Forum Discussion
If you're dealing with exchange, this command is important for your snat:
snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
The reason is that RPC in particular will require re-authentication if a client IP changes midstream. Since RPC clients can open up to 10 connections to the same server, it is important that each of these connections has the same source IP, otherwise the session may fail completely.
If you do not use that command for snatting, then subsequent requests from the same client may get a different IP address from the snatpool, and your service may fail.
Also, if your HTTP application requires reauthentication when a session's IP address changes, the command serves the same purpose.
Finally, make sure to put the IP addresses you use inside a snatpool, otherwise the F5 will not answer ARP traffic for those addresses, and your service will not function correctly.
- mmory09_63087, Mar 05, 2014 (Nimbostratus): Exactly right. That command is required if the snatpool has a few members but shouldn't be an issue if it's a single member. The challenge for me is how I can include that in the selective iRule below.
    when CLIENT_ACCEPTED {
        snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
    }
    when LB_SELECTED {
        if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
            snatpool snat_exch2007
        }
    }
- mmory09_63087, Mar 05, 2014 (Nimbostratus): What takes precedence? I'd like the LTM to only SNAT those on the same subnet but not the requests coming from the client. Once the LTM does the SNAT, it should perform that required command for the Exchange...
- Mar 05, 2014: If you only have one server in the SNAT pool, my rule below will work as you want it to; it only SNATs the servers and uses the same IP while doing so. /Patrik
- BinaryCanary_19, Mar 05, 2014 (Historic F5 Account): If you require predictable source IPs, then wherever logic tells you you should be snatting here, don't be calling "snatpool", but rather the snat command that includes the CRC32 calculation. So you should remove the "snat" command from CLIENT_ACCEPTED, unless that's where you want to snat (in which case, remove the snatpool from the LB_SELECTED event). If you want to snat in LB_SELECTED, then use the crc32-enabled snat command. As your iRule stands, you're trying to snat twice: once with the crc32 command, and the second time just allowing the F5 to choose whatever IP it wants by giving it a snatpool.
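The deterministic selection the first post describes, combined with the same-subnet test from the posted iRule and the "snat once, in LB_SELECTED" advice above, as an added Python model. This is not F5 code and not code from anyone in this thread: it mirrors the crc32-modulo index, applies it only when the client sits in the selected server's /24, and contrasts it with an address handed out by a plain snatpool, which the model treats as round-robin (an assumption made for illustration; the BIG-IP's actual pool selection is not specified on this page). The pool, client and server addresses are constructed for the example.

```python
import itertools
import ipaddress
import zlib

# Constructed SNAT pool standing in for the F5 array static::snat_exch2007
# (addresses are made up for this example).
SNAT_EXCH2007 = ["10.0.1.201", "10.0.1.202", "10.0.1.203"]


def crc32_snat_index(client_addr, pool_size):
    """Mirror of the iRule expression
    [expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}]:
    hash the client's address string and reduce it modulo the pool size.
    zlib.crc32 returns an unsigned 32-bit value, so the result is always in
    range(pool_size)."""
    return zlib.crc32(client_addr.encode("ascii")) % pool_size


def pick_snat(client_addr, pool=SNAT_EXCH2007):
    """Deterministic SNAT address for a client: same client, same address,
    no matter how many connections it opens."""
    return pool[crc32_snat_index(client_addr, len(pool))]


def same_subnet(client_addr, server_addr, prefix=24):
    """The LB_SELECTED test [IP::addr "client/24" equals "server/24"]."""
    net = ipaddress.ip_network(f"{client_addr}/{prefix}", strict=False)
    return ipaddress.ip_address(server_addr) in net


def lb_selected(client_addr, server_addr, pool=SNAT_EXCH2007):
    """Model of the corrected LB_SELECTED event: SNAT only when the client
    (here, another server) sits in the selected server's /24, and then use
    the crc32-selected address rather than letting the pool choose.
    Returns the SNAT address, or None when the client address is kept."""
    if same_subnet(client_addr, server_addr):
        return pick_snat(client_addr, pool)
    return None


def rpc_connections(client_addr, server_addr, n=10, pool=SNAT_EXCH2007):
    """Set of source addresses the server sees across n RPC connections
    from one client. A single element means the source IP is stable."""
    return {lb_selected(client_addr, server_addr, pool) for _ in range(n)}


def snatpool_round_robin(pool=SNAT_EXCH2007):
    """Stand-in for a plain 'snatpool' command, which leaves the choice to
    the BIG-IP. Modelled here as round-robin (assumption for illustration):
    a client opening several connections gets several different addresses."""
    cycle = itertools.cycle(pool)
    return lambda: next(cycle)


if __name__ == "__main__":
    print("crc32 snat, 10 RPC connections:",
          rpc_connections("10.0.1.50", "10.0.1.10"))
    next_addr = snatpool_round_robin()
    print("plain snatpool, 10 connections:",
          {next_addr() for _ in range(10)})
    print("client outside the /24, no SNAT:",
          lb_selected("192.0.2.7", "10.0.1.10"))
```

With a one-member pool both forms collapse to the same address, which is why the reply above says the crc32 command only matters once the snatpool has more than one member; with three members the round-robin stand-in spreads one client's connections over all three, which is exactly the mid-stream source-IP change that RPC re-authentication trips over.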
- BinaryCanary_19, Mar 05, 2014 (Historic F5 Account): Also, if your servers need to communicate with other servers on the same subnet, and this traffic is going through the LTM, usually people will create a new virtual server to handle this traffic, and then apply SNAT on that virtual. Then the servers are configured to talk to the newly created VIP, instead of any specific server directly. The target servers are then a pool for the new VIP.