SNAT Issue with two virtual servers
I’m having an issue wrapping my head around setting up SNAT. I think SNAT is what I need.
Here is my setup:
192.168.103.125 – ip of server hosting IIS site www.siteA.com
192.168.103.1 Default Gateway on server A which is the F5
192.168.100.141 – ip of Virtual server in F5 for siteA
192.168.103.211 – ip of server hosting IIS site www.siteB.com
192.168.103.1 Default Gateway on server B which is the F5
192.168.100.140 – ip of Virtual server in F5 for site B
If I try to browse to www.siteB.com from the site A server, it won’t work. If I try to browse to www.siteA.com from the site B server, it won’t work.
The only way I can get it to work is to create a static route like this to force the destination server to route any traffic back to the source to use the VIP.
On server B, I make a route – (route add 192.168.103.125 mask 255.255.255.255 192.168.100.141)
If I add the above on server B, I can then browse to www.siteB.com from server A
I read through https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1199363 but I’m unsure exactly what to set up.
One other thing to add: for some reason, when our F5s were set up years ago, any of the web servers use route domain 1. I don’t know if that is part of the problem or not.
Appreciate any help.
- nathe (Cirrocumulus)
Looks like asymmetric routing as source IP will be origin server which the other server will be able to route directly back to.
Try snat automap. This will source nat the traffic to be the bigip IP address. Hence traffic will return via bigip.
Hope this helps.
N
So, what's happening is this.
server B calls VIP a - src : 192.168.103.211 dst : 192.168.100.141
VIP a sends to server a - src : 192.168.103.211 dst : 192.168.103.125
server A responds to request - src : 192.168.103.125 dst : 192.168.103.211
- That's a problem since server b is not expecting to be talking to that address, and has no session to associate the connection with.
Usually you don't need to worry about SNAT when the server's default gateway is the F5. However, you've just hit on one of the situations that does require some grooming. Do be careful if you do decide to put SNAT on the VIP, as it will change the way all of the traffic appears on the back-end server.
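The packet flow described in the post above, as an added Python sketch (not part of the original thread and not F5 code): it models where the pool member's reply goes with and without SNAT automap, and which source address the back-end server sees. The /24 mask, the use of 192.168.103.1 as the automap self IP, and the workstation address 10.1.1.50 are assumptions made for the illustration.

```python
import ipaddress

# Addresses from the thread. The /24 mask and the use of 192.168.103.1 as the
# SNAT automap self IP are assumptions for this illustration.
SERVER_NET = ipaddress.ip_network("192.168.103.0/24")
SELF_IP = "192.168.103.1"
VIPS = {
    "192.168.100.141": "192.168.103.125",  # siteA VIP -> server A
    "192.168.100.140": "192.168.103.211",  # siteB VIP -> server B
}


def trace(client, vip, automap):
    """Follow one request through the VIP.

    Returns (source address the pool member sees,
             source address of the reply as the client receives it,
             whether the client can match the reply to its connection).
    """
    member = VIPS[vip]
    # The BIG-IP always rewrites the destination (VIP -> pool member).
    # It rewrites the source only when SNAT automap is enabled.
    seen_src = SELF_IP if automap else client
    # The pool member replies to seen_src. An address on its own subnet is
    # reached directly, so the reply skips the BIG-IP unless seen_src is the
    # BIG-IP itself. Off-subnet replies go to the default gateway (the BIG-IP).
    on_link = ipaddress.ip_address(seen_src) in SERVER_NET
    via_bigip = seen_src == SELF_IP or not on_link
    # Only the BIG-IP holds the state needed to restore the VIP as the source.
    reply_src = vip if via_bigip else member
    # The client opened its connection to the VIP, so it accepts only that.
    return seen_src, reply_src, reply_src == vip


if __name__ == "__main__":
    cases = [
        ("server B -> siteA VIP, no SNAT", "192.168.103.211", "192.168.100.141", False),
        ("server B -> siteA VIP, automap", "192.168.103.211", "192.168.100.141", True),
        ("workstation -> siteA VIP, no SNAT", "10.1.1.50", "192.168.100.141", False),
    ]
    for label, client, vip, automap in cases:
        seen, reply, ok = trace(client, vip, automap)
        print(f"{label}: member sees {seen}, reply from {reply}, "
              f"{'accepted' if ok else 'dropped by client'}")
```

With automap enabled the pool member sees the self IP for every connection, which is the change in back-end appearance the post warns about; server logs and IP-based access rules on the web servers no longer see the real client address.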
- Kevin_Bozman_15 (Nimbostratus)
So I just add automap on the vips for siteA and SiteB? I actually have two per, 80 & 443
As long as you have floating IP(s) configured on that egress VLAN, that should get you going.
When automatically choosing a self IP address to map to the specified original IP address, the system gives preference to floating self IP addresses over static (non-floating) self IP addresses. This prevents any interruption in service when failover occurs. Note that if no floating self IP address is currently assigned to the egress VLAN, the system uses the floating IP address of a non-egress VLAN instead.
- Kevin_Bozman_15 (Nimbostratus)
We do have a floating IP address. I have two of these boxes running in an HA pair. I set all the virtual servers' "Source Address Translation" to "Auto Map"; no luck. I can reach the sites via a different network, like from my workstation, but not from one another. Any other thoughts?
- Kevin_Bozman_15 (Nimbostratus)
Seems to be working now. I tried it again this a.m. and I can pull up the sites from the other servers. I'm just using auto map on the virtual servers. I made the change yesterday and it didn't though. Maybe there was some kind of timeout that needed to happen? I'll keep monitoring it though. Thanks for the help.
- No problem. If I had to guess about what happened yesterday, I would agree with you regarding the "timeout". I run into that with some frequency regarding changing iRule. Someone with an existing connection to a VIP will not get the "new" iRule until they reconnect.