Forum Discussion

Jason_Keating
Feb 07, 2008

SNAT address checking?

Hi all,


I ran into a problem today which I have found a solution for, but it left me wondering about a few things; I hope someone might be able to shed a little light on my findings.


Inadvertently I misconfigured a test LTM (9.3): I neglected to add a route to network 10.35.1.0, which left me with only the following routes (loopbacks etc. left out):

10.162.128.0 * 255.255.255.0 U 0 0 0 eth0
10.162.134.0 * 255.255.255.0 U 0 0 0 external
default 10.162.128.1 0.0.0.0 UG 1 0 0 eth0


The self IP is 10.162.134.50 (external VLAN) and eth0 is my management interface.


I created a virtual server (10.162.134.52) and added a pool with members in the 10.35.1.0 network. The node monitor and pool health monitors suggested all was well, and I confirmed this with both a ping to the member parent nodes and telnets to the ports of the pool members. In short, 10.35.1.0 was routable via my default route. (Note: this is when I should have added a static route/gateway for the 10.35.1.0 network, if I had not been half asleep.)


Next I created a standard SNAT with origin all addresses and translation to the address of the virtual server (10.162.134.52)


So I now have a route to my members (albeit not a good one) and green lights on all my monitors.


At this point I discover connections to my virtual server are being reset. I checked using Wireshark on the client, and I see the SYN, SYN-ACK, ACK, PSH-ACK followed by a RST-ACK from the virtual server (10.162.134.52).


So next I ran tcpdump on the external interface: I can see the same traffic between my client and the virtual server, but nothing to the pool members. Note that I also noticed there was no monitor traffic.


So next I ran tcpdump on the eth0 interface: I see no traffic to or from either the virtual server or the pool members.


Now I realise my error, add a route entry to the 10.35.1.0 network via a gateway on the external VLAN, and everything works OK.

tcpdump on the external interface shows the monitors happily chattering to the parent nodes of the pool members and to the pool member services themselves, and I also see my client chattering with the virtual server, and the SNAT'ed packets from the virtual server to the pool members.


So what's my problem? Well, I am wondering why I did not see SNAT'ed packets going out on the eth0 interface when that was the only route (the default route). Does the LTM chuck these packets in the trash because the SNAT is not being routed via a matching network?


NB: Addresses changed to protect the innocent.


Regards


J


2 Replies

  • eth0 is not a TMM interface, it is a management interface, and thus will not route ingress or egress traffic through the F5. You can route to it, and from it, but not through it. Personally I wish the delineation was even more clear than it is, to avoid this confusion.
  • Thanks citizen_elah, confirmation makes me more confident about my config.

    Regards

    J
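The fix the thread arrives at, written out as an added example that is not from the original post, the replies, or F5's own documentation. It uses tmsh, the CLI that replaced the 9.x bigpipe shell from version 10 onward, to add the missing TMM route and to show the checks that separate the management routing table (what `route -n` reported on eth0) from the table TMM actually forwards with. The gateway 10.162.134.1, the route name, and the member address in the tcpdump filter are assumptions; the thread only says "a gateway on the external VLAN".

```tmsh
# Added example, not the thread's own commands. tmsh syntax (v10+); the
# gateway 10.162.134.1, the route name and the member 10.35.1.10 are assumed.

# --- The misconfiguration, as seen from TMM's side ---
# The self IP puts TMM on the external VLAN only.
list /net self 10.162.134.50
# The default route via 10.162.128.1 on eth0 is a management route:
# it carries traffic to and from the box, never virtual server or SNAT traffic.
list /sys management-route
# TMM's own static routes: nothing here covers 10.35.1.0/24.
list /net route

# --- The fix: a TMM route for the member network through a gateway on the external VLAN ---
create /net route to_10_35_1_0 network 10.35.1.0/24 gw 10.162.134.1

# --- Checks ---
# TMM's routing table should now carry 10.35.1.0/24 via 10.162.134.1.
show /net route
# The SNAT translation 10.162.134.52 sits on the external VLAN, so member
# replies come back to TMM rather than to the host.
list /ltm snat
# Watch the translated connections leave on the external VLAN (run from the host shell).
tcpdump -ni external host 10.35.1.10 and port 80
```

The rule citizen_elah states is what the checks are for: a route that `route -n` shows on eth0 belongs to the management plane, and TMM will not forward virtual server or SNAT traffic over it, so a member network reachable only that way needs an entry in `net route` that points at a gateway on a VLAN with a self IP before the SNAT'ed packets will go anywhere.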