SNAT Pool - Can't seem to make work
Hi
I have defined a SNAT pool and I have assigned it to a virtual server. However, when I enter the VIP in my browser I cannot make a connection. If I enter the pool server IP it connects. When I check the SNAT Pool statistics, there is no activity. I am very new to this... what step may I have missed?
Thanks!
Eric
4 Replies
- Kevin_Stewart
Employee
There could be a few things wrong:
- First try the SNAT Automap selection. You wouldn't want to use this in production, but whether or not it works will tell us more about the problem.
- TCPdump on the server side VLAN of the BIG-IP. Here you want to see if any traffic is making its way to the server, and what the IPs are.
    tcpdump -lnni [server-side vlan]
The fact that you can access the pool member directly from your client machine implies that you're either on the same network, or have a route to it, and not going through the BIG-IP to get to it. This could either mean that the SNAT configuration is incorrect, or that perhaps you're not making it to the BIG-IP VIP in the first place.
- Kevin_Stewart
Employee
Okay, so I assume X.X.70.108 is your client and X.X.53.24 is the VIP. Quick questions then,
- Do you have a pool assigned to the VIP, and are there members in the pool?
- Does the pool have a monitor assigned and if so what type of monitor and what is its status?
- You said "But don't see any reference to any pool member". Does that mean you didn't see any traffic from the BIG-IP to any pool members from a tcpdump capture on the server-side VLAN?
- Do you have a server-side VLAN defined that also has an associated self-IP in the same subnet as the pool members?
- Are you using route domains on either side of the BIG-IP?
- Kevin_Stewart
Employee
Okay, so you have ONE VLAN that connects clients and pool members to the BIG-IP.
- Are the clients natively on the same subnet as the pool members? The X.X.70.108 subnet?
- Do you have a self-IP assigned? And if so, is it in the same subnet as the pool members?
When you do a tcpdump, specify the name of the VLAN with the -i option, example:
    tcpdump -lnni FW_Inside
This allows you to focus on traffic crossing this one VLAN. So doing this, do you see monitor traffic (HTTP GETs and HTTP responses) in the capture? Hopefully you should.
- Kevin_Stewart
Employee
"I do have a self ip assigned and it is not on the same subnet as the pool members"
That may be the problem. The BIG-IP generally uses self-IPs to tell it which VLAN to send traffic. Is there at least a gateway route on the box to allow the BIG-IP to get to the pool members? You may have to include a "nexthop" in an iRule to force traffic to the gateway.
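One way to read the tcpdump output asked for in the replies above, as an added example (not part of the thread and not F5 tooling): it classifies a capture by whether the client reaches the VIP, whether anything is sent on to a pool member, and which source address that traffic carries. All addresses and capture lines are constructed, and the verdict names are hypothetical labels.

```python
import re
from ipaddress import ip_address

# "src.port > dst.port:" portion of an IPv4 line printed by `tcpdump -nn`.
FLOW = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")

# Constructed sample values, not taken from the thread.
CLIENT, VIP = "198.51.100.10", "192.0.2.24"
MEMBERS, SNATS = ["10.20.0.11"], ["10.20.0.200"]
SAMPLE_OK = """\
12:00:01.000101 IP 198.51.100.10.51515 > 192.0.2.24.80: Flags [S], seq 1, length 0
12:00:01.000240 IP 10.20.0.200.40112 > 10.20.0.11.80: Flags [S], seq 9, length 0
12:00:01.000910 IP 10.20.0.11.80 > 10.20.0.200.40112: Flags [S.], seq 5, ack 10, length 0
"""
# Client hits the VIP, but only self-IP monitor probes reach the member.
SAMPLE_STUCK = """\
12:00:01.000101 IP 198.51.100.10.51515 > 192.0.2.24.80: Flags [S], seq 1, length 0
12:00:02.000300 IP 10.20.0.5.33000 > 10.20.0.11.80: Flags [S], seq 3, length 0
"""

def diagnose(capture, client, vip, members, snat_addrs):
    """Return a one-word verdict for a capture taken on the BIG-IP VLAN."""
    client, vip = ip_address(client), ip_address(vip)
    members = {ip_address(m) for m in members}
    snat_addrs = {ip_address(s) for s in snat_addrs}
    seen = {"to_vip": 0, "snat_out": 0, "client_src_out": 0, "member_reply": 0}
    for line in capture.splitlines():
        m = FLOW.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and malformed lines are ignored
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        if src == client and dst == vip:
            seen["to_vip"] += 1
        elif dst in members and src in snat_addrs:
            seen["snat_out"] += 1
        elif dst in members and src == client:
            seen["client_src_out"] += 1
        elif src in members and dst in snat_addrs:
            seen["member_reply"] += 1
    if not seen["to_vip"]:
        return "client-not-reaching-vip"    # look at routing/ARP toward the VIP
    if seen["client_src_out"]:
        return "forwarded-without-snat"     # SNAT pool not applied to the flow
    if not seen["snat_out"]:
        return "nothing-sent-to-pool"       # pool, monitor, self-IP or route
    if not seen["member_reply"]:
        return "member-not-answering-snat"  # member has no path back to the SNAT address
    return "snat-working"
```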