Forum Discussion
SNAT problem, caused by oneconnect?
Is there a known problem with oneconnect and SNAT iRules?
I have to set a special SNAT address for requests from some special users.
The iRule looks like this:
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        ??.??.??.??/?? {
            snatpool SNAT_PENTESTER
        }
        default {
            # Default usage of SNAT Automap
            snat automap
        }
    }
}
This works sometimes, sometimes not. We haven't found a reason why the LTM sometimes uses the SNAT iRule and sometimes not. The VS uses a OneConnect profile. Could this be a reason for this confusing behaviour?
Any help welcome!
22 Replies
- Cory_50405
Noctilucent
Does it work if you use an if statement?
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals ?.?.?.?/??] } {
        snatpool SNAT_PENTESTER
    } else {
        snat automap
    }
}
- Cory_50405
Noctilucent
I don't think OneConnect will cause any issues pertaining to SNAT configuration by the way.
- Matthias_Ubben_
Nimbostratus
We tried it first with the if statement. Because that didn't work, we changed it to the switch statement, which also doesn't work.
We've tried also a solution with data-group:
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals SNAT_PenTester_Pool] } {
        snatpool SNAT_PENTESTER
    }
}
Without success 😞
- Cory_50405
Noctilucent
So when you say 'doesn't work', does that mean connections through the LTM from the particular range of penetration testers do not work, or they are being auto mapped rather than assigned to their specific SNAT pool?
Can you post your virtual server and SNAT pool configurations?
- Matthias_Ubben_
Nimbostratus
They are being auto mapped with the standard IP address.
- Cory_50405
Noctilucent
How often is the problem occurring? If it's a hit-or-miss issue, it almost sounds like the source address isn't matching in some cases. Are you certain all of the penetration testers are coming from the one network that you have defined in the iRule?
- PK_Bhatia
Nimbostratus
Have you tried remote address for the client to see if that makes any difference?
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 206.0.0.0 mask 255.0.0.0] } {
        pool clients_from_206
    } else {
        pool other_clients_pool
    }
}
- PK_Bhatia
Nimbostratus
Sorry about the formatting, I am not sure why it came up like this...
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 206.0.0.0 mask 255.0.0.0] } {
        pool clients_from_206
    } else {
        pool other_clients_pool
    }
}
- Matthias_Ubben_
Nimbostratus
I've tested it, but I don't see any traffic with the special SNAT address.
- PK_Bhatia
Nimbostratus
Did you check this iRule... https://devcentral.f5.com/wiki/iRules.DestinationSnatUsingDNS.ashx
- Matthias_Ubben_
Nimbostratus
No, I won't use DNS.
- PK_Bhatia
Nimbostratus
I am sorry, I was not asking to use DNS, I was suggesting the local_addr [IP::addr [IP::local_addr] equals 10.0.0.35] https://clouddocs.f5.com/api/irules/IP__local_addr.html
- mimlo_61970
Cumulonimbus
I'm trying to find a reference in newer documentation, but at least in version 10.2 it would appear that oneconnect MIGHT impact the SNAT.
From: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_snat.html
"The BIG-IP system OneConnect feature allows client requests to re-use idle server-side connections. Without a SNAT, the source IP address in the server-side connection remains the address of the client node that initially established the connection, regardless of which other client nodes re-use the connection. Although this is not an issue for traffic routing, you might find it confusing when examining various types of system output. A SNAT solves this problem."
This would lead me to believe that even with SNAT, it will use the SNAT of the first connection, and not re-evaluate it for each connection.
Might be best to ask support at this point. I use a rule exactly like your example without oneconnect and it works fine.
- mimlo_61970
Cumulonimbus
The manual for 11.5.1 says the same thing. It's not entirely clear when it comes to your situation, but I infer from what they do say that the original SNAT address would get re-used for subsequent connections when OneConnect is on.
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/18.html?sr=37781710
- nitass
Employee
but I infer from what they do say that the original SNAT address would get re-used for subsequent connections when oneconnect is on.
yes, correct.
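An added example, not code from the thread, showing the two halves of the fix that the replies above converge on: the SNAT is a property of the server-side connection, so under OneConnect the iRule has to stop a pentester request from borrowing an idle automap connection and stop an automap client from borrowing the pentester's connection. It assumes the pentester range is the documentation network 192.0.2.0/24 (a stand-in for the real range), the SNAT pool is named SNAT_PENTESTER as in the thread, the virtual server uses a OneConnect profile with a source-mask of 255.255.255.255 (see the note after the block), and that the ONECONNECT::reuse iRule command is available on the BIG-IP release in use; check the iRules reference for your version before relying on it.

```tcl
# Added example (not from the thread).  Assumptions: 192.0.2.0/24 stands in for
# the real pentester range, the SNAT pool is SNAT_PENTESTER, the virtual server
# carries a OneConnect profile with source-mask 255.255.255.255 so that an idle
# server-side connection is only reused for the same client source, and
# ONECONNECT::reuse exists on this release (verify against the iRules reference).

when CLIENT_ACCEPTED {
    # Decide the SNAT once per client-side connection.  IP::addr does a real
    # CIDR comparison; a plain Tcl switch only string-compares the address, so
    # a network pattern in a switch arm never matches a single client IP.
    if { [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
        set pentester 1
        snatpool SNAT_PENTESTER
    } else {
        set pentester 0
        snat automap
    }
    # Make the decision visible in /var/log/ltm while testing; remove afterwards.
    log local0. "client [IP::client_addr] pentester=$pentester"
}

when HTTP_REQUEST {
    # The SNAT address belongs to the server-side connection, not to the request.
    # Once a pentester request has opened a server-side connection with the
    # SNAT_PENTESTER address, keep it out of the OneConnect reuse pool so it is
    # never handed to an automap client, whose traffic would otherwise leave the
    # BIG-IP with the pentester's address instead of the automap address.
    if { $pentester } {
        ONECONNECT::reuse disable
    }
}
```

The source-mask half covers the other direction: with a mask of 255.255.255.255 the BIG-IP only reuses an idle server-side connection for a client whose masked source matches, so a pentester never lands on a connection that was opened under automap by someone else. A profile for that (name is hypothetical) can be created with `tmsh create ltm profile one-connect oc_per_client defaults-from oneconnect source-mask 255.255.255.255` and attached to the virtual server in place of the stock OneConnect profile. To confirm which address a given client's traffic actually leaves with, look at the server-side flow with `tmsh show sys connection cs-client-addr 192.0.2.10 all-properties` while a test request is in flight, rather than relying only on the log line.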