Snat Pool Question

Question

Hi, 
&nbsp;  
&nbsp; We have a unique design in which our LTM has no internal subnet... instead everything flows out through the core router... to accomplish this we had to create a SNAT pool and SNAT all incoming connections to the VIP so that when the LTM load-balanced the request and sent it back out, it would come back to the LTM... 
&nbsp;  
&nbsp; Problem:  Siteminder protected applications are experiencing problems with this because when clients click on another part of a page.. the SNAT IP could change and thus breaks the SMSESSION cookie. 
&nbsp;  
&nbsp; Question: Is there a way to make a SNAT pool selection stick so that it always uses the same IP until the connection is closed? 
&nbsp;  
&nbsp; Thanks for the help.

strongarm_46960 · Answer

From your description, can I assume that your Siteminder is being protected by LTM or is it the other way round?, if it’s the former, then just setup SMSSESSION cookie based persistence with perhaps fall back on client source IP on LTM profile, and associate it to the Siteminders VIP, thus ensuring stickiness.

kevin_nail · Answer

Correct. Our Siteminder policy servers are behind the LTM. I'll give your suggestion a try

kevin_nail · Answer

BTW, is there such a cookie persistence in LTM. You mentioned setting the SMSESSION cookie based persistence. How is this done? with an iRule or is it just cookie based persistence? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Kevin

strongarm_46960 · Answer

in the Local Traffic, goto Profiles,  
&nbsp; click on the Persistence tab, click create ,  
&nbsp; give a name such as smscookie,  
&nbsp; sellect cookie within the list. 
&nbsp;  
&nbsp; Sellect Prefared cookie method. 
&nbsp; give cookie name to show the world. 
&nbsp; Expiration ==&gt; click on the session cookie 
&nbsp; click finished

kevin_nail · Answer

Yep, I got the setup correct... but my problem is that the IP presented to the Siteminder policy will change based on the SNAT pool.... I need to be able to present the true client_ip to the policy server on a one-armed LTM setup whil still ensuring that return traffic comes back throught the LTM... Don't know if this can be done or not...

Forum Discussion

Snat Pool Question

6 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

About IPI check ip list

Related Content

SNAT pool persistence

Multiple SNAT pools under a single VIP

How to get Virtual servers associated with a specific SNAT pool

SNAT IP address logging

Health monitor question