Forum Discussion
Logan_Ramirez_5
Nimbostratus
Nimbostratusconditional SNAT
We have a relatively simple environment: two data centers, one web server in each, one bigip in each. Basic pool in each office for web servers consists of (a) local web server and (b) other data center virtual server containing the other web server.
So, if local web down --> send to BIGIP in other DC to get serviced.
Recently, however, deployed an MPLS network with a couple of additional routers which has stopped this functionality from working (because I cannot, or do not know, how to get all of those routers to change their default gateway based on a web server failure).
While I could solve this by SNATTING all requests to the web server (the issue is the return path to the customer does not make it out because of incorrect default gateways in all intermediate routers), we use the IP logs for security auditing, etc.
What would be great is if when a external web request gets serviced by BIGIP, if it send the packet to the local web server, it does not SNAT, however, if it needs to send it to the other web server in the 2nd DC, it SNATS.
Being fairly new to iRules, I have no idea how to write this...would love some help...
Logan_Ramirez_5Indeed, that search tool is very useful and I have been doing some excellent reading, many posts by yourself (Colin), however, I suppose I left off some data:
Client are accessing a VIP of 192.168.199.100, however, the servers themselves are 192.168.197.100 (local) and 192.168.198.100 (remote behind BIGIP in other DC).
So all requests are going to the VIP and I need to make a SNAT decision (using the interface on the BIGIP as the Source-NAT'ed address) based on whether it's going to the local 197 server or the remote 198 one.
What about
when LB_SELECTED {
if { [IP::addr [IP::remote_addr] equals "192.168.198.100"] } {
snat automap
}
}
we are on 9.1
Thank you!!- Logan_Ramirez_5While I am not sure how you inserted the HTML link (is it just the commands?), the link you sent sounded exactly like the issue I am having, however, there was no resolution on it! Some very good steps were taken (most of which I repeated on my box), but still not working like we need it to.
Interestingly, I did not get my logs to show the file, either...
The last one I tried was (a) enabling SNAT, (b) lowering the level of rule validation, and (c) applying the rule belowwhen LB_SELECTED { if {[IP::addr [IP::remote_addr] equals "192.168.197.0/24"]} { LB:reselect snat none log "In LB_SELECTED, using server:" log [IP::remote_addr] } }
but still seeing the SNAT (automap) when it selects the local server, 197.100... - Logan_Ramirez_5Leveraging the LOGs and considering that perhaps my logic is bad (that is, the SNAT may not be failing, but actually just not applying to the condition I set, because the remote_addr variable I am expecting is ACTUALLY something different), I set up this rule:
when LB_SELECTED { if {[IP::addr [IP::client_addr] equals "192.168.1.1"]} { log "remote_addr: [IP::remote_addr]" log "local_addr: [IP::local_addr]" log "client_addr: [IP::client_addr]" log "server_addr: [IP::server_addr]" } }
Where I am coming from 192.168.1.1, what I see in the LOG is:Rule test_snat : remote_addr: 192.168.1.1 Rule test_snat : local_addr: 192.168.201.100 Rule test_snat : client_addr: 192.168.1.1 TCL error: Rule test_snat - Error: No serverside connection established (line 5) invoked from within "IP::server_addr"
Any reason why nothing is coming back for IP::server_addr? Per discussion thread 4284 (where I picked up these 4 variables), I would have expected the server_addr to be my pool member.
Incidentally, the session does not connect with this rule applied.
I am thinking the issue now, the reason it is still SNATing, is it is not actually falling under the logic.
This is where discussion thread 4686 essentially leaves off...
agh!!
Help appreciated. - The reason you're not seeing anything set for IP::server_addr is just like it says in the rule, there is no server side connection established.
Since you're logging these variables in the LB_SELECTED event, you are trying to log the server_addr just before the rule makes a connection to the server.
Try changing the event from LB_SELECTED to SERVER_CONNECTED and the variable should be filled out.
-Colin - Logan_Ramirez_5Ok, changed the iRule to:
when SERVER_CONNECTED { set client 192.168.1.1 if {[IP::client_addr] == $client} { log "local_addr: [IP::local_addr]" log "remote_addr: [IP::remote_addr]" log "client_addr: [IP::client_addr]" log "server_addr: [IP::server_addr]" } }
and submitted command from client and it did not connect (if I remove the irule, it connects okay) and now the log show this:Dec 9 08:57:28 tmm tmm[703]: 01220001:3: TCL error: Rule test_snat - Error: No connection established IP::client_addr needs an established connection! (line 2) invoked from within "IP::client_addr"
I am really confused now...
the virtual:virtual test_snat { destination 192.168.201.100:any snat automap pool test_snat_pool rule test_snat vlans internal enable }
the pool:pool test_snat_pool { min active members 1 monitor all gateway_icmp member 192.168.197.100:any priority 12 member 192.168.198.100:any priority 5 monitor none }
Again, 197 is local, 198 is remote, but right now, with this iRule on the VS, it does not connected. Remove the iRule, connects. Of course, still have not solved the conditional SNAT we desire.
Thanks, F5. I am, at the very least, enjoying the learning process...admittedly, frustrated, but hoping we will get there...
-Logan - JRahm
Admin
Some other alternatives in the event you can't get this working.
1) Snat always and insert the client information into a header that you can then extract on your webservers
2) Snat always and log client info on the BigIP and send to a syslog server where the information can be extracted
3) Use another approach with iRules that involves redirects to the other datacenter if the server selected was not local. Insert a cookie with the other datacenter's server information so the other BigIP will evaluate the cookie and send the connection immediately to that server, circumventing the load balancing decision and avoiding potential redirection loops. - Logan_Ramirez_5Thanks.
Admittedly, a rookie at this, it's going to take some learning to figure out how to do any of those!
I appreciate the suggestion.
I am still very interested in getting the correct information passed to begin with, that is, why even deal with inserting header information, etc, when it seems as if we should be able to solve the original issue I posted! - Logan_Ramirez_5Ok, tried this rule, but do not see anything different in my IIS logs:
when HTTP_REQUEST { log "CLIENT_ADDR added as IP - [IP::client_addr]" HTTP::header insert client [IP::client_addr] }
The connection gets made, the packet gets SNATTED, the correct IP (client) shows up in the /var/log/ltm, but can't find the 411 in the IIS log (I am logging everything in ISS on that web service).
Thoughts?
??? - Logan_Ramirez_5Good morning, F5...
Still hoping to find some answers on this issue through this forum...I feel like I have exhausted my knowledge, but still have been unable to get this to work...
Maintining hope... - Try using [LB::server addr] in LB_SELECTED.
