Forum Discussion
Xylene_UK_11374
Nimbostratus
NimbostratusLTM9.4.6:- snat pool with 2 ISP links question
I would like to know how to set up the following:-
backend servers are mail relays / servers who make many DNS lookups, so many that the normal snat automap exhausts all ports.
I have2 links (isps available)
So my plan is to create a new virtual server on an internal IP address.
This vip will have a pool with a single member, the external DNS server (reachable via both isp links)
and then create a snat pool on the virtual which will have 2 IP addresses from each of the 2 subnets / links
Now the question is once the client IP has been snatted with one of the pool members, how does it know how to route out to the correct link?????
It will use the default gateway pool, but will it be 50 / 50 on getting the right gateway ???
DNS_VIP_UDP
10.159.144.120:53
protocol: UDP
protocol profile: udp_gtm_dns
SNAT_pool: DNS_SNAT
default pool: DNS_POOL
DNS_VIP_TCP
10.159.144.120:53
protocol: TCP
protocol profile: tcp_gtm_dns
SNAT_pool: DNS_SNAT
default pool: DNS_POOL
DNS_POOL
members: x.y.4.12:53
DNS_SNAT
4.xx.218.220
4.xx.218.221
12.yy.149.20
12.yy.149.21
-------------
My current routes has a default to a pool with the two ISP router IP.
4.xx.21.132 and 12.yy.149.4
Anyone give me a clue how to work around this with a rule or have any other idea's
Thanks
Xyleneuk
- dennypayne
Employee
Hi Xyleneuk,
LTM should automatically pick the locally-connected gateway for whichever SNAT is used. Similar to auto lasthop but in the other direction.
Denny 
Xylene_UK_11374Hi Denny thanks for the speedy reply...much appreciated.
Xyleneuk
Bob_Cox_10935Denny,
love your avatar. I track an 85 911.
my doubt/uncertainty about your reply is how the F5 "automatically pick the locally-connected gateway".
how will the F5 know this? my default route is to a pool with the two ISP routers' IP addresses. if the F5 intends to SNAT from the 12... but the ISP POOL returns the 4... address?- Bob_Cox_10935Denny.
I am with Ohio Valley (OVR). my last DE was midohio in april.
"Maverick"?
semi-daily driver an 84 928S or my Ford F150 for bad weather days.
I can believe the F5 will sort this out. but considering the need to coordinate changes with both internal and our external service provider, don't want to just 'try it'.
are you saying you have implemented somethink similar to this? thanks again for the replies - Bob_Cox_10935Denny,
the other idea I am considering is configuring more floating IP on these interfaces. then SNAT automap will have a 'pool'. but would prefer to do the VIP thing, since I also want to reduce the UDP timeout. my problem is driven by a high number of DNS rejects and the default UDP timeout appears to be 300sec. my applic team tells me these DNS rejects are expected and not easily eliminated. - dennypayneMaverick = Dallas Metroplex region of PCA - mav.pca.org
Yes I have implemented this configuration many times with no issue, in fact the whole functionality of Link Controller (which is basically LTM/GTM lite) depends on this.
You shouldn't need a SNAT pool unless you have enough traffic to exhaust all the ephemeral ports on one IP address (65535).
Denny - Bob_Cox_10935Denny,
which approach have you implemented? mult floating IP for autosnat or a vip/pool with snatpool? I have done snatpool several times, but not a snatpool wiith IP on different VLANs.
exhausting the ephmeral ports is my problem. very high volume environement. since the timeout default is so high, these F5s are exhausting the snat ports on both self IP.
thanks again. starting to make me feel better about resolving our issue. - dennypayneHi Bob,
I haven't implemented multiple floating IP's for autosnat, I would probably go with the snatpool. Either way should work though.
Denny - Bob,
Did you consider lowering the UDP timeout for the snat translation addresses used in a SNAT pool? Yes the default is 300s - for UDP, I'd bump this way down - that way, connection flows go away sooner and you don't exhaust your ephemeral ports. - Bob_Cox_10935cpp999,
as far as I know, the default UDP timeout cannot be changed for autosnat. but when I create a VIP/POOL/SNATPOOL I will create a custom UDP/TCP profile and lower the timeouts.
thanks for the comment. once we make the change, I'll post the results.
