
SNAT Issue with two virtual servers

I’m having an issue wrapping my head around setting up SNAT. I think SNAT is what I need.

Here is my setup

192.168.103.125 – ip of server hosting IIS site www.siteA.com

192.168.103.1 Default Gateway on server A which is the F5

192.168.100.141 – ip of Virtual server in F5 for siteA


192.168.103.211 – ip of server hosting IIS site www.siteB.com

192.168.103.1 Default Gateway on server B which is the F5

192.168.100.140 – ip of Virtual server in F5 for site B


If I try to browse to www.siteB.com from the site A server, it won’t work. If I try to browse to www.siteA.com from the site B server, it won’t work.

The only way I can get it to work is to create a static route like this, to force the destination server to route any traffic back to the source through the VIP.

On server B, I make a route – (route add 192.168.103.125 mask 255.255.255.255 192.168.100.141)

If I add the above on server B, I can then browse to www.siteB.com from server A

I read through https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html#1199363 But I’m unsure exactly what to setup.

One other thing to add: for some reason, when our F5s were set up years ago, the webservers were put in route domain 1. I don’t know if that is part of the problem or not.

Appreciate any help.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Looks like asymmetric routing as source IP will be origin server which the other server will be able to route directly back to.

Try snat automap. This will source nat the traffic to be the bigip IP address. Hence traffic will return via bigip.

Hope this helps.

N


So, what's happening is this.

server B calls VIP a - src : 192.168.103.211 dst : 192.168.100.141

VIP a sends to server a - src : 192.168.103.211 dst : 192.168.103.125

server A responds to request - src : 192.168.103.125 dst : 192.168.103.211

  • That's a problem since server b is not expecting to be talking to that address, and has no session to associate the connection with.

Usually you don't need to worry about SNAT when the servers' default gateway is the F5. However, you've just hit on one of the situations that does require some grooming. Do be careful if you do decide to put SNAT on the VIP, as it will change the way all of the traffic appears on the back end server.

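As an added illustration (not from this thread or from F5), the following Python model walks the three packets above through both cases, without SNAT and with SNAT automap, to show why server B drops the direct reply and why the translated reply comes back through the BIG-IP. It assumes the BIG-IP's floating self IP on the server VLAN is the 192.168.103.1 gateway address from the question; the connection-table logic is a simplified stand-in for TMOS, not its code.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the question (constructed model, not BIG-IP code)
SERVER_A = "192.168.103.125"
SERVER_B = "192.168.103.211"
VIP_A = "192.168.100.141"
BIGIP_SELF = "192.168.103.1"   # assumed: floating self IP on the server VLAN, used by automap
SERVER_LAN = ipaddress.ip_network("192.168.103.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def bigip_forward(pkt, snat_automap):
    """VIP_A -> pool member SERVER_A. With automap the source becomes the self IP.
    Returns the packet sent to the server and the connection-table entry needed
    to translate the reply back toward the client."""
    new_src = BIGIP_SELF if snat_automap else pkt.src
    fwd = Packet(new_src, SERVER_A)
    conn = {(fwd.dst, fwd.src): (pkt.src, pkt.dst)}  # reply tuple -> (client, vip)
    return fwd, conn


def server_reply_path(reply, conn):
    """Server A replies to whatever source it saw. A same-subnet destination is
    delivered on-link (bypassing the F5); only traffic addressed to the BIG-IP
    itself, or to another subnet, reaches the default gateway."""
    if ipaddress.ip_address(reply.dst) in SERVER_LAN and reply.dst != BIGIP_SELF:
        return "direct", reply
    client, vip = conn[(reply.src, reply.dst)]  # BIG-IP untranslates from its table
    return "via-bigip", Packet(vip, client)


def simulate(snat_automap):
    request = Packet(SERVER_B, VIP_A)           # server B calls VIP A
    fwd, conn = bigip_forward(request, snat_automap)
    reply = Packet(fwd.dst, fwd.src)            # server A answers the source it saw
    path, delivered = server_reply_path(reply, conn)
    # server B only matches a reply to the tuple it opened (VIP_A -> itself)
    accepted = delivered == Packet(VIP_A, SERVER_B)
    return {"to_server": fwd, "reply_path": path, "delivered": delivered, "accepted": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        print("snat automap:" if mode else "no snat:", simulate(mode))
```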

So I just add automap on the VIPs for siteA and siteB? I actually have two per site, 80 & 443.


As long as you have floating IP(s) configured on that egress VLAN, that should get you going.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_snat.html

When automatically choosing a self IP address to map to the specified original IP address, the system gives preference to floating self IP addresses over static (non-floating) self IP addresses. This prevents any interruption in service when failover occurs. Note that if no floating self IP address is currently assigned to the egress VLAN, the system uses the floating IP address of a non-egress VLAN instead.


We do have a floating IP address. I have two of these boxes running in an HA pair. I set all the virtual servers' "Source Address Translation" to "Auto Map", no luck. I can reach the sites via a different network, like from my workstation, but not from one another. Any other thoughts?

Comments on this Answer
Comment made 08-Jan-2015 by nathan 7337
Might be an idea to do a tcpdump on the bigip and see what's happening.
Comment made 08-Jan-2015 by nathan 7337
tcpdump -nni 0.0 host 'VIP IP' or host 'pool member IP'. Something like that should help.

Seems to be working now. I tried it again this am and I can pull up the sites from the other servers. I'm just using auto map on the virtual servers. I made the change yesterday and it didn't though. Maybe there was some kind of timeout that needed to happen?? I'll keep monitoring it though. thanks for the help

Comments on this Answer
Comment made 09-Jan-2015 by cdougall 135
No problem. If I had to guess about what happened yesterday, I would agree with you regarding the "timeout". I run into that with some frequency when changing iRules: someone with an existing connection to a VIP will not get the "new" iRule until they reconnect.