Forum Discussion

nick871230_1404
Dec 26, 2013

SNAT POOL AUTOMAP ISSUE

Hi, here is the topology:

Client-192.168.81.61--------F5-130.97.120.19---------------Server-130.97.121.131

The client (192.168.81.61) wants to connect to the server (130.97.121.131) through a virtual IP, 192.168.120.131:9000. For this purpose, I configured a standard VS on the LTM using the virtual IP 192.168.120.131:9000. If I choose AUTOMAP as my SNAT POOL, the connection is fine, but the source IP is translated to 130.97.120.19, and I really don't want this to happen. If I set SNAT POOL to NONE, the source IP remains 192.168.81.61, but the TCP connection fails... In order to find out what's going on, I did some captures on both the client and the server.

For the client, I can see these packets:

192.168.81.61----SYN---->192.168.120.131

192.168.120.131---SYN ACK---->192.168.81.61

192.168.81.61---ACK--->192.168.120.131

For the server, I can only see these packets:

192.168.81.61---SYN--->130.97.121.131

130.97.121.131---SYN ACK--->192.168.81.61

Apparently, the ACK from the F5 to the server is missing; I don't know why the F5 wouldn't send the ACK. But when I used AUTO MAP as the SNAT POOL, the F5 would send the ACK, which is why the connection succeeds.

Has anybody met this issue before? I appreciate your help.

  • Hi Nick, I understand this is a single-arm LB setup where your backend servers are not behind the LB.

    In this setup, you should enable SNAT to achieve a symmetric traffic flow, as shown below.

    This assumes the server's gateway is your L3 device, which has the internet connection.

    Forward Path
    End client-->Internet-->L3 Device-->Loadbalancer--->L3 Device-->Backend server
    !
    Reverse Path
    Backend server-->L3 Device-->Loadbalancer-->L3 Device-->Internet-->End Client
    

    If SNAT is not enabled, the traffic flow will be asymmetric, as shown below.

    Forward Path
    End client-->Internet-->L3 Device-->Loadbalancer--->L3 Device-->Backend server
    !
    Reverse Path
    Backend server-->L3 Device-->Internet-->End Client
    

    The traffic flow should be symmetric so that the load balancer and firewall can control and process the traffic completely.

    So, in a single-arm setup (if the server gateway is not the LB), please enable SNAT (Auto Map).

    It will solve your issues.

    Function of SNAT

    If SNAT is enabled at the LB, the source IP of client requests in the TCP/HTTP header is changed to the IP of the load balancer interface through which the backend servers are routed (obviously there is only one production NIC in a single-arm setup).

    Since the source IP of traffic from the LB to the backend server will be the load balancer interface IP, response traffic from the server will come back to the load balancer. The load balancer will then process the traffic and respond to the end client.

    If SNAT is not enabled, the response traffic will not be processed at the LB, hence the connection failure.

    If there is a firewall as your WAN L3 device, it will also drop asymmetric connections, since its default behavior is to drop asymmetric connections.

  • Additionally, if your server wants to get the end client's IP details, you can use the X-Forwarded-For field in the HTTP header in your application.

    In the LB HTTP profile, enable the X-Forwarded-For option, which will insert the client IP address in the X-Forwarded-For field of the HTTP header.

    On your application server, code it to understand the X-Forwarded-For field in the HTTP header.

    That's it.
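
An added example, not part of the original replies: one way the application server could read X-Forwarded-For once SNAT Auto Map is on, accepting the header only when the TCP peer is the load balancer, because a client can send its own X-Forwarded-For value. The function and variable names are hypothetical, and the trusted address assumes Auto Map uses the F5 address 130.97.120.19 from the topology above.

```python
import ipaddress

# Assumption: the BIG-IP is the only proxy in front of the server and, with
# SNAT Auto Map, connects from 130.97.120.19 (the F5 address in the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("130.97.120.19/32")]


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip, xff_values):
    """Choose the client address for one request.

    peer_ip    -- source address of the TCP connection seen by the server
    xff_values -- list of X-Forwarded-For header values (may be empty)
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        raise ValueError("invalid peer address: %r" % (peer_ip,))
    # A peer that is not the load balancer can put anything in the header,
    # so the header is ignored and the connection's own address is used.
    if not _is_trusted(peer):
        return str(peer)
    # Several header lines are equivalent to one comma-separated list.
    hops = [hop for value in xff_values for hop in value.split(",")]
    # Walk right to left: the rightmost entry is the one added closest to
    # the server; anything further left may have been sent by the client.
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            break  # malformed entry: stop trusting the rest of the header
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```
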