SNAT pool port exhaustion - to iRule or not to iRule?
Hi all -- I'm new to the iRules capability, but I've been managing load balancing in a relatively simple context for a while now.
I'm having an issue with a basic web-server load balancing scheme -- it is a one-arm configuration with a SNAT pool with 2 IP addresses defined. Simple source IP affinity is used for session persistence. The LTMs are running v10.1.
The load balancing is a simple round robin, but the volume of traffic is significant enough to exhaust the 65k available ports for the first SNAT IP. The problem is that there is little/no traffic leveraging the secondary SNAT IP address to expand the number of available ports for new connections.
The result appears to be unavailability of the web site on occasion -- the sessions/ports do not appear to be consistently added back into the pool and they stay open longer than expected. This may be the behavior of the web application or client -- I'm not certain.
I'd like to determine a) if there's some kind of bug that is preventing the active use of the secondary SNAT IP/ports, or b) if there is a means of identifying when a session is no longer in active use and forcing the closure of the ports so the 65k range is not exhausted.
Any help/insight would be appreciated!
UPDATE: I ran the iHealth checks on the LTMs and it recommended updating to version 10.2.1 based on a SNAT pool issue related to FastL4 (SOL11135), but the VIP in question is running standard TCP (not FastL4) based on some of the profiles needed.
I will try this approach for the time being (who knows -- it might apply here too) to determine if it solves my particular issue...