SNAT with oneconnect

Question

I have the following scenario, standard HTTPS VS with snat pool (4 ip addresses) that load balance to 4 servers in the back end (ssl offload). Oneconnect profile is applied with 255.255.255.255. All idle timeouts are set to 60seconds. Load balance is round robin and persistence is based on ssl. The setup works fine, 1000 inbound connections and about 50 back end connections.&nbsp;
Now the issue is that when from one client I open 500 connections I get around 500 new back end connections, on each connection I only perform one GET. I cannot explain this since oneconnect should minimize the number of back end connections, and it does, but not for this specific test. Does anyone has an idea why this is happening ?&nbsp;

nitass · Answer

Now the issue is that when from one client I open 500 connections I get around 500 new back end connections, on each connection I only perform one GET.&nbsp;

did you fire them in parallel or sequential?&nbsp;

nitass · Answer

it seems okay here. do you have any special configuration?
 configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myoneconnect { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 3
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile one-connect myoneconnect
ltm profile one-connect myoneconnect {
    app-service none
    source-mask 255.255.255.255
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  log local0. [IP::client_addr]:[TCP::client_port]
}
when SERVER_CONNECTED {
  log local0. [IP::local_addr]:[TCP::local_port]
}
}

test by generating 500 requests from 1 client (ab -n 500 -c 1 http://172.28.24.10/)

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm profile one-connect myoneconnect

-------------------------------------
Ltm::OneConnect Profile: myoneconnect
-------------------------------------
Virtual Server Name  N/A

Connections
  Current Idle         2
  Maximum              4
  Total Reuses       494
  New                  6

[root@ve11a:Active:In Sync] config  grep -i client_accepted /var/log/ltm | grep 172.28.24.8 | wc -l
500

[root@ve11a:Active:In Sync] config  grep -i server_connected /var/log/ltm | wc -l
6

Forum Discussion

SNAT with oneconnect

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

AWIC (test)

AWS F5_OWASP Managed Rule Blocking requests

F5OS VLAN naming length restrictions

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

Maintenance page / local website that includes subfolders

Related Content

How OneConnect Profile works with Cookie Persistence

What is HTTP Part VII - OneConnect

Lightboard Lessons: OneConnect

SNAT pool persistence

How OneConnect Profile's max-size works

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS