Forum Discussion
Will_Harkrider_
Feb 15, 2011 - Nimbostratus
SNAT pool port exhaustion - to iRule or not to iRule?
Hi all -- I'm new to the iRules capability, but I've been managing load balancing in a relatively simple context for a while now.
I'm having an issue with a basic web-server load balancing scheme -- it is a one-arm configuration with a SNAT pool with 2 IP addresses defined. Simple source IP affinity is used for session persistence. The LTMs are running v10.1.
The load balancing is a simple round robin, but the volume of traffic is significant enough to exhaust the 65k available ports for the first SNAT IP. The problem is that there is little/no traffic leveraging the secondary SNAT IP address to expand the number of available ports for new connections.
The result appears to be unavailability of the web site on occasion -- the sessions/ports do not appear to be consistently added back into the pool and they stay open longer than expected. This may be the behavior of the web application or client -- I'm not certain.
I'd like to determine a) if there's some kind of bug that is preventing the active use of the secondary SNAT IP/ports, or b) if there is a means of identifying when a session is no longer in active use and forcing the closure of the ports so the 65k range is not exhausted.
Any help/insight would be appreciated!
UPDATE: I ran the iHealth checks on the LTMs and it recommended updating to version 10.2.1 based on a SNAT pool issue related to FastL4 (SOL11135), but the VIP in question is running standard TCP (not FastL4) based on some of the profiles needed.
I will try this approach for the time being (who knows -- it might apply here too) to determine if it solves my particular issue...
-Will-
- hoolio (Cirrostratus): Hi Will,
- Will_Harkrider_ (Nimbostratus): Aaron -- thanks for the reference. I will check this as well to see if there is anything in here that I haven't already tried to tweak in an effort to get the SNAT pool IPs to properly balance or properly time out and reuse the ports.
- hoolio (Cirrostratus): Please do reply back with what you find either in your testing or via Support.