Forum Discussion

Kevin_Bozman_15
Jan 08, 2015

SNAT Issue with two virtual servers

I’m having an issue wrapping my head around setting up SNAT. I think SNAT is what I need.

Here is my setup:

192.168.103.125 – IP of server hosting IIS site www.siteA.com
192.168.103.1 – default gateway on server A, which is the F5
192.168.100.141 – IP of virtual server in F5 for siteA
192.168.103.211 – IP of server hosting IIS site www.siteB.com
192.168.103.1 – default gateway on server B, which is the F5
192.168.100.140 – IP of virtual server in F5 for siteB

If I try to browse to www.siteB.com from the site A server, it won’t work. If I try to browse to www.siteA.com from the site B server, it won’t work.

The only way I can get it to work is to create a static route like this to force the destination server to route any traffic back to the source to use the VIP.

On server B, I make a route: (route add 192.168.103.125 mask 255.255.255.255 192.168.100.141)

If I add the above on server B, I can then browse to www.siteB.com from server A.

I read through https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1199363 but I’m unsure exactly what to set up.

One other thing to add: for some reason, when our F5s were set up years ago, all of the webservers were put in route domain 1. I don’t know if that is part of the problem or not.

Appreciate any help.

 

9 Replies

  • nathe

    Looks like asymmetric routing, as the source IP will be the origin server, which the other server will be able to route directly back to.

    Try SNAT automap. This will source NAT the traffic to the BIG-IP's IP address, hence the traffic will return via the BIG-IP.

    Hope this helps.

    N

  • So, what's happening is this.

    Server B calls VIP A – src: 192.168.103.211, dst: 192.168.100.141

    VIP A sends to server A – src: 192.168.103.211, dst: 192.168.103.125

    Server A responds to the request – src: 192.168.103.125, dst: 192.168.103.211

    That's a problem, since server B is not expecting to be talking to that address and has no session to associate the connection with.

    Usually you don't need to worry about SNAT when the server's default gateway is the F5. However, you've just hit on one of the situations that does require some grooming. Do be careful if you do decide to put SNAT on the VIP, as it will change the way all of the traffic appears on the back-end server.
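As an added example (not part of the thread), a small Python model of the flow traced in this reply, using the thread's addresses: it follows one request and reports the (src, dst) pair the pool member sees, its reply, and whether that reply goes back through the BIG-IP or is delivered around it. It assumes the floating self IP that automap picks on the server VLAN is the gateway address 192.168.103.1 (the poster only says floating IPs exist), and it ignores the route-domain detail.

```python
import ipaddress

# Addresses taken from the thread above.
SERVER_A = "192.168.103.125"   # pool member for www.siteA.com
SERVER_B = "192.168.103.211"   # pool member for www.siteB.com
VIP_A = "192.168.100.141"
VIP_B = "192.168.100.140"
GATEWAY = "192.168.103.1"      # the BIG-IP, default gateway of both servers
SERVER_NET = ipaddress.ip_network("192.168.103.0/24")
# Assumption (hypothetical): automap's floating self IP on the server VLAN is the gateway address.
FLOATING_SELF = GATEWAY
BIGIP_OWNED = {GATEWAY, FLOATING_SELF, VIP_A, VIP_B}


def next_hop(dst, host_routes=None):
    """Where a server in SERVER_NET sends a packet for dst: a /32 host route if one
    exists, directly to dst if it is on the local subnet, else the default gateway."""
    host_routes = host_routes or {}
    if dst in host_routes:
        return host_routes[dst]
    if ipaddress.ip_address(dst) in SERVER_NET:
        return dst                     # same subnet: the BIG-IP never sees it
    return GATEWAY


def trace(client, vip, member, snat=None, member_routes=None):
    """Follow one request. Returns (client->VIP), (what the member sees),
    (the member's reply) and whether that reply crosses the BIG-IP."""
    to_vip = (client, vip)
    seen_src = snat or client          # with SNAT the member sees the self IP, not the client
    seen_by_member = (seen_src, member)
    reply = (member, seen_src)
    symmetric = next_hop(seen_src, member_routes) in BIGIP_OWNED
    return to_vip, seen_by_member, reply, symmetric


if __name__ == "__main__":
    # 1. As posted: server B browses siteA, no SNAT -> the reply bypasses the BIG-IP.
    print(trace(SERVER_B, VIP_A, SERVER_A))
    # 2. The poster's workaround: host route on server B sending server A's address to the VIP.
    print(trace(SERVER_A, VIP_B, SERVER_B, member_routes={SERVER_A: VIP_A}))
    # 3. SNAT automap: the reply is addressed to the floating self IP, so it returns via the
    #    BIG-IP, at the cost of the member no longer seeing the real client address.
    print(trace(SERVER_B, VIP_A, SERVER_A, snat=FLOATING_SELF))
```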
  • So I just add automap on the VIPs for siteA and siteB? I actually have two per site, 80 & 443.

  • As long as you have floating IP(s) configured on that egress VLAN, that should get you going.

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_snat.html

    When automatically choosing a self IP address to map to the specified original IP address, the system gives preference to floating self IP addresses over static (non-floating) self IP addresses. This prevents any interruption in service when failover occurs. Note that if no floating self IP address is currently assigned to the egress VLAN, the system uses the floating IP address of a non-egress VLAN instead.

  • We do have floating IP addresses. I have two of these boxes running in an HA pair. I set all the virtual servers' "Source Address Translation" to "Auto Map"; no luck. I can reach the sites via a different network, like from my workstation, but not from one another. Any other thoughts?

    • nathe
      Might be an idea to do a tcpdump on the BIG-IP and see what's happening.
    • nathe
      tcpdump -nni 0.0 host 'VIP IP' or 'pool member IP'. Something like that should help.
  • Seems to be working now. I tried it again this AM and I can pull up the sites from the other servers. I'm just using Auto Map on the virtual servers. I made the change yesterday and it didn't, though. Maybe there was some kind of timeout that needed to happen?? I'll keep monitoring it though. Thanks for the help.

    • cdougall_14195
      No problem. If I had to guess about what happened yesterday, I would agree with you regarding the "timeout". I run into that with some frequency when changing iRules. Someone with an existing connection to a VIP will not get the "new" iRule until they reconnect.