Forum Discussion
SNAT and One-Connect
Hello,
For reference, here is the OneConnect Overview article.
The article makes it clear: the F5 does not select a pool member based on available idle connections; it selects a pool member based on the load balancing algorithm.
OneConnect selection process
- Request comes in, pool selection takes place etc.
- Load balancing decision based on persistence or algorithm.
- Apply mask to translated source address.
- Re-use idle connection and mark in-use, or open new connection and mark in-use.
- Inspect server response:
  a. 200, 206, 3xx: eligible for re-use, mark connection idle.
  b. anything else: not eligible for re-use, close the connection.
It is possible to override the default OneConnect re-use behavior via iRule and/or db setting sys db tmm.http.oc.droponerror.
OneConnect Mask
The mask on the OneConnect profile only applies to the server-side connection. If you SNAT all connections to a single address, the mask on the OneConnect profile for all intents and purposes is irrelevant.
Your scenario
In your round-robin scenario, the requests that come into the F5 will be balanced round-robin on a per-request basis.
As long as you don't have persistence:
- request 1 --> server 1
- request 2 --> server 2
If you want to test the behavior, you could try these steps:
- Configure a 255.255.255.255 mask in your OneConnect profile.
- Write a simple iRule to SNAT to a different IP if the request is from your test browser/client.
- Run tcpdump to capture the traffic server-side from the specific SNAT address from the iRule.
If you capture with noise and view in Wireshark with the F5 plugin, you can see which client-side connections are associated with the server-side connections.
Reducing connections
It is true, OneConnect can be used to reduce server-side TCP connections. However, it is important to keep the end goal in mind: performance.
- It's better to have all servers handling requests from a single client-side connection than 1.
- Connection setup is time-consuming; it's better to keep a connection open as long as possible.
The load balancing algorithm on the F5 is one of the tools F5 provides to put you in control of load distribution. I don't think of OneConnect as a way to "reduce server-side connections handled by the F5"; the F5 is more than capable of handling lots of server-side connections.
OneConnect is another tool that works in concert with your load balancing algorithm. It allows the algorithm you choose to distribute HTTP load on a per-request basis instead of a per-connection basis.
Got it, thanks for the detailed explanation.
This is from k7208 OneConnect and SNATs
When a client makes a new connection to a BIG-IP virtual server configured with a OneConnect profile and Secure Network Address Translation (SNAT), the BIG-IP system parses the HTTP request, selects a server using the load-balancing method defined in the pool, translates the source IP address in the request to the SNAT IP address, and creates a connection to the server. When the client's initial HTTP request is complete, the BIG-IP system temporarily holds the connection open and makes the idle TCP connection to the pool member available for reuse. When a new connection is initiated to the virtual server, the BIG-IP system performs SNAT address translation on the source IP address, and then applies the OneConnect source mask to the translated SNAT IP address to determine whether it is eligible to reuse an existing idle connection.
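A simplified model of the reuse logic discussed in this thread, added here as an illustration (not F5's code and not written by any poster); the pool member names, client addresses and the SNAT address 10.2.2.99 are constructed. It shows why the OneConnect source mask stops mattering once every connection is SNATed to a single address.

```python
import ipaddress
from collections import defaultdict

REUSABLE = {200, 206}  # plus any 3xx, per the list earlier in the thread

def reuse_key(source_ip, mask, snat_ip=None):
    """The mask is applied to the source address *after* SNAT translation."""
    translated = int(ipaddress.IPv4Address(snat_ip or source_ip))
    return str(ipaddress.IPv4Address(translated & int(ipaddress.IPv4Address(mask))))

class OneConnectModel:
    """Toy model: requests arrive one at a time, pool is round robin."""
    def __init__(self, members, mask, snat_ip=None):
        self.members, self.mask, self.snat_ip = members, mask, snat_ip
        self.idle = defaultdict(int)   # (member, masked source) -> idle conns
        self.opened = 0                # server-side TCP connections created
        self.turn = 0

    def request(self, client_ip, status=200):
        member = self.members[self.turn % len(self.members)]  # per-request LB
        self.turn += 1
        slot = (member, reuse_key(client_ip, self.mask, self.snat_ip))
        reused = self.idle[slot] > 0
        if reused:
            self.idle[slot] -= 1       # take an idle connection, mark in-use
        else:
            self.opened += 1           # nothing idle for this key: open new
        if status in REUSABLE or 300 <= status < 400:
            self.idle[slot] += 1       # eligible response: back to idle pool
        return member, reused          # any other status: connection closed

CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]  # constructed

def opened_connections(mask, snat_ip=None):
    model = OneConnectModel(["s1", "s2"], mask, snat_ip)
    for client in CLIENTS * 2:         # each client sends two requests
        model.request(client)
    return model.opened

if __name__ == "__main__":
    for mask in ("255.255.255.255", "0.0.0.0"):
        print(mask, "no SNAT:", opened_connections(mask),
              "| SNAT:", opened_connections(mask, "10.2.2.99"))
```

Without SNAT, the /32 mask opens one connection per client per pool member it lands on, while 0.0.0.0 shares them; with the single SNAT address both masks produce the same count.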