Forum Discussion
Issue with SNAT
Hello, I have configured a VIP with a specific SNAT. The SNAT IP is outside the LAN subnet. The VIP works with AUTOMAP, however when a specific SNAT is configured it does not work.
Below is the config of the VIP.
virtual r_vs_agr {
    snat automap
    pool Pool_AGR
    destination 10.155.65.39:https
    ip protocol tcp
    persist persist_sso
    profiles {
        http_sso {}
        r_clientssl_uat-sso {
            clientside
        }
        serverssl {
            serverside
        }
        tcp {
            clientside
        }
        tcp-lan-optimized {
            serverside
        }
    }
    vlans INTERCO enable
}
pool Pool_AGR {
    lb method member observed
    monitor all my_http_GET and tcp_halfopen_8446
    members {
        10.155.51.29:8446 {}
        10.155.51.30:8446 {}
        10.155.51.53:https {}
        10.155.51.54:https {}
    }
}
When I configure SNAT with an IP in the 10.155.70.x range, the VIP becomes inaccessible.
I also checked the routes on the pool nodes and found the default route pointing to my core switches, from which the SNAT IP is accessible with source IP.
I don't understand why it is not working with a specific SNAT if it works with AUTOMAP. Which IP does the VIP use to communicate with the nodes if automap is configured for the VIP?
Regards,
Kalpesh
19 Replies
- What_Lies_Bene1
Cirrostratus
Automap will use the floating Self IP of the VLAN used to communicate with the Pool Members.
What configuration are you using when you assign a specific SNAT IP? Can you post that too?
Regarding routing, are you sure the return traffic is being routed back to the F5 when you use the specific IP? That's normally where the issue lies. Without understanding the VLAN and routing infrastructure further it's hard to comment more.
- Kalpesh_48932
Nimbostratus
SNAT is 10.155.70.144.
I checked the trace for this IP from the server and found traffic pointing correctly to the core switches, but then it's not going to the F5.
[cas@A92SV00498AGR ~]$ traceroute 10.155.48.84 -p 443
traceroute to 10.155.48.84 (10.155.48.84), 30 hops max, 40 byte packets
1 10.155.51.2 (10.155.51.2) 1.046 ms 1.023 ms 1.008 ms
2 10.155.48.84 (10.155.48.84) 0.665 ms 0.653 ms 0.601 ms
[cas@A92SV00498AGR ~]$ traceroute 10.155.70.144 -p 443
traceroute to 10.155.70.144 (10.155.70.144), 30 hops max, 40 byte packets
1 10.155.51.3 (10.155.51.3) 0.841 ms 0.813 ms 0.798 ms
2 * * *
I have a route on the core switches for the SNAT IP:
ip route 10.155.70.144/32 10.155.48.84
10.155.70.144/32, ubest/mbest: 1/0
*via 10.155.48.84, Vlan234, [1/0], 3w4d, static
Still it does not work.
- What_Lies_Bene1
Cirrostratus
And is 10.155.48.84 a floating Self IP on the F5, on VLAN234?
- nitass
Employee
[cas@A92SV00498AGR ~]$ traceroute 10.155.48.84 -p 443
traceroute to 10.155.48.84 (10.155.48.84), 30 hops max, 40 byte packets
1 10.155.51.2 (10.155.51.2) 1.046 ms 1.023 ms 1.008 ms
2 10.155.48.84 (10.155.48.84) 0.665 ms 0.653 ms 0.601 ms
[cas@A92SV00498AGR ~]$ traceroute 10.155.70.144 -p 443
traceroute to 10.155.70.144 (10.155.70.144), 30 hops max, 40 byte packets
1 10.155.51.3 (10.155.51.3) 0.841 ms 0.813 ms 0.798 ms
2 * * *
Why is the first hop different (10.155.51.2 and 10.155.51.3)?
- Kalpesh_48932
Nimbostratus
@Steve
"And is 10.155.48.84 a floating Self IP on the F5, on VLAN234?"
Yes..
@Nitass
It's OK. I have a route on both the core server for the SNAT IP. Even if the packet goes to 10.155.51.2 it is unreachable.
[cas@A92SV00499AGR ~]$ traceroute -p 443 10.155.70.144
traceroute to 10.155.70.144 (10.155.70.144), 30 hops max, 40 byte packets
1 10.155.51.2 (10.155.51.2) 2.223 ms 2.194 ms 2.180 ms
2 * * *
- nitass
Employee
"When I configure SNAT with an IP of 10.155.70.x range VIP becomes non accessible."
How did you configure the SNAT? Would you mind posting the SNAT configuration you used?
- What_Lies_Bene1
Cirrostratus
@Nitass, I assume the first hop difference is just a HSRP thing.
- Kalpesh_48932
Nimbostratus
@Nitass, right now I have kept SNAT as automap, and I have configured the SNAT in the SNAT pool list, and from there I am calling it in the VIP.
I tried the command line to get the config of the SNAT but it gives me an error that no such SNAT is configured.
- nitass
Employee
"i have configured snat in snat pool list...and from there i am calling it in VIP."
That should be correct already.
Do you remember, when using the snatpool, can you ping the snatpool IP from the server?
When you test it again, would you mind also running tcpdump on the BIG-IP to see what is going on?
e.g.
tcpdump -nni 0.0 -s0 host 10.155.65.39 or host 10.155.70.144
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 10.155.65.39 or host 10.155.70.144
- Kalpesh_48932
Nimbostratus
Can you please confirm the command to verify the SNAT config?
I tried
bigpipe snat
No result. It may be because I have not assigned this SNAT to any VIP.