Forum Discussion

marlon_Gino-gi1
Dec 28, 2006

conditional snat with multiple gateway

The LTM box is set up with multiple gateways. What we need is for our internal network that sits behind the LTM to SNAT to different IPs, so that it can use the SNAT address defined for the secondary link once the primary link goes down. The issue here is that ICMP pings to external sites are timing out whenever the primary link goes down and the secondary link becomes active; we can no longer ping certain sites on the external network using the secondary link. It seems that the LTM box is still using the SNAT address on the primary link to reach the external sites. What we want is for the iRule to use the secondary SNAT address once the primary link goes down.

Here's my setup:

internal network : 192.168.5.0 /24
external network1 : 203.131.1.0 /24
external network2 : 222.126.20.0/24

gateway address :
external network1 : 203.131.1.1
external network2 : 222.126.20.1

  • Hi,

    You can try out this iRule. Happy trying and happy new year.

    -----------------------------------------------------------------------------
    when LB_FAILED {
        if { [LB::status pool gateway_pool member 203.131.1.1] eq "down" } {
            snat 222.126.20.10
        } else {
            snat 203.131.1.10
        }
    }
    -----------------------------------------------------------------------------

    Assign this iRule to your wildcard virtual server.

    In this iRule, I assume that 222.126.20.10 will be your external network2 SNAT IP address and 203.131.1.10 will be your external network1 SNAT IP address.

    If F5 detects that your gateway_pool member for external network1 is down, it will SNAT using the external network2 IP address.

    regards,
  • Hello KKY,

    When I tried to create the iRule that you suggested, I am getting error messages:

    01070151:3: Rule [test1] error:
    line 2: [wrong args] [LB::status pool gateway_pool member 203.131.1.1]

    hoping for your reply
  • Hi,

    Sorry, I missed something. You can try this one.

    ------------------------------------------------------------------------------------
    when LB_FAILED {
        # LB::status takes the member's port as well as its address (port 0 for a gateway pool)
        if { [LB::status pool default_gw_pool member 60.51.217.105 0] eq "down" } {
            snat 222.101.1.1
        } else {
            snat 203.131.1.10
        }
    }
    ------------------------------------------------------------------------------------

    regards,
  • G__Wesley_Rober
    Hi,

    It isn't clear how your current SNAT is defined, but LTM has a baked-in feature to do exactly what you describe: SNAT auto-map. Designed for the BIG-IP Link Controller product for load balancing ISP links, it will SNAT to the self IP (or SNAT pool member) of the egress VLAN.

    The simplest mechanism for killing "stale" connections already pinned to the downed link would be to set the TCP profile timeouts as low as possible. If you really had to apply treatment to existing connections, you might want to look into the LB::reselect iRule command.

    Regards,

    Wes
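Putting KKY's SNAT-selection iRule and Wes's LB::reselect hint together, here is an added example iRule (written for this thread, not code from any of the posts above) that sets the SNAT address from whichever gateway LTM actually selected, so the source address always matches the egress link. The gateway addresses come from the original question; the SNAT addresses 203.131.1.10 and 222.126.20.10 follow KKY's assumption, and a monitored gateway pool on the wildcard virtual server is assumed.

```tcl
# Added example, not from the thread. Assumes a wildcard (forwarding) virtual
# server whose default pool holds the two gateways from the question, each with
# a monitor attached. SNAT addresses follow KKY's assumption (x.x.x.10).
when LB_SELECTED {
    # Pick the SNAT address that belongs to the link LTM just chose, so the
    # source address is never the one tied to a downed link.
    switch -exact -- [LB::server addr] {
        203.131.1.1 {
            snat 203.131.1.10
        }
        222.126.20.1 {
            snat 222.126.20.10
        }
        default {
            # Unknown gateway: use the egress self IP rather than a stale address
            snat automap
        }
    }
}

when LB_FAILED {
    # The selected gateway could not be reached: choose another pool member,
    # which raises LB_SELECTED again so the SNAT address is re-evaluated.
    LB::reselect
}
```

When the monitors already mark the dead gateway down, the LB_SELECTED part alone keeps new connections on the live link's SNAT address, and LB_FAILED only covers the window before the monitor notices. Connections already pinned to the downed link still need the short TCP profile timeouts Wes describes.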