Forum Discussion

Will_Harkrider_'s avatar
Icon for Nimbostratus rankNimbostratus
Feb 15, 2011

SNAT pool port exhaustion - to iRule or not to iRule?

Hi all -- I'm new to the iRules capability, but I've been managing load balancing in a relatively simple context for a while now.



I'm having an issue with a basic web-server load balancing scheme -- it is a one-arm configuration with a SNAT pool with 2 IP addresses defined. Simple source IP affinity is used for session persistence. The LTMs are running v10.1.



The load balancing is a simple round robin, but the volume of traffic is significant enough to exhaust the 65k available ports for the first SNAT IP. The problem is that there is little/no traffic leveraging the secondary SNAT IP address to expand the number of available ports for new connections.



The result appears to be unavailability of the web site on occasion -- the sessions/ports do not appear to be consistently added back into the pool and they stay open longer than expected. This may be the behavior of the web application or client -- I'm not certain.



I'd like to determine a) if there's some kind of bug that is preventing the active use of the secondary SNAT IP/ports, or b) if there is a means of identifying when a session is no longer in active use and force the closure of the ports so the 65k range is not exhausted.



Any help/insight would be appreciated!



UPDATE: I ran the iHeath checks on the LTMs and it recommended updating to version 10.2.1 based on a SNAT pool issue related to FastL4 (SOL11135), but the vip in question is running standard TCP (not FastL4) based on some of the profiles needed.



I will try this approach for the time being (who knows -- it might apply here too) to determine if it solves my particular issue...





3 Replies

  • Hi Will,



    I'm not sure SOL11135 is relevant if you're using a standard IP virtual server without connection mirroring. I thought LTM would round robin between the addresses in a SNAT pool. If you're seeing port exhaustion errors for one SNAT IP and not the other, I'd open a case with F5 Support on this.



    You could also tailor the idle timeout on a custom TCP profile and add that to the virtual server. Per SOL7606, the lower of the idle timeouts on the TCP profile and the SNAT timeout will be honored:



    SOL7606: Overview of BIG-IP idle session timeouts




  • Aaron -- thanks for the reference. I will check this as well to see if there is anything in here that I haven't already tried to tweak in an effort to get the SNAT pool IP's to properly balance or properly timeout and reuse the ports.



    If nothing else, I'll open the case with F5 and post any updates for anyone else that might be having this issue..





  • Please do reply back with what you find either in your testing or via Support.



    Thanks, Aaron