AhmedMS
Dec 24, 2023

F5 LTM question automap

Dears,

A simple question:

Could you please advise when to use automap? (Automap use cases)

Thank you

5 Replies

  • Basically SNAT automap translates the source (client) IP when it egresses out to the backend server. It uses any available self IP addresses assigned to the egress VLAN.

    We do have a solution article talking about SNAT features, you may refer to the following:
    K7820: Overview of SNAT features 

  • Hello,

    Generally SNAT is a feature server guys do not like (it hides real client IP addresses in server logs).

    SNAT is configured whenever your servers' default route does not pass through your BIG-IP; in this case you have to change the client source IP address to the F5 floating self IP to force the server to return traffic back to your BIG-IP.

    Hope this helps.

    Regards

    • zamroni777

      But without SNAT, OneConnect won't be possible.
      I have seen a big customer get downtime (server overwhelmed) without connection pooling like OneConnect.

  • AhmedMS I think it's better to list the instances that you shouldn't use automap and instead use a SNAT pool.

    1. If you have a high connection virtual server or F5 LTM. The reason for this is it will exhaust the ephemeral ports on the F5's self IP, which is what is used for health monitors and a few other things.
    2. If you need to differentiate specific VS traffic from traffic originating from the F5 such as health monitors and anything else it would use the self IP for.

    Aside from those two I can't think of any other reason you wouldn't want to use automap.

  • SNAT automap uses the egress VLAN interface IP. By establishing a SNAT pool and attaching it, you can control what IP this translates to.

    For the Client->F5->Server, consider these scenarios:

    Routed: client source address goes to the server. Routes are necessary back through BIG-IP on the servers or the servers' gateway.

    SNAT Automap: client source is managed on BIG-IP, source is translated to a self IP on the egress interface heading toward the servers. For servers needing the source IP for reporting or decision processes, it must be inserted in an application header or possibly in TCP options.

    SNAT Pool: client source is still managed on BIG-IP, but source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application so I know what flows belong to what application on the inside of the organization/DMZ as appropriate. If traffic isn't necessary to come back through the BIG-IP, you can also SNAT to the original client's source IP.

    The SNAT automap feature may not use the intended translation address if a floating self IP is not available on the egress VLAN, or the floating self IP address was originally a static self IP address.

    The SNAT Automap feature selects a translation address from the available self IP address in the following order of preference:

    Floating self IP addresses on the egress VLAN
    Floating self IP addresses on different VLANs
    Non-floating self IP addresses on the egress VLAN
    Non-floating self IP addresses on different VLANs


    Note: When there are multiple self IP addresses on the egress VLAN, the BIG-IP system alternates the addresses using a load balancing selection similar to the Least Connections load balancing method.

    The selection of a floating self IP as translation address on a VLAN other than the egress VLAN is intended to avoid disruption in a high availability (HA) failover scenario. However, depending on the network routing configuration, selection of a self IP other than the egress VLAN may cause traffic disruption. F5 recommends that you ensure that you have configured floating self IP addresses on all VLANs from which you expect SNAT traffic to egress. Alternatively, you can mitigate the issue by using a SNAT pool with an IP address on the egress subnet VLAN as a member for the SNAT pool.

    F5 iHealth will list Heuristic H698361 on the Diagnostics > Identified > Medium page if SNAT Automap is configured and a VLAN is configured without a floating self IP address. For VLANs that do not require a floating self IP address, such as VLAN dedicated as an HA VLAN, you can safely disregard the heuristic warning.

    Important: SNAT Automap does not use non-floating self IP addresses that have been re-configured as floating self IP addresses. To convert a non-floating self IP address to become a floating self IP address for use with SNAT Automap, delete the non-floating self IP address first and then re-add the same self IP address as a floating self IP address. To delete the non-floating address from that VLAN, you must configure at least one other non-floating IP address on the associated VLAN.

    Note: In BIG-IP 10.x, a floating self IP address is designated by selecting the Floating IP check box on the self IP address properties page. In BIG-IP 11.x and later, a floating self IP address is designated by selecting a floating traffic group on the self IP address properties page.

    Hope this will Help

    🙏
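
The Automap preference order quoted in the last reply, modelled as an added example that is not part of the original thread and is not F5 code. The `SelfIP` type, function names and addresses are constructed for illustration; the model covers only the four-tier order and the missing-floating-self-IP condition, not the Least Connections alternation or the re-configured-as-floating exception.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SelfIP:
    address: str
    vlan: str
    floating: bool


def preference_rank(sip, egress_vlan):
    """Tier per the order quoted in the thread (0 = most preferred)."""
    on_egress = sip.vlan == egress_vlan
    if sip.floating:
        return 0 if on_egress else 1
    return 2 if on_egress else 3


def automap_candidates(self_ips, egress_vlan):
    """Self IPs in the best populated tier for this egress VLAN."""
    if not self_ips:
        return []
    best = min(preference_rank(s, egress_vlan) for s in self_ips)
    return [s for s in self_ips if preference_rank(s, egress_vlan) == best]


def vlans_without_floating(self_ips):
    """VLANs with self IPs but no floating one, the condition the
    thread says iHealth heuristic H698361 reports."""
    vlans = {s.vlan for s in self_ips}
    with_floating = {s.vlan for s in self_ips if s.floating}
    return sorted(vlans - with_floating)


# Constructed sample inventory: only the external VLAN has a floating self IP.
SELF_IPS = [
    SelfIP("10.1.10.2", "external", False),
    SelfIP("10.1.10.1", "external", True),
    SelfIP("10.1.20.2", "internal", False),
    SelfIP("10.1.30.2", "ha", False),
]

if __name__ == "__main__":
    for vlan in ("external", "internal"):
        picks = automap_candidates(SELF_IPS, vlan)
        print(vlan, "->", [(p.address, p.vlan) for p in picks])
    print("no floating self IP:", vlans_without_floating(SELF_IPS))
```

For egress on `internal`, the model picks the floating address on the `external` VLAN ahead of the non-floating `internal` one, which is the case the reply warns can disrupt traffic depending on routing.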