
Robert_Luechte2
Jul 05, 2016

static snat assignment not working as expected

I'm trying to do a static SNAT assignment for a virtual server based on the client's source IP address. I'm using the following iRule to do this:

when RULE_INIT {
    # Use a local array to configure SNAT addresses.
    # These addresses must be defined in a SNAT pool.
    # Follow the pattern of the existing addresses to add more than three.

    set static::snat_ips(0) 10.x.y.253
    set static::snat_ips(1) 10.x.y.254
}

when CLIENT_ACCEPTED {
    # Restrict port access to HTTP or HTTPS.
    # If it's a valid port, assign a SNAT entry and allow the connection to continue.
    # If it's not a valid port, reject the connection.

    if { ( [TCP::local_port] == 80 ) or
         ( [TCP::local_port] == 443 ) } {

        # Calculate the crc32 checksum of the client IP.
        # Use the modulo of the checksum and the number of SNAT IPs in the array
        # to select a SNAT IP address.

        snat $static::snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips]}])
    } else {
        reject
    }
}

At this point in time, I'm the only client using the virtual server with this iRule, and in fact I have a tcpdump running that verifies that no one else is using this virtual server. But when I look at my snat translations in TMSH, I see that both of the SNAT IPs are being assigned.

sho ltm snat-translation 10.x.y.253

-----------------------------------
Ltm::SNAT Translation: 10.x.y.253
-----------------------------------
Traffic                ServerSide
  Bits In                  907.7K
  Bits Out                   3.0M
  Packets In                  439
  Packets Out                 410
  Current Connections           3
  Maximum Connections           3
  Total Connections             3


sho ltm snat-translation 10.x.y.254

-----------------------------------
Ltm::SNAT Translation: 10.x.y.254
-----------------------------------
Traffic                ServerSide
  Bits In                  688.0K
  Bits Out                   1.1M
  Packets In                  217
  Packets Out                 168
  Current Connections           0
  Maximum Connections           3
  Total Connections            10

Does anyone have any idea why this would be happening? I would expect my source IP address to always be assigned the same SNAT entry. I cleared the SNAT counters while my tcpdump was running and I verified that the only client IP address that accessed this virtual server after that point in time was my IP address.

Any help would be greatly appreciated.

Thanks, Robert

1 Reply

  • Are the SNAT IPs being used by any other configuration object, or maybe the iRule is assigned to some other VS? Can't you utilize 1 pool member in the default pool attached to the VS and then do a tcpdump on the server? That should be more definitive, assuming you are inserting the client IP in the XFF header.

    or add a log statement in the iRule just below the snat IP selection:

    log local0. "CLIENT IP - [IP::client_addr] - Selected SNAT - $static::snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips]}])"
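As an added example (not code from this thread, from F5, or from the iRule above), the Python below re-implements the selection rule the question relies on, crc32(client IP) modulo the number of SNAT addresses, and then checks log lines in the format of the suggested log statement against it: any client that shows up on a SNAT address other than the one the hash predicts is reported, while an empty result means the rule mapped every client deterministically and the extra translations seen in tmsh must come from some other object. The SNAT addresses, client addresses and log lines are constructed for the example, and it assumes the iRule crc32 command hashes the dotted-quad string with the standard CRC-32 that zlib.crc32 implements; the exact hash value does not matter for the check, only that one client address always lands on one SNAT address.

```python
import re
import zlib

# Constructed SNAT addresses standing in for the elided 10.x.y.253 / 10.x.y.254.
SNAT_IPS = ["10.0.0.253", "10.0.0.254"]


def select_snat(client_ip, snat_ips=SNAT_IPS):
    """Mirror of the iRule's
    snat $static::snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips]}])
    Assumption: the iRule crc32 command hashes the dotted-quad string with the
    standard CRC-32 that zlib.crc32 implements. zlib.crc32 returns an unsigned
    32-bit value, so the index is always within range."""
    return snat_ips[zlib.crc32(client_ip.encode("ascii")) % len(snat_ips)]


def expected_mapping(client_ips, snat_ips=SNAT_IPS):
    """Table client -> SNAT: the answer to 'which SNAT should my IP get?'"""
    return {c: select_snat(c, snat_ips) for c in client_ips}


def other_snat(client_ip, snat_ips=SNAT_IPS):
    """A SNAT address the hash would NOT choose for this client (used only to
    construct a sample log line that shows the symptom)."""
    chosen = select_snat(client_ip, snat_ips)
    return next(s for s in snat_ips if s != chosen)


LOG_RE = re.compile(r"CLIENT IP - (\S+) - Selected SNAT - (\S+)")


def parse_log(lines):
    """Yield (client_ip, snat_ip) from lines in the format of the suggested
    'log local0.' statement; unrelated lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def find_inconsistencies(lines, snat_ips=SNAT_IPS):
    """Map client_ip -> set of observed SNAT addresses that differ from the one
    the hash predicts. An empty result means the iRule mapped every client
    deterministically, so extra translations seen in tmsh come from elsewhere
    (another VS using the same SNAT pool, a SNAT setting on the VS, and so on)."""
    bad = {}
    for client, observed in parse_log(lines):
        if observed != select_snat(client, snat_ips):
            bad.setdefault(client, set()).add(observed)
    return bad


# Constructed sample log lines in roughly the shape BIG-IP writes for
# 'log local0.' (the syslog prefix is approximate). Lines 1 and 2 are what a
# correctly working rule prints for one client; line 3 puts the same client on
# the other SNAT, which is the symptom the question describes; line 4 is noise.
_CLIENT = "192.0.2.10"
_PREFIX = "Jul  5 10:00:0{} bigip info tmm[1234]: Rule /Common/static_snat <CLIENT_ACCEPTED>: "
SAMPLE_LOG = [
    _PREFIX.format(1) + "CLIENT IP - {} - Selected SNAT - {}".format(_CLIENT, select_snat(_CLIENT)),
    _PREFIX.format(2) + "CLIENT IP - {} - Selected SNAT - {}".format(_CLIENT, select_snat(_CLIENT)),
    _PREFIX.format(3) + "CLIENT IP - {} - Selected SNAT - {}".format(_CLIENT, other_snat(_CLIENT)),
    "Jul  5 10:00:04 bigip info tmm[1234]: unrelated message",
]

if __name__ == "__main__":
    for ip, snat in expected_mapping([_CLIENT, "192.0.2.11", "198.51.100.7"]).items():
        print(ip, "->", snat)
    print("inconsistencies:", find_inconsistencies(SAMPLE_LOG))
```

To use this against a real unit, replace SNAT_IPS with the addresses from the RULE_INIT array in the same order, and feed the lines written by the log statement to find_inconsistencies; if the hash values produced by the BIG-IP crc32 command differ from zlib's, the mapping table will differ but the per-client check still holds, because a single client can only ever produce one hash value.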