Forum Discussion

spud_141786
Mar 25, 2014

evaluating Automap port usage

One drawback of using Automap is source TCP port exhaustion. Is there a convenient way to view the "high water mark" for Automap source port usage for a specific self IP address?

 

  • Since the floating IP is typically the same, the max. concurrent connections on the system, or on the specific VIP or virtual, will give you the potential SNAT usage.

    For example, if all your virtuals use automap and the system is doing 60K concurrent connections, then quite likely you could run into SNAT port exhaustion.

    I typically set up each virtual with a 1-IP SNAT pool and set the SNAT port setting to "preserve". This provides a quick way to chain the server-side connection to the client-side connection using the src port (of course assuming the src port was preserved ;-) but with a 1-IP SNAT pool this seems to be the case more often than not!).

    Best.

     

  • Statistics seem to show the current connection count on SNATs, SNAT pools, SNAT translations and NATs. But I don't see anything that shows the connection count on the AutoSNAT, i.e. the floating self IP.

     

  • The rule of thumb is 60k concurrent connections per SNAT pool member. Just keep an eye on your connection counts and always build your configuration so that the box tips over before the max of your configuration is reached.

    Keep in mind that multiple virtual servers using SNAT automap means you have to aggregate your connection counts across the applications. There are easy ways to see these connection counts via the TMUI (in Statistics) or from the command line.

    IPs tend to come cheaply; when in doubt, build larger than needed.

     

  • Same way, I guess: aggregating the connection count via SNMP on the server-side VLAN.

    But a SNAT pool can contain multiple IPs while automap only uses the floating IP of the VLAN facing the server, so I reckon it's better to add enough SNAT pool members to be sure that you never have to care.

    But if you want a simple way of ensuring that you don't run out, you could use the server-side connection count item in the F5 SNMP library and monitor that.

    /Patrik

     

  • Interesting question. I was thinking about using tables, adding/removing unique instances of TCP::server_port during the SERVER_CONNECTED and SERVER_CLOSED events and then sending a warning via an outbound call (also via an iRule), but I think the answer could be simpler. :)

    You could always monitor the connections to the pool members that the self IP communicates with via SNMP and aggregate them in a graph.

    In my case though I did not want to risk ever running out, so I took the maximum connections, multiplied it by 10, added that to a SNAT pool and used that instead of automap. Internal IPs are free after all. :)

    /Patrik
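The replies above all come down to the same procedure: aggregate server-side connections per translation address (the floating self IP under automap, or each SNAT pool member) and watch the total against the ~60k-per-address rule of thumb. The script below is an added example, not code from this thread or from F5, showing one way to do that from the command line by parsing the output of `tmsh show sys connection`. The column layout it assumes (clientside client, clientside virtual, serverside translation address, serverside pool member, protocol, idle time, tmm) and the sample output are constructed; check the layout against your own BIG-IP version before relying on it, and treat the 60000 default limit as the thread's rule of thumb rather than a platform guarantee.

```python
"""Aggregate server-side (SNAT / automap) connection usage per translation
address from `tmsh show sys connection` output on an F5 BIG-IP.

Added example; the tmsh column layout below is an assumption, not a
documented format, and the sample output is constructed for illustration."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample output. The last data line is deliberately malformed so
# the parser's skip path is exercised.
SAMPLE = """\
Sys::Connections
192.0.2.10:51000  198.51.100.5:443  10.0.0.254:51000  10.0.0.11:8443  tcp  12  (tmm: 0)
192.0.2.11:40001  198.51.100.5:443  10.0.0.254:40001  10.0.0.11:8443  tcp  3  (tmm: 1)
192.0.2.12:40002  198.51.100.5:443  10.0.0.254:40002  10.0.0.12:8443  tcp  7  (tmm: 0)
192.0.2.13:22222  198.51.100.6:80  10.0.0.254:22222  10.0.0.21:8080  tcp  1  (tmm: 1)
192.0.2.14:33333  198.51.100.6:80  10.0.1.250:33333  10.0.1.21:8080  tcp  0  (tmm: 0)
192.0.2.15:44444  198.51.100.7:443  (no server side yet)
Total records returned: 6
"""

# Assumed layout: four "ip:port" endpoints followed by the protocol.
ENDPOINT = r"(\S+):(\d+)"
LINE_RE = re.compile(
    rf"^\s*{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s+(\w+)")


def parse_connections(text):
    """Return one dict per well-formed connection line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "client": (m.group(1), int(m.group(2))),
            "virtual": (m.group(3), int(m.group(4))),
            "snat": (m.group(5), int(m.group(6))),      # translation address
            "member": (m.group(7), int(m.group(8))),    # pool member
            "proto": m.group(9),
        })
    return rows


def snat_usage(rows):
    """Per translation address: total server-side connections, distinct
    ephemeral ports in use, and the busiest (member ip, port) destination."""
    total = Counter()
    ports = defaultdict(set)
    per_member = defaultdict(Counter)
    for r in rows:
        snat_ip, snat_port = r["snat"]
        total[snat_ip] += 1
        ports[snat_ip].add(snat_port)
        per_member[snat_ip][r["member"]] += 1
    report = {}
    for ip, count in total.items():
        member, member_count = per_member[ip].most_common(1)[0]
        report[ip] = {
            "connections": count,
            "distinct_ports": len(ports[ip]),
            "busiest_member": member,
            "busiest_member_connections": member_count,
        }
    return report


def over_threshold(report, limit=60000, warn_fraction=0.8):
    """Addresses at or above warn_fraction of the per-address limit
    (60k is the rule of thumb quoted in the thread, not a measured value)."""
    return sorted(ip for ip, s in report.items()
                  if s["connections"] >= limit * warn_fraction)


def update_high_water(state, report):
    """Fold one snapshot into state (ip -> highest count seen). Run snapshots
    periodically, e.g. from cron, to obtain the high-water mark the question asks for."""
    for ip, s in report.items():
        state[ip] = max(state.get(ip, 0), s["connections"])
    return state


if __name__ == "__main__":
    # Read real output from a pipe if present, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report = snat_usage(parse_connections(text))
    for ip, s in sorted(report.items()):
        m_ip, m_port = s["busiest_member"]
        print(f"{ip}: {s['connections']} conns, {s['distinct_ports']} ports, "
              f"busiest member {m_ip}:{m_port} ({s['busiest_member_connections']})")
    print("near limit:", over_threshold(report))
```

On the box itself this would typically be run as `tmsh show sys connection | python3 snat_usage.py`; to keep a high-water mark over time, call `update_high_water` on each snapshot and persist the state between runs. Note that automap traffic and SNAT pool traffic both appear under their translation address, so the same grouping covers both configurations discussed in the thread.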