Forum Discussion

Xylene_UK_11374's avatar
Xylene_UK_11374
Icon for Nimbostratus rankNimbostratus
May 27, 2009

LTM9.4.6:- snat pool with 2 ISP links question

I would like to know how to set up the following:-

 

 

backend servers are mail relays / servers who make many DNS lookups, so many that the normal snat automap exhausts all ports.

 

 

I have2 links (isps available)

 

 

So my plan is to create a new virtual server on an internal IP address.

 

This vip will have a pool with a single member, the external DNS server (reachable via both isp links)

 

and then create a snat pool on the virtual which will have 2 IP addresses from each of the 2 subnets / links

 

 

Now the question is once the client IP has been snatted with one of the pool members, how does it know how to route out to the correct link?????

 

 

It will use the default gateway pool, but will it be 50 / 50 on getting the right gateway ???

 

 

 

DNS_VIP_UDP

 

10.159.144.120:53

 

protocol: UDP

 

protocol profile: udp_gtm_dns

 

SNAT_pool: DNS_SNAT

 

default pool: DNS_POOL

 

 

DNS_VIP_TCP

 

10.159.144.120:53

 

protocol: TCP

 

protocol profile: tcp_gtm_dns

 

SNAT_pool: DNS_SNAT

 

default pool: DNS_POOL

 

 

 

DNS_POOL

 

members: x.y.4.12:53

 

 

DNS_SNAT

 

4.xx.218.220

 

4.xx.218.221

 

12.yy.149.20

 

12.yy.149.21

 

-------------

 

My current routes has a default to a pool with the two ISP router IP.

 

4.xx.21.132 and 12.yy.149.4

 

 

 

Anyone give me a clue how to work around this with a rule or have any other idea's

 

 

Thanks

 

 

Xyleneuk
application delivery
dev
devops
iRules

11 Replies

Sort By
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    May 27, 2009
    Hi Xyleneuk,

     

     

    LTM should automatically pick the locally-connected gateway for whichever SNAT is used. Similar to auto lasthop but in the other direction.

     

     

    Denny
  • Bob_Cox_10935's avatar
    Bob_Cox_10935
    Icon for Nimbostratus rankNimbostratus
    May 28, 2009
    Denny,

     

    love your avatar. I track an 85 911.

     

     

    my doubt/uncertainty about your reply is how the F5 "automatically pick the locally-connected gateway".

     

     

    how will the F5 know this? my default route is to a pool with the two ISP routers' IP addresses. if the F5 intends to SNAT from the 12... but the ISP POOL returns the 4... address?
  • Bob_Cox_10935's avatar
    Bob_Cox_10935
    Icon for Nimbostratus rankNimbostratus
    May 28, 2009
    Denny.

     

    I am with Ohio Valley (OVR). my last DE was midohio in april.

     

    "Maverick"?

     

    semi-daily driver an 84 928S or my Ford F150 for bad weather days.

     

     

    I can believe the F5 will sort this out. but considering the need to coordinate changes with both internal and our external service provider, don't want to just 'try it'.

     

     

    are you saying you have implemented somethink similar to this? thanks again for the replies
  • Bob_Cox_10935's avatar
    Bob_Cox_10935
    Icon for Nimbostratus rankNimbostratus
    May 28, 2009
    Denny,

     

     

    the other idea I am considering is configuring more floating IP on these interfaces. then SNAT automap will have a 'pool'. but would prefer to do the VIP thing, since I also want to reduce the UDP timeout. my problem is driven by a high number of DNS rejects and the default UDP timeout appears to be 300sec. my applic team tells me these DNS rejects are expected and not easily eliminated.
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    May 28, 2009
    Maverick = Dallas Metroplex region of PCA - mav.pca.org

     

     

    Yes I have implemented this configuration many times with no issue, in fact the whole functionality of Link Controller (which is basically LTM/GTM lite) depends on this.

     

     

    You shouldn't need a SNAT pool unless you have enough traffic to exhaust all the ephemeral ports on one IP address (65535).

     

     

    Denny
  • Bob_Cox_10935's avatar
    Bob_Cox_10935
    Icon for Nimbostratus rankNimbostratus
    May 28, 2009
    Denny,

     

     

    which approach have you implemented? mult floating IP for autosnat or a vip/pool with snatpool? I have done snatpool several times, but not a snatpool wiith IP on different VLANs.

     

     

    exhausting the ephmeral ports is my problem. very high volume environement. since the timeout default is so high, these F5s are exhausting the snat ports on both self IP.

     

     

    thanks again. starting to make me feel better about resolving our issue.
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    May 28, 2009
    Hi Bob,

     

     

    I haven't implemented multiple floating IP's for autosnat, I would probably go with the snatpool. Either way should work though.

     

     

    Denny
  • c_p_i_o_17707's avatar
    c_p_i_o_17707
    Historic F5 Account
    May 29, 2009
    Bob,

     

    Did you consider lowering the UDP timeout for the snat translation addresses used in a SNAT pool? Yes the default is 300s - for UDP, I'd bump this way down - that way, connection flows go away sooner and you don't exhaust your ephemeral ports.

     

     

  • Bob_Cox_10935's avatar
    Bob_Cox_10935
    Icon for Nimbostratus rankNimbostratus
    Jun 02, 2009
    cpp999,

     

     

    as far as I know, the default UDP timeout cannot be changed for autosnat. but when I create a VIP/POOL/SNATPOOL I will create a custom UDP/TCP profile and lower the timeouts.

     

     

    thanks for the comment. once we make the change, I'll post the results.