Forum Discussion

  • You might be able to do so via the connection table: look for the IP which is used for SNAT and count the active sessions for it.

    There isn't an easy way like "show SNAT IP used ports", I believe.

  • tmsh show snatpool [snatpool name]
    

    Sample output:

    ---------------------------------
    Ltm::SNAT Pool: snatpool_test
    ---------------------------------
    Traffic                ServerSide
        Bits In                110.0K
        Bits Out                 2.4M
        Packets In                225
        Packets Out               275
        Current Connections         0
        Maximum Connections        10
        Total Connections          25
    

    You'll also get an error in /var/log/ltm if you reach port exhaustion:

    01010201:2: Inet port exhaustion on (floating_self-ip) to (pool_member_ip):(port) (proto 6)
    

    Please see the following DC threads for more insight:

    https://devcentral.f5.com/questions/snat-automap-inet-port-exhaustion-and-self-ips

    https://devcentral.f5.com/questions/snat-pool-port-exhaustion-to-irule-or-not-to-irule

  • Thanks Kevin for the reply... so basically it's all manual work (which means the resolution will be slow) and there is no way to know it before any such situation arises.

  • You could certainly script something up to monitor for impending port exhaustion, but the recourse for this would probably be to add more SNAT IPs to the pool, which you'd be better off just doing in the first place.

  • Hi Kevin,

    Thanks for the response; the above information will really help... but I really don't see a reason why I have to do all the scripting/engineering to get the stats, when the stat is not something related to a third-party integration but is an actual configuration part of the box itself; this feature for sure should be available on the box. Adding the IP in the first place is an option, but even after adding the extra IP, how will I know when I am running into port exhaustion and should include more IPs? Scalability can't be targeted with so much blindness.

    Can you recommend some software out there that can help with this?

    Regards,

  • Port exhaustion occurs when a single (source) IP exceeds its ability to handle new connections. Each IP has roughly 65,000 ports, so that's an opportunity for 65k active and concurrent connections. This is generally only ever an issue with devices that handle heavy loads and that perform source address translation (SNAT) to backend resources. Any given load-bearing device will have a maximum active connection count (based on size and throughput characteristics), so there is a finite limit to the number of ports needed. So for one IP it's 65k. For 2 IPs it's 130k active concurrent connections, etc. But I guess my real question is what would you want this alerting function to do? At some threshold (getting close to port exhaustion), would you want it to add more SNAT addresses? Or simply let you know that it's about to happen?

    I'm not saying it's not a good idea, but that it just isn't a "feature", and I'm unaware of any software or product that could do this and would have better insight than the BIG-IP itself. I'd recommend opening a support case to request this feature, but in the meantime it can be done with a little custom coding.
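The "little custom coding" Kevin mentions, as an added example that is not code from the thread or from F5: it parses `tmsh show snatpool` output into counters, flags pools whose current connections reach the 80% warning level quoted later in the thread, and extracts the SNAT address from the `01010201:2` log message shown above. It assumes roughly 65k usable ports per SNAT address, a caller-supplied count of addresses per pool (taken from `tmsh list snatpool`, since `show` does not print it), and that the log line carries bare IP:port values where the message above shows placeholders; the sample data is constructed.

```python
import re

# Assumptions for this added example (not the thread's own code): ~65k usable
# ephemeral ports per SNAT address, and the 80% warning level from K63275550.
PORTS_PER_IP = 65535
WARN_RATIO = 0.80
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

# Matches the /var/log/ltm message quoted in the thread (bare IP:port values).
EXHAUSTION_RE = re.compile(
    r"01010201:2: Inet port exhaustion on (?P<snat_ip>\S+) to "
    r"(?P<dst_ip>[^:\s]+):(?P<dst_port>\d+) \(proto (?P<proto>\d+)\)")

def parse_snatpool_stats(text):
    """Parse 'tmsh show snatpool' output into {pool_name: {stat: int}}."""
    pools, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"Ltm::SNAT Pool: (\S+)", line)
        if header:
            current = pools.setdefault(header.group(1), {})
        stat = re.match(r"([A-Za-z ]+?)\s{2,}(\d[\d.]*)([KMG]?)$", line)
        if stat and current is not None:  # e.g. 'Bits In   110.0K' -> 110000
            value, unit = stat.group(2), stat.group(3)
            current[stat.group(1)] = int(float(value) * _SUFFIX.get(unit, 1))
    return pools

def pools_near_exhaustion(pools, members_per_pool, threshold=WARN_RATIO):
    """Pools whose current connections reach `threshold` of their port capacity;
    members_per_pool (SNAT addresses per pool) comes from 'tmsh list snatpool'."""
    return sorted(name for name, stats in pools.items()
                  if stats.get("Current Connections", 0)
                  >= threshold * members_per_pool[name] * PORTS_PER_IP)

def exhaustion_events(log_lines):
    """Extract SNAT IP, destination and proto from port-exhaustion log lines."""
    return [m.groupdict() for m in map(EXHAUSTION_RE.search, log_lines) if m]

# Constructed sample input: the thread's 'show snatpool' output plus a second,
# nearly exhausted pool with two SNAT addresses, and one constructed ltm line.
SAMPLE_SHOW = """\
Ltm::SNAT Pool: snatpool_test
    Current Connections         0
Ltm::SNAT Pool: snatpool_busy
    Current Connections    110.0K
"""
SAMPLE_MEMBERS = {"snatpool_test": 1, "snatpool_busy": 2}
SAMPLE_LOG = ["Mar  3 10:15:01 bigip1 err tmm[1234]: 01010201:2: Inet port "
              "exhaustion on 10.0.0.5 to 192.0.2.10:443 (proto 6)"]
```

Run it from cron against `tmsh show snatpool` and a tail of `/var/log/ltm`, and raise an alert (or add SNAT addresses, as Kevin suggests) when `pools_near_exhaustion` returns anything.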

  • Hi guys,

    Sort of an old question, but it might be helpful for someone looking for a similar answer: https://support.f5.com/csp/article/K63275550

    "Beginning in 12.0.0, the BIG-IP system will issue a threshold reached warning when approximately 80 percent of the available ephemeral ports are in use."

    Jozef