automap
4 Topics

F5 LTM SNAT: only 1 outgoing connection, multiple internal clients
I have an F5 LTM SNAT configured:

    ltm snat /Common/outgoing_snat_v6 {
        description "IPv6 SNAT translation"
        mirror enabled
        origins {
            ::/0 { }
        }
        snatpool /Common/outgoing_snatpool_v6
        vlans {
            /Common/internal
        }
        vlans-enabled
    }

... with a translation configured as:

    ltm snat-translation /Common/ext_SNAT_v6 {
        address 2607:f160:c:301d::63
        inherited-traffic-group true
        traffic-group /Common/traffic-group-1
    }

... with snatpool configured as:

    ltm snatpool /Common/outgoing_snatpool_v6 {
        members {
            /Common/ext_SNAT_v6
        }
    }

... and finally, with the SNAT type set to automap:

    vs_pool__snat_type { value automap }

The goal is to achieve a single Diameter connection (single source IP, port) between F5 and the external element, while internally multiple Diameter clients connect via F5 to the external element. However, what ends up happening with this SNAT configuration is that multiple outgoing Diameter connections to the external Diameter element are opened, with the only difference between them being the source port (source IP, destination IP and port remain the same). The external element cannot handle multiple connections from the same origin IP and the same Diameter entity (internal clients are all configured to use the same Origin-Host during the Capabilities Exchange phase). Is there a way to configure F5 to funnel all the internal connections into a single outgoing one?

Solved | 1K views | 0 likes | 10 comments

BIG-IP in DMZ - Reverse traffic to public subnets clarification
Hi guys,

Please help with understanding routing on a BIG-IP LTM device. We are using a quite old version on the box - 10.2.4. The problem we are having is related to traffic flows from the border firewall, which is connected to the public subnet, and the F5 load balancer. We are experiencing connectivity problems from outside to the server pool behind the load balancer after we perform a switchover operation on the firewall cluster from the primary to the secondary node. Both firewall devices are in sync so they are using the same configuration, and during switchover the secondary device just takes the VIPs from the primary. I suspect that the issue lies on the LTM side. What I can't understand right now is how BIG-IP is returning traffic back from the pool to the clients in the Internet if the load balancer is in the DMZ already (it doesn't have public IPs assigned). The border firewall performs NAT translation of the destination IP address, leaving the clients' public IPs unchanged. This changed packet reaches the LTM vServer in VLAN20 (please take a look at the attached diagram) and, based on the vServer settings, traffic is directed to the POOL of Web servers with the source changed to the self-IP of the LTM (because of the SNAT automap config). But the reverse path is not clear. Traffic is forwarded to the LTM, which in its turn will substitute the original public IP address of the Internet client. What then? Will traffic be directed based on the routing table? But in that case asymmetric routing will happen, because in our case the default route is pointing to a different VLAN.

Here is our vserver config:

    ltm virtual VS_VSERVER {
        destination 10.0.20.150:https
        ip-protocol tcp
        mask 255.255.255.255
        partition APP20
        persist {
            TST_cookiePersistence {
                default yes
            }
        }
        pool POOL_WEB1
        profiles {
            TST_http_headerSource { }
            example.com {
                context clientside
            }
            tcp { }
        }
        rules {
            TST_redir
        }
        snat automap
    }

Thank you very much!

599 views | 0 likes | 1 comment

Working without SNAT to see original client IP
Hi,

In order to see the original client IP accessing a pool member from the WAN, I've disabled SNAT. Then, because of asymmetric routing, the connection stopped working, so I've set the pool member server's (Windows server) DG IP address to be the F5 internal IP of that specific VLAN. Then the connection was working again and I could see the original client IP accessing the pool member, but I lost connectivity to that server from my workstation, since the routing to that VLAN in our LAN environment is done via our backbone switches / FW. How can I keep the above configuration (no SNAT, DG of pool member is the F5 IP instead of our FW IP) and still have access to that server inside the LAN?

Thank you.

500 views | 0 likes | 1 comment

Auto map works, SNAT Pool doesn't
LTM Virtual Edition v13. I have added a new VLAN (24) to work with on my LTM VE. It is working fine with VLAN 25 already. I picked up an interface and added it to the new VLAN and a self IP with mask /24. Then I copied a VIP working on another LTM VE on VLAN 24 to this LTM VE, same node and pool, but picked a different address for the VIP. The VIP is up and is pingable, and the SNAT is pingable as well. When I hit the VIP from my browser I got a connection reset message. A capture on the LTM shows that the node (server behind the F5) sends a RST to the SNAT. If I remove the SNAT pool and use Automap the website loads properly (tried configuring several VIPs and SNAT pools with the same result). I don't know the reason for this behavior. The SNAT pool is reachable from the server. My goal is to have VIPs running fine on this new VLAN 24. Any help you can provide would be very appreciated.

Regards!

447 views | 0 likes | 3 comments
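The configuration quoted in the first two posts above (the `ltm snat`, `ltm snat-translation`, `ltm snatpool` and `ltm virtual` objects) is tmsh brace-format output. As an added example, not part of any post and not F5 tooling, here is a small Python parser for that format together with a summary routine that reports, per virtual server and per SNAT object, how client source addresses are rewritten. The sample configuration is constructed from the snippets in the posts (with some braces inlined); the parser assumes one statement per line, which is how `tmsh list` prints. Reading this off the config is the quick check behind the third post's concern: any virtual reporting `automap` or a pool hides the real client IP from its pool members, and `mirror enabled` on a SNAT object means its connection state is mirrored to the standby unit.

```python
"""Parser for BIG-IP tmsh brace-format config, plus a SNAT summary.
Added example, not F5 code. One statement per line:
  key value...  -> key: "value..."
  key           -> key: True  (a flag such as vlans-enabled, or a set member)
  key ... {     -> key: nested dict, closed by the matching '}'
"""
import shlex

NL = object()  # end-of-line sentinel: a tmsh statement ends at end of line


def tokenize(text):
    toks = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            toks.extend(shlex.split(line))  # keeps "quoted strings" as one token
            toks.append(NL)
    return toks


def parse_block(toks, pos=0):
    """Parse tokens into a dict until the matching '}' or end of input."""
    block, words = {}, []

    def flush():  # turn the words of one statement into a key/value entry
        if len(words) == 1:
            block[words[0]] = True
        elif len(words) > 1:
            block[words[0]] = " ".join(words[1:])
        words.clear()

    while pos < len(toks):
        tok = toks[pos]
        pos += 1
        if tok is NL:
            flush()
        elif tok == "{":
            key = " ".join(words)
            words.clear()
            block[key], pos = parse_block(toks, pos)
        elif tok == "}":
            flush()
            return block, pos
        else:
            words.append(tok)
    flush()
    return block, pos


def parse_tmsh(text):
    return parse_block(tokenize(text))[0]


def objects_of(cfg, kind):
    """Top-level objects of one kind, e.g. 'ltm snat', as {name: body}."""
    prefix = kind + " "
    return {k[len(prefix):]: v for k, v in cfg.items()
            if k.startswith(prefix) and isinstance(v, dict)}


def snatpool_addresses(cfg, pool_name):
    """Resolve a snatpool's members to their translation addresses."""
    translations = objects_of(cfg, "ltm snat-translation")
    members = objects_of(cfg, "ltm snatpool").get(pool_name, {}).get("members", {})
    return [translations.get(m, {}).get("address", m) for m in members]


def summarise_snat(cfg):
    """Per virtual: how the client source is rewritten; per SNAT object: what it does."""
    report = {"virtuals": {}, "snats": {}}
    for name, body in objects_of(cfg, "ltm virtual").items():
        if "snat" in body:            # v10 style 'snat automap' / 'snat none'
            mode = body["snat"]
        elif "snatpool" in body:      # explicit SNAT pool on the virtual
            mode = "pool " + body["snatpool"]
        else:
            mode = "none"             # pool members see the real client IP
        report["virtuals"][name] = {"destination": body.get("destination"), "snat": mode}
    for name, body in objects_of(cfg, "ltm snat").items():
        report["snats"][name] = {
            "origins": sorted(body.get("origins", {})),
            "vlans": sorted(body.get("vlans", {})),
            "vlans_enabled": body.get("vlans-enabled") is True,
            "mirror": body.get("mirror", "disabled"),
            "addresses": snatpool_addresses(cfg, body.get("snatpool", "")),
        }
    return report


# Sample constructed from the snippets quoted in the posts above (braces inlined).
SAMPLE_CONFIG = """
ltm snat /Common/outgoing_snat_v6 {
    description "IPv6 SNAT translation"
    mirror enabled
    origins { ::/0 { } }
    snatpool /Common/outgoing_snatpool_v6
    vlans { /Common/internal }
    vlans-enabled
}
ltm snat-translation /Common/ext_SNAT_v6 {
    address 2607:f160:c:301d::63
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/outgoing_snatpool_v6 {
    members { /Common/ext_SNAT_v6 }
}
ltm virtual VS_VSERVER {
    destination 10.0.20.150:https
    pool POOL_WEB1
    snat automap
}
"""
```

Run `summarise_snat(parse_tmsh(open("bigip.conf").read()))` against a saved `tmsh list ltm` dump to get the same report for a real unit; the v11+ `source-address-translation` stanza is not handled here, so on newer builds extend `summarise_snat` before relying on the virtual-server part of the report.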
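The second and third posts above both turn on the same question: which way the pool member's reply packet goes. The following model, an added example that is not from the posts or from F5, does a longest-prefix-match lookup over the pool member's routing table and reports whether the reply passes back through the BIG-IP. With SNAT automap the server sees the BIG-IP self IP as the source and answers it on-link; without SNAT it sees the real client address and routes the reply by its own table, which reaches the BIG-IP only when the BIG-IP self IP is the next hop, and in that case replies to LAN hosts are sent to the BIG-IP as well, which is the third post's symptom. The route table variant with a more-specific LAN prefix shows the general routing answer to that last case. All addresses, the VLAN layout and the route entries are constructed for the example. The BIG-IP's own side of the return path is a separate matter: by default its Auto Last Hop setting sends replies to the MAC address the request arrived from rather than consulting the BIG-IP route table, which is worth checking alongside the routing table whenever a firewall failover changes the upstream MAC address.

```python
"""Where does a pool member send its reply, with and without SNAT?

Added example, not from the posts or from F5. A longest-prefix-match
lookup over the pool member's routing table decides the next hop of the
reply packet; the flow stays symmetric only if that next hop is the
BIG-IP. All addresses, the VLAN layout and the routes are constructed.
"""
import ipaddress

ON_LINK = None  # next hop for a directly connected prefix


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_path(server_routes, bigip_self_ip, client_ip, snat_automap):
    """Return what the pool member sees as the client, where it sends the
    reply, and whether that reply passes back through the BIG-IP."""
    # With SNAT automap the BIG-IP rewrites the source to its self IP on the
    # server VLAN; without it the server sees the real client address.
    source_seen = bigip_self_ip if snat_automap else client_ip
    next_hop = lookup(server_routes, source_seen)
    bigip = ipaddress.ip_address(bigip_self_ip)
    if next_hop is ON_LINK:
        symmetric = ipaddress.ip_address(source_seen) == bigip  # answered directly to the BIG-IP
    else:
        symmetric = ipaddress.ip_address(next_hop) == bigip     # the BIG-IP is the gateway
    return {"server_sees": source_seen,
            "next_hop": "on-link" if next_hop is ON_LINK else next_hop,
            "symmetric": symmetric}


# Constructed topology: pool member on 10.0.30.0/24, BIG-IP self IP and the
# firewall both on that VLAN, one Internet client and one LAN workstation.
BIGIP_SELF_IP = "10.0.30.5"
FIREWALL = "10.0.30.1"
INTERNET_CLIENT = "203.0.113.45"
LAN_WORKSTATION = "10.0.10.20"

ROUTES_DG_FIREWALL = [("10.0.30.0/24", ON_LINK), ("0.0.0.0/0", FIREWALL)]
ROUTES_DG_BIGIP = [("10.0.30.0/24", ON_LINK), ("0.0.0.0/0", BIGIP_SELF_IP)]
# Same default gateway as above plus a more-specific route for the LAN, so
# replies to internal hosts go via the firewall while Internet replies still
# go via the BIG-IP.
ROUTES_DG_BIGIP_LAN_FIX = ROUTES_DG_BIGIP + [("10.0.10.0/24", FIREWALL)]


if __name__ == "__main__":
    cases = [("SNAT automap, DG = firewall", ROUTES_DG_FIREWALL, True),
             ("no SNAT,      DG = firewall", ROUTES_DG_FIREWALL, False),
             ("no SNAT,      DG = BIG-IP  ", ROUTES_DG_BIGIP, False)]
    for label, routes, snat in cases:
        print(label, reply_path(routes, BIGIP_SELF_IP, INTERNET_CLIENT, snat))
    for label, routes in [("DG = BIG-IP", ROUTES_DG_BIGIP),
                          ("DG = BIG-IP + LAN route", ROUTES_DG_BIGIP_LAN_FIX)]:
        print(label, "-> reply to LAN workstation via", lookup(routes, LAN_WORKSTATION))
```

The model only covers the pool member's decision; it does not say whether the firewall in the middle will accept a reply for a flow it never saw the request of, which is the other half of any asymmetric-routing failure and needs the firewall's own state table to answer.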