
Forum Discussion

joek_44162
Nov 12, 2013

Disabling Snat

Hello,

I have a question about disabling SNAT on a virtual server. Currently in this environment, when there is a need to disable SNAT, we point the gateway on the server to use the F5 floating self IP. On the router for this subnet, we add a host route back to the F5 floating self IP for the server. For the non-load-balanced traffic we use a virtual forwarding server like this.

profile fastL4 FastL4_no_Idle_Timeout_Indefintie {
    defaults from fastL4
    idle timeout indefinite
    tcp close timeout indefinite
}
virtual forward {
    ip forward
    destination any:any
    mask 0.0.0.0
    profiles FastL4_no_Idle_Timeout_Indefintie {}
}

My question is, if the forwarding VIP profile is changed to allow asymmetric connections as shown below, will this remove the need to route all client traffic back to the F5 floating self IP? Would there no longer be a need to add a static route for this server in the router?

profile fastl4 test {
    defaults from fastL4
    loose-initialization enabled
    loose-close enabled
    reset-on-timeout disabled
}

1 Reply

The most obvious response is that you should change your topology so that the server and F5 are in one subnet (with the F5 the default route for the server), and the F5/router in another subnet, with the router the default route for the F5, and a network route to the server subnet pointing to the F5, on the router.

To answer the question you actually asked, I think yes, that will work, although you have to try it in your particular network. This is because the router will get ARP responses for the server IP from the server MAC, but will see incoming packets from the server IP with another MAC (the F5). This may confuse some router types or those that have some sort of security lockdowns (like IP Source Guard). I would seriously consider changing your topology if that's possible.

Also, be careful about "timeout indefinite" settings - they can lead to the session table filling up with zombie sessions.
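As an added illustration (not code from the original post or from F5), here is a small Python model of a stateful L4 flow table. It shows why a device that only sees the server's side of a connection (the client's SYN arrived via the router) drops that traffic unless loose initiation is enabled, how loose close tears the entry down on a FIN/RST, and how an indefinite idle timeout leaves entries behind. The addresses are constructed and the strict/loose rules are a simplification, not BIG-IP's implementation.

```python
"""Illustrative model of a stateful L4 flow table (written for this page, not BIG-IP code):
effect of loose initiation, loose close and idle timeout on one-directional traffic."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN", "ACK"})
    t: float            # arrival time in seconds

@dataclass
class FlowTable:
    loose_init: bool = False
    loose_close: bool = False
    idle_timeout: Optional[float] = 300.0       # None models "idle timeout indefinite"
    flows: dict = field(default_factory=dict)   # flow key -> last-seen time
    @staticmethod
    def key(p: Packet) -> frozenset:
        return frozenset((p.src, p.dst))        # same key for both directions of a flow
    def expire(self, now: float) -> None:
        if self.idle_timeout is None:           # indefinite: entries are never aged out
            return
        for k in [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]:
            del self.flows[k]
    def handle(self, p: Packet) -> str:
        """Return 'forward' or 'drop' for a packet and update the table."""
        self.expire(p.t)
        k = self.key(p)
        if k in self.flows:
            if self.loose_close and p.flags & {"FIN", "RST"}:
                del self.flows[k]               # tear down on a FIN/RST from either side
            else:
                self.flows[k] = p.t
            return "forward"
        # New flow: strict mode admits only a pure SYN; loose initiation admits any packet
        if p.flags == {"SYN"} or self.loose_init:
            self.flows[k] = p.t
            return "forward"
        return "drop"

def server_side_only(loose_init: bool, loose_close: bool, idle_timeout: Optional[float] = 300.0) -> tuple:
    """Only the server's replies pass the device; returns (SYN/ACK verdict, FIN verdict, flows left after 1h)."""
    ft = FlowTable(loose_init=loose_init, loose_close=loose_close, idle_timeout=idle_timeout)
    srv, cli = "10.0.0.20:80", "198.51.100.7:40000"   # constructed sample addresses
    synack = ft.handle(Packet(srv, cli, frozenset({"SYN", "ACK"}), 0.0))
    fin = ft.handle(Packet(srv, cli, frozenset({"FIN", "ACK"}), 1.0))
    ft.expire(3600.0)                                  # what is left an hour later
    return synack, fin, len(ft.flows)
```

With strict settings the first SYN/ACK is dropped because no SYN was ever seen; with loose initiation it is forwarded, and only an idle timeout (or loose close) ever removes the entry.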