Forum Discussion
Remco
Jan 16, 2012 · Nimbostratus
Virtual sends [RST, ACK]
Hi,
We recently replaced Cisco CSS with F5 BigIP, but we now have a problem in our production environment under load which we did not notice in our acceptance environment.
...
Remco
Jan 24, 2012 · Nimbostratus
Finally managed to replicate our problem in the acceptance environment.
What I have found is that it looks like once 'snat automap' is used for one of the pools in the iRule, all future requests (in this TCP session) will also have SNAT enabled, even for pools where this is not configured.
Since there is a FW in between the F5 and the pool members, the TCP sessions where SNAT is incorrectly used are dropped by the FW, since it is only configured to allow traffic from specific clients and only the self-IPs of the F5 (health monitors). After the F5's unanswered SYN on the server side, the F5 sends the [RST, ACK] on the client side.
My first idea was to explicitly disable SNAT for all other pools by adding 'snat none', but this did not make a difference.
Does anybody have an idea how to limit SNAT to only be used in the pools where it is required?