Forum Discussion
Zoltan_101477
Nimbostratus
Dec 07, 2007
Health monitor SNAT
Hi,
I'd like to know if anyone has ever created a custom health check application or script that would be able to test an external system sourcing from a SNAT instead of the self IP of the F5.
The NAT-on-the-firewall solution would not work, as other traffic must not be NAT-ed there, just some specific health checks.
The F5 has private IP addresses on the external vlan.
The router also has a public subnet routed to the F5 external floating address.
So picking one from that public subnet should theoretically be possible.
I'd need this to be icmp and tcp_half_open based if possible.
I think this could be a standard feature of the F5 to specify custom sourcing.
If anyone has done such thing before, please inform me.
Regards,
Zoltan
8 Replies
- The_Bhattman
Nimbostratus
Hi Zoltan,
Is the external system on the public subnet?
/CB
- hoolio
Cirrostratus
I don't think there is a way to specify a source IP address in a default monitor. You might be able to use an external monitor which references a custom script. Using netcat, you could specify a source IP/port. For your specific scenario, I'm not sure how this would work though. The IP you select for the source of the monitor traffic must be an IP that the BIG-IP will ARP for. It will only answer ARPs for IPs it's configured for. So I think you'd need to configure the source IP as a self IP address.
Aaron
- Zoltan_101477
Nimbostratus
Hi,
It's facing towards the external subnets, but not part of it.
It is part of a private subnet, and another public subnet is routed to the floating private IP, so the F5 can have public IP virtual servers and SNATs from the public range.
Regards,
Zoltan
- Zoltan_101477
Nimbostratus
Hi,
Even though the LTM doesn't have the subnet specified as a self IP and VLAN, it has the public subnet routed to it.
I have virtual servers and NAT/SNAT for those IP addresses, and I see the F5 responds to the ARP requests for those addresses.
I just think it would be a good feature to extend the transparent health check type to make it possible to originate from specific IP address other than the self IP.
I tried to use ping, tracepath, traceroute to use a different originating IP address, but it was not possible. I will look into the netcat that you proposed.
Regards,
Zoltan
- The_Bhattman
Nimbostratus
I concur with Aaron. I cannot get the BIG-IP to use a SNAT for the monitors. The only thing I can think of is SNATing on a router or firewall before it hits the external system.
/cb
- Deb_Allen_18
Historic F5 Account
As you have discovered, SNATs & NATs apply only to load balanced traffic.
hoolio is, as usual, right on all counts.
I am wondering though why you can't use the external address and source NAT at the firewall, allowing only internally initiated requests for the external service ports in question? There should be no load balanced traffic sourced from the LTM selfIPs, just system requests like DNS, ssh/ftp outbound by an admin, that kind of stuff.
If you do want to go the external monitor route, this doc will be most helpful:
Click here
If you'd like to pursue this request ("I just think it would be a good feature to extend the transparent health check type to make it possible to originate from specific IP address other than the self IP."), you can open a case with F5 Support and request a CR (change request) be created (or there might already be a CR for it). This isn't a bad idea, so anyone who thinks it would be valuable, open a case to raise its visibility in Dev.
HTH
/deb
- Woland
Nimbostratus
Hi! I got into a situation where the feature mentioned by Zoltan (define a custom source IP for a monitor) would be very helpful. This thread was the only thing I was able to find about this problem. I'm on "bleeding edge" 11.4.1 HF2 LTM running on Viprion vCMP. Maybe somebody has some information about that CR, or even better about a new feature yet unknown to me. Sorry for reopening such an old thread. Thanks!
Peter
For the curious:
- clients > F5 LTM > lots of routers > firewalls > server
- the load balanced servers and the firewalls before them are at a remote location; people there only want to open 1 source IP for the access through those firewalls...
- running a standard VS type and hiding every client request behind 1 SNAT IP which is the same as the VS IP
- jpfino_183435
Nimbostratus
did you get an answer?
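The only route this thread offers is hoolio's: an external monitor that runs a script, with netcat binding an explicit source address, plus the external monitor document Deb points to. As an added example that is not part of the original thread and not F5's own code, here is what such a script can look like in POSIX sh. It follows the calling convention of F5's stock sample external monitor, which I state as an assumption: BIG-IP runs the script with the node address in $1 and the port in $2, exports each variable of the monitor definition into the environment, and marks the node UP if the script prints anything to stdout. The variable names SOURCE_IP, PROBE and TIMEOUT are this example's own, and it assumes a netcat that accepts -s (source address) and -z (connect only) and an iputils ping that accepts -I with an address.

```shell
#!/bin/sh
# Added example (not code from this thread or from F5): an external monitor
# script that sources its probe from an explicit address. Assumed calling
# convention, taken from F5's sample external monitor: node address in $1,
# port in $2, monitor variables exported into the environment, any stdout
# output means UP, silence means DOWN.
#
# Monitor variables this script expects (names are this example's own):
#   SOURCE_IP  address to source the probe from. Per hoolio's point above it
#              must be a self IP the BIG-IP owns, otherwise the bind fails.
#   PROBE      "tcp" (TCP connect to $2) or "icmp" (ping only); default tcp
#   TIMEOUT    seconds to wait for the probe; default 3
#
# Assumes netcat accepting -s and -z and iputils ping accepting -I <address>.

# BIG-IP passes IPv4 nodes as IPv4-mapped IPv6 ("::ffff:10.1.1.5");
# strip that prefix so nc and ping get a plain IPv4 address.
node_addr() {
    case "$1" in
        ::ffff:*) printf '%s\n' "${1#::ffff:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Pidfile used to kill a probe from the previous interval that is still
# hanging, the way the stock sample monitor does (name is an assumption).
pidfile_path() {
    printf '%s\n' "/var/run/$1.$2..$3.pid"
}

# Run one probe from the given source address. Returns 0 on success.
# nc -z completes the TCP handshake and closes, so this matches the tcp
# monitor, not tcp_half_open: a SYN-only probe needs raw sockets (for
# example hping3 or nmap -sS with an explicit source address).
run_probe() {
    src="$1" node="$2" port="$3" mode="$4" timeout="$5"
    case "$mode" in
        tcp)  nc -z -w "$timeout" -s "$src" "$node" "$port" >/dev/null 2>&1 ;;
        icmp) ping -c 1 -W "$timeout" -I "$src" "$node" >/dev/null 2>&1 ;;
        *)    return 2 ;;
    esac
}

main() {
    node=$(node_addr "$1")
    port="$2"
    pidfile=$(pidfile_path "$(basename "$0")" "$node" "$port")

    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1 || true
    fi
    echo "$$" > "$pidfile"

    # Refuse to probe from the default self IP if SOURCE_IP is missing:
    # a misconfigured monitor marks the node down instead of probing from
    # the wrong address.
    if [ -n "${SOURCE_IP:-}" ] && \
       run_probe "$SOURCE_IP" "$node" "$port" "${PROBE:-tcp}" "${TIMEOUT:-3}"; then
        echo "UP"   # any stdout output marks the node up
    fi
    rm -f "$pidfile"
}

# BIG-IP always supplies node and port; run without them (e.g. sourced for
# testing) the script only defines the functions.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

In the monitor definition, point the external monitor at this script and add SOURCE_IP (and optionally PROBE=icmp and TIMEOUT) as monitor variables. Two caveats the thread already raises still hold: the source must be a self IP, as hoolio says, so this does not make a SNAT address from the routed public range usable as a monitor source; and since nc -z completes the three-way handshake, the check is the equivalent of the tcp monitor rather than tcp_half_open.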