Forum Discussion

Austin_Geraci's avatar
Austin_Geraci
Icon for MVP rankMVP
Nov 29, 2010

Are open NAT connections maintained upon failover?

I heard someone say by default open NAT connections are maintained when a failover occurs in a HA pair..

 

 

I can't find any doc referencing this online.. Any insight?

 

 

Thanks!

 

config
design
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Nov 29, 2010
    From what I can see, SNAT and Virtual Server connections are mirrored.

     

     

    https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7222.html
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Nov 30, 2010
    Yep I found the same thing.. I don't have a HA pair I can test this on right now...

     

     

    Can someone from F5 chime in or someone who could test this??

     

     

    Thanks!
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Nov 30, 2010
    i'm getting stuck on some test. anyway, if no one is available, i may be able to test it tomorrow - here is about 10:30pm now.

     

     

    what tmos version would u like to test?

     

    can u explain a bit more what u want to verify?
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Nov 30, 2010
    Thanks anything 10x is fine...

     

     

    Specifically I'm trying to prove if NAT connections are maintained on a standby unit in a HA pair by default... upon failover the connections should be maintained...
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Nov 30, 2010
    Thanks anything 10x is fine...

     

     

    Specifically I'm trying to prove if NAT connections are maintained on a standby unit in a HA pair by default... upon failover the connections should be maintained...
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Nov 30, 2010
    will do and update u all.

     

     

    anyway, imo, it should work.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 01, 2010

    since nat is stateless, i think we don't need mirroring.

     

     

    i tested on 10.2.0. SSH and FTP survived after failing over. I didn't use mac masquerade.

     

     

    BIG-IP Version 10.2.0 1707.0

     

    Final Edition

     

    vlan external {

     

    tag 4093

     

    interfaces 1.1

     

    }

     

    vlan internal {

     

    tag 4094

     

    interfaces 1.3

     

    }

     

    self 10.10.72.50 {

     

    netmask 255.255.0.0

     

    vlan internal

     

    allow default

     

    }

     

    self 10.10.72.55 {

     

    netmask 255.255.0.0

     

    unit 1

     

    floating enable

     

    vlan internal

     

    allow default

     

    }

     

    self 172.28.17.50 {

     

    netmask 255.255.255.0

     

    vlan external

     

    }

     

    nat 10.10.70.110 to 172.28.17.55 {

     

    }

     

    [root@bigip01:Active] config b virtual list

     

    No Virtual Servers were found.

     

     

    [root@bigip01:Active] config b snat list

     

    No SNATs were found.

     

  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Dec 01, 2010
    Ahhh that's exactly what I was missing.. Makes perfect sense now if you think about it... Using NAT on an LTM is one instance where the LTM isn't considered a full proxy... It does not jump in the middle of the connection.. Hence why you don't need to configure a VS etc for a NAT... It's stateless and will forward on the the communication appropriately upon failover.

     

     

    Thanks for running the tests!