Forum Discussion

swtbeer
Mar 09, 2015

NAT (not SNAT) not preserving client source port

Hello,

Recently we've migrated our bigip-3600 to a new bigip400 platform. Everything is working correctly except NATs.

Something has changed in the way LTM works with NATs.

With version 9.4.6 LTM preserved the client source port and after the 300 second timeout it deleted the connection from the table, but when new traffic arrived it recreated the session again and the connection kept working without interruption.

With version 11.5.1 LTM doesn't preserve the client source port; it changes it. Another problem is that after the timeout it doesn't create the session again, so the connection is interrupted.

Has anybody experienced the same situation?

Thanks in advance

 

9 Replies

  • With version 11.5.1 ltm doesn't preserve client source port, it changes it.

    I understand it is due to the hardware architecture and CMP. The source port has to be changed to make the return traffic go to the same TMM.

    sol14358: Overview of Clustered Multiprocessing (11.3.0 and later)

    https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14358.html

    There is a request for enhancement to implement preserve-strict for NAT configuration, but it is not yet implemented.

    ID441079 - [RFE] Add "preserve-strict" option to NAT object to preserve source port strictly

    Anyway, could it be possible to use a virtual server with preserve-strict instead of NAT?

    sol11003: Configuring source port preservation for virtual servers

    https://support.f5.com/kb/en-us/solutions/public/11000/000/sol11003.html

  • Thanks for your answer nitass.

    Do you know how I can "simulate" a NAT using a virtual server?

    Regards, Javi

    • Hi Javi, it depends on how you are using it: in case of inbound-only traffic, a virtual server (Performance L4, all protocols) with a single-member pool (both configured for port 0) will handle it. In case of outbound traffic, a wildcard network virtual server (Forwarding IP) configured for port 0 with a SNAT pool containing the NAT address will handle the traffic. As with your current NAT configuration, network routes will be required to reach non-locally attached targets. For bi-directional traffic you will need both configuration elements. Thanks, Stephan
  • Thank you Stephan.

    It seems to be quite complicated only for doing a NAT, but I'm going to try it.

    Regards, Javi

    • I'm wondering, what kind of application is so sensitive about preserving the source port?
  • Hi Stephan,

    The important point here isn't the client source port. What I need is that LTM keeps the NAT connection working after the 300 second timeout. It seems that in version 9, NAT connections used the "loose initiation" feature, adding the connection to the connection table again without requiring a SYN packet. For this to work correctly it is necessary that the client source port stays unchanged.

    In version 11, LTM drops the connection without sending RST and it doesn't add it again when new traffic comes. I think it is related to the client source port being changed.

    I don't know if I'm explaining this well.

    Regards

  • do you know how can i "simulate" a NAT using a virtual server?

    This is just a test. It may not be fully correct.

     platform and version
    
    root@(B4200-R76-S10)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys hardware | grep -A 4 Platform
    Platform
      Name           BIG-IP 4200
      BIOS Revision  OBJ-0433-xx Build: 2.02.171.0 05/02/2014
      Base MAC       00:23:e9:8d:03:80
    
    root@(B4200-R76-S10)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version | grep -A 5 Product
      Product  BIG-IP
      Version  11.5.1
      Build    8.0.175
      Edition  Hotfix HF8
      Date     Mon Feb  9 00:49:11 PST 2015
    
     nat
    
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm nat test
    ltm nat test {
        inherited-traffic-group true
        originating-address 200.200.200.101
        traffic-group traffic-group-1
        translation-address 101.101.101.101
    }
    
     trace
    
    [root@B4200-R76-S10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    03:48:42.252624 IP 200.200.200.101.58123 > 101.101.101.6.80: S 2652003240:2652003240(0) win 5840  in slot1/tmm3 lis=
    03:48:42.252683 IP 101.101.101.101.30203 > 101.101.101.6.80: S 2652003240:2652003240(0) win 5840  out slot1/tmm3 lis=/Common/test,SRC_NAT
    
    [root@B4200-R76-S10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    03:48:53.868216 IP 101.101.101.6.56619 > 101.101.101.101.80: S 3744296679:3744296679(0) win 5840  in slot1/tmm3 lis=
    03:48:53.868298 IP 101.101.101.6.11327 > 200.200.200.101.80: S 3744296679:3744296679(0) win 5840  out slot1/tmm3 lis=/Common/test,DST_NAT
    
     virtual server for outbound
    
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm virtual outbound
    ltm virtual outbound {
        destination 0.0.0.0:0
        ip-forward
        mask any
        profiles {
            fastL4 { }
        }
        source 200.200.200.101/32
        source-address-translation {
            pool snat_101.101.101.101
            type snat
        }
        source-port preserve-strict
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 4
    }
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm snatpool snat_101.101.101.101
    ltm snatpool snat_101.101.101.101 {
        members {
            101.101.101.101
        }
    }
    
     trace
    
    [root@B4200-R76-S10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    03:39:19.646364 IP 200.200.200.101.58120 > 101.101.101.6.80: S 800989615:800989615(0) win 5840  in slot1/tmm0 lis=
    03:39:19.646591 IP 101.101.101.101.58120 > 101.101.101.6.80: S 800989615:800989615(0) win 5840  out slot1/tmm0 lis=/Common/outbound
    
     virtual server for inbound
    
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm virtual inbound
    ltm virtual inbound {
        destination 101.101.101.101:0
        mask 255.255.255.255
        pool pool_200.200.200.101
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-port preserve-strict
        translate-port disabled
        vlans {
            external
        }
        vlans-enabled
        vs-index 6
    }
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm pool pool_200.200.200.101
    ltm pool pool_200.200.200.101 {
        members {
            200.200.200.101:0 {
                address 200.200.200.101
            }
        }
    }
    
     trace
    
    [root@B4200-R76-S10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    03:41:53.120330 IP 101.101.101.6.56612 > 101.101.101.101.80: S 3185620727:3185620727(0) win 5840  in slot1/tmm2 lis=
    03:41:53.120856 IP 101.101.101.6.56612 > 200.200.200.101.80: S 3185620727:3185620727(0) win 5840  out slot1/tmm2 lis=/Common/inbound
    
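    The captures above show the behaviour the thread is about: the NAT object rewrites the client source port (58123 becomes 30203) while the preserve-strict virtual servers keep it. As an added example (not code from nitass's post or an F5 tool), the following Python script pairs each `in` line with its `out` line by TCP sequence number and flags, and reports per listener whether the source port survived translation and whether both packets stayed on the same TMM. The capture lines embedded in it are copied from the traces in this post; the way the `lis=` trailer is parsed is an assumption drawn from those lines only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Pattern for the BIG-IP tcpdump lines shown in the captures above: the stock
# tcpdump 5-tuple plus the "in|out slotX/tmmY lis=<listener>" trailer.
# The trailer format is assumed from the captured lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\).*?"
    r"\s(?P<dir>in|out) (?P<slot>slot\d+)/(?P<tmm>tmm\d+) lis=(?P<lis>\S*)$"
)


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Return one dict per packet line; tcpdump banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


@dataclass
class Translation:
    """An ingress packet and the egress packet TMM produced for it."""
    ingress: Dict[str, str]
    egress: Dict[str, str]

    @property
    def source_port_preserved(self) -> bool:
        return self.ingress["sport"] == self.egress["sport"]

    @property
    def same_tmm(self) -> bool:
        return self.ingress["tmm"] == self.egress["tmm"]

    @property
    def listener(self) -> str:
        return self.egress["lis"]


def pair_translations(records: List[Dict[str, str]]) -> List[Translation]:
    """Match each 'in' packet with the next 'out' packet carrying the same TCP
    sequence number and flags: address and port rewriting never touches those,
    so they identify the same segment before and after translation."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}
    pairs = []
    for rec in records:
        key = (rec["seq"], rec["flags"])
        if rec["dir"] == "in":
            pending[key] = rec
        elif key in pending:
            pairs.append(Translation(pending.pop(key), rec))
    return pairs


def report(pairs: List[Translation]) -> List[str]:
    """One line per translation, flagging listeners that rewrote the source port."""
    lines = []
    for t in pairs:
        verdict = "preserved" if t.source_port_preserved else "REWRITTEN"
        lines.append(
            f"{t.listener or '(none)'}: {t.ingress['src']}:{t.ingress['sport']} -> "
            f"{t.egress['src']}:{t.egress['sport']} source port {verdict}, "
            f"{t.ingress['tmm']} -> {t.egress['tmm']}"
        )
    return lines


# Capture lines copied from the traces in the post above (banner lines kept to
# show that the parser ignores them).
NAT_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:42.252624 IP 200.200.200.101.58123 > 101.101.101.6.80: S 2652003240:2652003240(0) win 5840  in slot1/tmm3 lis=
03:48:42.252683 IP 101.101.101.101.30203 > 101.101.101.6.80: S 2652003240:2652003240(0) win 5840  out slot1/tmm3 lis=/Common/test,SRC_NAT
03:48:53.868216 IP 101.101.101.6.56619 > 101.101.101.101.80: S 3744296679:3744296679(0) win 5840  in slot1/tmm3 lis=
03:48:53.868298 IP 101.101.101.6.11327 > 200.200.200.101.80: S 3744296679:3744296679(0) win 5840  out slot1/tmm3 lis=/Common/test,DST_NAT
"""

VS_CAPTURE = """\
03:39:19.646364 IP 200.200.200.101.58120 > 101.101.101.6.80: S 800989615:800989615(0) win 5840  in slot1/tmm0 lis=
03:39:19.646591 IP 101.101.101.101.58120 > 101.101.101.6.80: S 800989615:800989615(0) win 5840  out slot1/tmm0 lis=/Common/outbound
03:41:53.120330 IP 101.101.101.6.56612 > 101.101.101.101.80: S 3185620727:3185620727(0) win 5840  in slot1/tmm2 lis=
03:41:53.120856 IP 101.101.101.6.56612 > 200.200.200.101.80: S 3185620727:3185620727(0) win 5840  out slot1/tmm2 lis=/Common/inbound
"""

if __name__ == "__main__":
    for name, cap in (("nat object", NAT_CAPTURE), ("virtual servers", VS_CAPTURE)):
        print(f"== {name} ==")
        for line in report(pair_translations(parse_capture(cap))):
            print(line)
```

    Run against a longer `tcpdump -nni 0.0` capture, every `REWRITTEN` line names the listener that changed the port, so the two approaches can be compared on a live box instead of by reading packets by hand.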
  • In version 11 , ltm drops the connection without sending RST and it doesn't add it again when new trafic comes.

    It was not dropped here. I used hping to send a push flag when the connection was not in the connection table.

    e.g.

     version
    
    [root@B4200-R76-S10:Active:Standalone] config  tmsh show sys version | grep -A 5 Product
      Product  BIG-IP
      Version  11.5.1
      Build    8.0.175
      Edition  Hotfix HF8
      Date     Mon Feb  9 00:49:11 PST 2015
    
     nat
    
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm nat test
    ltm nat test {
        inherited-traffic-group true
        originating-address 200.200.200.101
        traffic-group traffic-group-1
        translation-address 101.101.101.101
    }
    [root@B4200-R76-S10:Active:Standalone] config  tmsh list ltm virtual
    [root@B4200-R76-S10:Active:Standalone] config 
    
     client
    
    [root@centos101 ~] hping -P -c 1 -d 100 101.101.101.6 -p 80
    HPING 101.101.101.6 (eth1 101.101.101.6): P set, 40 headers + 100 data bytes
    len=46 ip=101.101.101.6 ttl=63 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=1.3 ms
    
     trace
    
    [root@B4200-R76-S10:Active:Standalone] config  date; tmsh show sys connection
    Tue Mar 10 03:59:25 PDT 2015
    Sys::Connections
    Total records returned: 0
    
    [root@B4200-R76-S10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    03:59:28.959071 IP 200.200.200.101.1760 > 101.101.101.6.80: P 1126296173:1126296273(100) win 512 in slot1/tmm3 lis=
    03:59:28.959134 IP 101.101.101.101.1476 > 101.101.101.6.80: P 1126296173:1126296273(100) win 512 out slot1/tmm3 lis=/Common/test,SRC_NAT
    
  • Hi Stephan,

    I think hping opens a new connection each time you execute it. My problem is with connections that should be kept open for more than 300 seconds without activity.

    I'm trying to get some examples of my problem to post them here. I hope to achieve it.

    Regards