Forum Discussion

gto481_34301
Oct 16, 2011

No acknowledge from destination after SNAT using iRule

I have one client server with one IP address (192.168.1.1). I would like to SNAT the server IP address based on the outgoing port 2222. Actually, the default SNAT is 10.230.10.1 for any other ports. However, I would like to SNAT to 10.10.1.1 only when I connect to the app server 172.17.30.1 on port 2222.

I just created Virtual Server 172.17.30.1 port 2222 and have 172.17.30.1 port 2222 as the server pool. Then I associated an iRule to SNAT to 10.10.1.1 on matching port 2222.

It seems SNAT is working, but the client server cannot communicate with the app server since there is no acknowledgement from the app server. Something like below:

10.10.1.1 38569 --> 172.17.30.1 2222
10.10.1.1 58967 --> 172.17.30.1 2222

The following is my iRule to match port 2222 and SNAT to 10.10.1.1:

when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 2222 } {
        snat 10.10.1.1
    } else {
        forward
    }
}

However, if I change the default SNAT to 10.10.1.1 then it can get an acknowledgement from the app server.

Do you guys know how to solve my problem? Any suggestion would be appreciated.

 

8 Replies

  • Have you enabled ARP on 10.10.1.1 under Local Traffic > SNATs > SNAT Translation List > 10.10.1.1?
  • John_Alam_45640
    Historic F5 Account
    gto481:

    Since the virtual server has 2222 as the destination port, [TCP::local_port] is always going to be 2222. This means that the iRule as you show it is not doing anything more than assigning the SNAT pool in the virtual properties.

    Even if we fixed the iRule, you would only get the default SNAT.

    So, remove the port from the virtual, replace it with 0, and try again.

    Remove the whole "else" structure; it is not needed.

    Be sure to tail the log when you test. This will produce a line in the log.

    If you are still having problems, send the tail of the log together with the virtual configuration.

    HTH.
  • John_Alam_45640
    Historic F5 Account
    Try this iRule instead:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port clientside] equals "2222" } {
            log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
            snat 10.10.1.1
        }
    }
  • John Alam:

    The problem still persists. It still doesn't get an ACK from the destination. The following is my configuration.

    virtual OPCO1_CO_VS {
        pool OPCO1_CO_Pool
        destination 172.17.30.1:any
        ip protocol tcp
        rules OPCO1_CH_SNAT_PORT
    }

    pool OPCO1_CO_Pool {
        members 172.17.30.1:2222
    }

    rule OPCO1_CH_SNAT_PORT {
        when CLIENT_ACCEPTED {
            if { [TCP::local_port clientside] equals "2222" } {
                log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
                snat 10.10.1.1
            }
        }
    }

  • Have you created 10.10.1.1 in the SNAT translation list and enabled ARP?
  • Forgot to attach the tail of the log.

    Oct 17 10:29:00 tmm tmm[2118]: Rule OPCO1_CH_SNAT_PORT : SNATting using 10.10.1.1 for client 192.168.1.1

  • nitass:

    It works!!! I just added 10.10.1.1 into the SNAT translation list and enabled ARP. Thank you for your help :)
  • Welcome.

    The snat iRule does not do ARP for us. It does SNAT only (as its name says :p).

    Cheers!
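The configuration the thread converges on, written out in tmsh syntax as an added example (it is not any poster's configuration; the thread's own listing is in the older bigpipe format, and the `source` and `traffic-group` values are assumptions). The point it illustrates is nitass's closing remark: the `snat` command only rewrites the source address, so 10.10.1.1 also has to exist as a snat-translation object with ARP enabled or the app server's SYN-ACK to 10.10.1.1 is never delivered back to the BIG-IP.

```tmsh
# Added example, not from the thread.
# Virtual listens on every port of 172.17.30.1, so the iRule can test the
# port the client actually connected to (John Alam's "replace it with 0").
ltm virtual OPCO1_CO_VS {
    destination 172.17.30.1:any
    ip-protocol tcp
    pool OPCO1_CO_Pool
    rules { OPCO1_CH_SNAT_PORT }
    source 0.0.0.0/0
}
ltm pool OPCO1_CO_Pool {
    members {
        172.17.30.1:2222 {
            address 172.17.30.1
        }
    }
}
# The object that was missing in the original setup. Without it the
# source is rewritten to 10.10.1.1, but nothing answers ARP for that
# address and the return traffic from the app server is lost.
ltm snat-translation 10.10.1.1 {
    address 10.10.1.1
    arp enabled
    # assumption: default floating traffic group
    traffic-group traffic-group-1
}
# Same iRule John Alam posted; the log line is the test that the
# SNAT branch was taken for a given client.
ltm rule OPCO1_CH_SNAT_PORT {
when CLIENT_ACCEPTED {
    if { [TCP::local_port clientside] equals "2222" } {
        log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
        snat 10.10.1.1
    }
}
}
```

To confirm the fix is in place, `tmsh list ltm snat-translation 10.10.1.1` should show `arp enabled`, and a test connection should produce both the rule's log line in /var/log/ltm and a completed handshake from 10.10.1.1 to 172.17.30.1:2222.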