F5 LTM - SNAT fails in a /23 subnet

Hello all. We have installed a couple of BIG-IP LTM 1600 v11.3.0 (Build 3138.0) in active-passive mode. This cluster balances servers in two different DMZs (using Route Domains). Now the business has also asked us to balance servers in the internal LAN, which is a /23 subnet (10.39.16.0/23, VLAN 16, DGW 10.39.16.250, a Cisco router; F5 floating IP: 10.39.16.220). To reach that goal I configured all these objects:

  • New Route Domain creation (ID 16)
  • Interface configuration (on both devices) for self and floating IP in the new network (with the %16 suffix)
  • New default route (GW: 10.39.16.250, a Cisco Nexus switch)
  • A forwarding IP virtual server

And then I created a test farm to balance. As the balanced servers are in the LAN, most of the connections will come from the same LAN, so I configured the SNAT feature. And here I found the problem. The strange behavior is related to the SNAT IP; I hope to be able to explain what happens.

I said before that the LAN is a /23 network. All the servers and all the devices have the /23 netmask configured. For this example let's split that subnet into two segments: one with a 10.39.16 prefix and the other with a 10.39.17 prefix.

If the SNAT IP resides in the same segment as the balanced servers, the balancing DOES NOT WORK. If the SNAT IP resides in a different segment from the balanced servers, the balancing WORKS FINE.

For example:

  • servers in the 10.39.17 segment, SNAT IP 10.39.17.195 ==> NOT WORKING
  • servers in the 10.39.17 segment, SNAT IP 10.39.16.195 ==> OK
  • servers in the 10.39.16 segment, SNAT IP 10.39.16.195 ==> NOT WORKING
  • servers in the 10.39.16 segment, SNAT IP 10.39.17.195 ==> OK

So it seems that the selected host does not know how to reach a SNAT IP in its own segment, whereas if the SNAT IP is in the other segment it is able to reach it. I'm talking about "segments" because the subnet is configured as /23 for all the servers and devices (unless I discover something different). It seems like a netmask problem, but I'm not able to find it...

Has anyone experienced something like this? Thanks in advance for any suggestion.

Below are some configuration screens.

Stefano.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This behavior is strange. When I create a snatpool I typically select a snat subnet that is not shared with the servers. The behavior you are describing makes it sound like your cisco router has two /24 interfaces instead of a single /23. I assume this has been checked?

Comments on this Answer
Comment made 2 months ago by Gestione Reti WKI

Hello Dan, thanks for your answer and sorry for the lateness of mine. I didn't really consider your suggestion, but it is a good idea. I just tried with a test Virtual Server using a "172.16.16.x/24" SNAT pool subnet and it seems to work. I'll test this more deeply at the next configuration request. (Anyway, the Cisco router configuration is OK...)

Thanks again Dan.

Have a nice day.

Stefano.

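An added example, not from the original thread, that encodes the four test cases from the question and checks which on-link prefix length separates the working from the failing cases. This is the reasoning behind Dan's answer: every host is configured /23, yet the failures line up with /24 boundaries, which is what you would expect if a device on the path (such as the gateway) is really applying /24 masks. The thread gives only the server segments, so the .10 host addresses are assumed.

```python
from ipaddress import ip_network

# Constructed from the four cases in the question: (server IP, SNAT IP, balancing works?).
# The thread gives only the server segments, so the .10 host addresses are assumed.
OBSERVATIONS = [
    ("10.39.17.10", "10.39.17.195", False),
    ("10.39.17.10", "10.39.16.195", True),
    ("10.39.16.10", "10.39.16.195", False),
    ("10.39.16.10", "10.39.17.195", True),
]

CONFIGURED_PREFIX = 23  # what every host and device is supposed to use


def same_onlink_network(a: str, b: str, prefixlen: int) -> bool:
    """True if addresses a and b fall in the same network of the given prefix length."""
    net_a = ip_network(f"{a}/{prefixlen}", strict=False)
    net_b = ip_network(f"{b}/{prefixlen}", strict=False)
    return net_a == net_b


def separating_prefixes(observations, candidates=range(16, 31)):
    """Prefix lengths for which 'server and SNAT IP share a network' exactly
    predicts a failure: every failing case is same-network, every working
    case is cross-network. A perfect separator is the effective mask that
    some device on the path is really applying."""
    return [
        p for p in candidates
        if all(same_onlink_network(srv, snat, p) != works
               for srv, snat, works in observations)
    ]


def diagnose(observations, configured=CONFIGURED_PREFIX) -> str:
    """Summarise whether the failure pattern matches the configured mask."""
    hits = separating_prefixes(observations)
    if configured in hits:
        return f"failures follow the configured /{configured}; look elsewhere"
    if hits:
        return (f"failures follow /{hits[0]} boundaries, not /{configured}: "
                f"check for a device (e.g. the gateway) using /{hits[0]} interfaces")
    return "no single prefix length explains the pattern"


if __name__ == "__main__":
    print(diagnose(OBSERVATIONS))
```

With the four observed cases the only separating prefix length is /24, which is why a SNAT pool in a subnet the servers do not share (as Stefano's 172.16.16.x/24 test did) sidesteps the problem.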