Forum Discussion
SNAT and One-Connect
Hello,
For reference, here is the OneConnect Overview article.
The article makes it clear: the F5 does not select a pool member based on available idle connections, it selects a pool member based on the load balancing algorithm.
OneConnect selection process
- Request comes in, pool selection takes place etc.
- Load balancing decision based on persistence or algorithm.
- Apply mask to translated source address.
- Re-use idle connection and mark in-use, or open new connection and mark in-use.
- Inspect server response:
  a. 200, 206, 3xx: eligible for re-use, mark connection idle.
  b. anything else: not eligible for re-use, close the connection.
It is possible to override the default OneConnect re-use behavior via iRule and/or db setting sys db tmm.http.oc.droponerror.
OneConnect Mask
The mask on the OneConnect profile only applies to the server-side connection. If you SNAT all connections to a single address, the mask on the OneConnect profile for all intents and purposes is irrelevant.
Your scenario
In your round-robin scenario, the requests that come into the F5 will be balanced round-robin on a per-request basis.
As long as you don't have persistence:
- request 1 --> server 1
- request 2 --> server 2
If you want to test the behavior, you could try these steps:
- Configure a 255.255.255.255 mask in your OneConnect profile.
- Write a simple iRule to SNAT to a different IP if the request is from your test browser/client.
- Run tcpdump to capture the traffic server-side from the specific SNAT address from the iRule.
If you capture with noise and view in Wireshark with the F5 plugin, you can see which client-side connections are associated with the server-side connections.
Reducing connections
It is true, OneConnect can be used to reduce server-side TCP connections. However, it is important to keep the end goal in mind: performance.
- It's better to have all servers handling requests from a single client-side connection than 1.
- Connection setup is time-consuming, it's better to keep a connection open as long as possible.
The load balancing algorithm on the F5 is one of the tools F5 provides to put you in control of load distribution. I don't think of OneConnect as a way to "reduce server-side connections handled by the F5"; the F5 is more than capable of handling lots of server-side connections.
OneConnect is another tool that works in concert with your load balancing algorithm. It allows the algorithm you choose to distribute HTTP load on a per-request basis instead of a per-connection basis.
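The selection steps listed in the post above can be traced with a small model. This is an added example, not part of the original post and not F5 code; the class, the addresses and the assumption that each request finishes before the next one arrives are all constructed for illustration.

```python
import ipaddress
from itertools import cycle

# Response codes the post lists as eligible for re-use: 200, 206, 3xx.
REUSABLE = {200, 206} | set(range(300, 400))

class OneConnectModel:
    """Simplified model of the selection steps above (hypothetical, not F5 code)."""

    def __init__(self, members, mask, snat_ip=None):
        self.rr = cycle(members)              # round-robin, no persistence
        self.mask = int(ipaddress.IPv4Address(mask))
        self.snat_ip = snat_ip                # None means no SNAT
        self.idle = {}                        # (member, masked source) -> idle conns
        self.opened = 0                       # server-side connections opened

    def request(self, client_ip, status=200):
        member = next(self.rr)                # load balancing decision comes first
        src = int(ipaddress.IPv4Address(self.snat_ip or client_ip))
        key = (member, src & self.mask)       # mask applied to translated source
        pool = self.idle.setdefault(key, [])
        if pool:                              # re-use an idle connection
            conn, reused = pool.pop(), True
        else:                                 # or open a new one
            self.opened += 1
            conn, reused = self.opened, False
        if status in REUSABLE:                # inspect the server response
            pool.append(conn)                 # eligible: mark idle again
        return member, reused                 # otherwise the connection is dropped

# Constructed sample clients and SNAT address.
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
SNAT = "10.0.0.99"

def run(snat_ip, mask, rounds=2):
    """Send each client's request once per round; return (members hit, conns opened)."""
    model = OneConnectModel(["server1", "server2"], mask, snat_ip)
    log = [model.request(c) for _ in range(rounds) for c in CLIENTS]
    return [member for member, _ in log], model.opened

if __name__ == "__main__":
    for snat_ip, mask in [(None, "255.255.255.255"), (SNAT, "255.255.255.255"),
                          (SNAT, "0.0.0.0")]:
        print(snat_ip, mask, run(snat_ip, mask))
```

In this model the members hit alternate on every request in all three runs; only the number of server-side connections opened changes, and with SNAT to one address it is the same for either mask.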
Thanks for the answer, but don't you think OneConnect overrides load balancing?
I think this will be the case with SNAT + OneConnect:
- request 1 --> server 1
- request 2 --> server 1
Because SNAT is performed before OneConnect, OneConnect will see the request is coming from the same source and it will send it to the same server unless and until OneConnect is maxed out with number of connections. I will ask this to F5 Support also.