover.
Thanks for running the tests!