UDP Datagram LB

Question

Hello,To enable fair load balancing between backend servers (5 syslog srv &gt;&gt; F5 &gt;&gt; 2 splunk srv)I created a new udp&nbsp;profile and activated the option :&nbsp;"Datagram LB" :&nbsp;https://support.f5.com/csp/article/K3605100% of logs received with the default udp profile, but not with the new profile udp (the other parameters are equal)an idea?Thanks!

cpt_ri_f5 · Accepted Answer

hello,FYI, I solved this problem with a simple stateless VS: K13675Thank you all

kai_wilke · Answer

Hi Cpt_Rl_F5,
The loss could be also be a problem with snat port allocations.
A syslog-originator may open a single UDP connection to the syslog-collector and send multiple subsequent messages where each message is carried in a single UDP datagram.
When enabling UDP-Datagram-LB your LTM would treat each arriving UDP datagram as a new UDP connection flow and will maintain the flow, LB decission, SNAT allocations independently of previously received UDP datagrams.
This behavior may drain your SNAT pools very quick resulting in SNAT pool port allocation errors causing packet loses (See&nbsp;K33355231 for more details)
To avoid such snat exhaustions you may either deploy bigger snat pools or simply ignore the "Important" recommendation of K3605:
"Important:&nbsp;With&nbsp;UDP Datagram LB&nbsp;set to&nbsp;Enabled, if you also set the&nbsp;Timeout&nbsp;to&nbsp;Immediate, UDP response traffic is forwarded to the client using the origin server's source IP address and port. As a result, response traffic may not appear to have originated from the virtual server to which the request was sent, and traffic disruption may occur when a client and/or routing&nbsp;expects the UDP source IP address to be the address other than the origin server. You can avoid this issue by setting the timeout to a value other than&nbsp;Immediate&nbsp;whenever possible."
... and set the timeout well-knowing to "Immediate" to allow the individual UDP Datagrams to timeout immediately allowing them to basically share UDP sockets.
Syslog is a simplex protocol, so a originator will never get any answers back from the collector anyway. No need to maintain any timeouts for responses for syslog...
Cheers, Kai

ca_valli · Answer

UDP datagram LB forwards traffic packet-by-packet, and no loger treats UDP packets from the same source and port as part of a connection, so if syslog message is split into multiple packets you might have part of the log on one server and part of the log on the other one, possibly resulting in messages missing.&nbsp;

cpt_ri_f5 · Answer

Hello&nbsp;CA_Valli,&nbsp;
Sorry, I don't understand your answer,&nbsp;the stats show&nbsp;approx. 1 million logs received with the default udp profile and approx. 200k with "Datagram LB",&nbsp;there is a loss of logs, isn't it?
Or do you mean in the same entry (with Datagram LB profil), contains several logs?
Thanks!(Edited by Leslie_Hubertus&nbsp;to tag CA_Valli, to make sure he sees this reply)
&nbsp;

ca_valli · Answer

Where are you checking the stats? F5 or splunk? Also is this a live stat or is is a cumulative counter?
What I wanted to point out is that datagramLB changes load balancing behvior, and while "standard" UDP profile keeps track of UDP connection and forwards all packets of the same connection to the same destination, this is no longer true with DLB -- meaning that if a syslog message is split into multiple UDP packets you might end up with some of them being balanced to one pool member and other packets of the same flow being balanced to the second pool member.
I thought that this could be a possible problem, as one splunk server might not be able to reconstruct the full syslog message due to part of it being sent to the other server -- and possibly discarding/not logging the "incomplete" packets.&nbsp;

cpt_ri_f5 · Answer

Thank you it's clearI checked the stats on splunk, cumulative counter (per minute),&nbsp;but it's the same splunk request.In the splunk graph I see when I change the UDP profile that the number of logs is divided /5 or moreif we can't recover the integrity of the logs, in this case, I don't understand the point of the option "Datagram LB" !I am interested in another solution to fairly share the logs on the splunk serversThanks!&nbsp;

Forum Discussion

UDP Datagram LB

8 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

UDP TCP Packet Duplication

F5 XC - UDP traffic

F5 LTM LB

Inspecting HTTP LB traffic for security