SNAT Automap, INET Port Exhaustion, and Self-IPs

Question

We have a number of heavily used VIPs which use the SNAT Automap feature. And every once in a while the LTM outputs this log entry:&nbsp;&nbsp;&nbsp;

&nbsp;01010201:2: Inet port exhaustion on (floating_self-ip) to (pool_member_ip):(port) (proto 6) &nbsp;
&nbsp;

&nbsp;I was reading through "sol7820: Overview of SNAT features" today, and I see this statement:&nbsp;&nbsp;
&nbsp;When BIG-IP processes connections from the origin IP address(es) matching a SNAT automap definition, it chooses a translation address from the available self IP addresses. Floating self IP addresses on the egress VLAN are preferred to support seamless failover. &nbsp;&nbsp;
&nbsp;We apply both a floating and a non-floating self-IP to each LTM VLAN, so each unit has two self-IP addresses for each VLAN. My assumption, given the paragraph above, was that the LTM can theoretically support 2 x 65535 TCP connections to any individual pool member since each LTM has two IP addresses (a floating and a base) for any given VLAN. And if that's true, the message about Inet port exhaustion means that all the connections for the floating IP address have been used up (since it's preferred), but I still have another 65535 connections available since the base IP address can still be used.&nbsp;
&nbsp;Am I thinking that through correctly?&nbsp;&nbsp;&nbsp;

hooleylist · Answer

Hi SMP, 
&nbsp;  
&nbsp; On a unit in a redundant pair, the static (non-floating) self IPs cannot be used to source traffic.  If you want to avoid the inet port exhaustion, you can add more floating self IPs or configure a SNAT pool per virtual server.  The latter would help if you use the same pool member IP:ports on multiple virtual servers that you have SNAT automap enabled for. 
&nbsp;  
&nbsp; With multiple SNAT addresses TMM will round robin through them.  This can cause problems with apps that track the source IP address over a session.  If you need to ensure the source IP stays the same across multiple connections, you can use an iRule like these to do so: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/snat_pool_persistence.html 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/Exchange2010_SNATPool_Persist.html 
&nbsp;  
&nbsp; Aaron

smp_86112 · Answer

How did you come to this conclusion: &nbsp;
&nbsp;On a unit in a redundant pair, the static (non-floating) self IPs cannot be used to source traffic. &nbsp;&nbsp;
&nbsp;I found this on page 15-7 of the 10.1 LTM config guide: &nbsp;
&nbsp;When automatically choosing a self IP address to map to the specified original IP address, the system gives preference to floating self IP addresses over static (non-floating) self IP addresses. This prevents any interruption in service when failover occurs. Note that if no floating self IP address is currently assigned to the egress VLAN, the system uses the floating IP address of a non-egress VLAN instead. &nbsp;&nbsp;
&nbsp;The way I read this, "gives preference to floating self IP addresses over static (non-floating) self IP addresses" does not mean static addresses are excluded - just that they are not preferred. Is there some other document which states static addresses can't be used at all?

hooleylist · Answer

I don't remember reading it--I've just never seen it happen in practice.  Though I guess it might happen if you don't have a floating self IP on the egress VLAN?  You could try testing it to see, but I expect that only the floating self IP would be used if there is one. 
&nbsp;  
&nbsp; Aaron

smp_86112 · Answer

OK that makes me feel better that you can't point at a specific doc. If my logic is correct, then you wouldn't see the static IP until you ran out of connections with the floating. I wish I had a way to test this, but I don't have that kind of transient environment...

jcohen · Answer

It actually can use non-floating addresses for SNAT automap,  but there are some VERY significant caveats to this.  The affinity for a floating address is so strong that it is chosen over the fact that an address is on the correct egress VLAN.  SOL7336 
&nbsp;  
&nbsp; So, if you have _NO_ floating addresses on you box at all, you can use the non-floating addresses for SNAT automap.  If you hove a floating address on some VLANs and not others and the egress VLAN is one that does not have a floating, SNAT automap will choose the first floating address listed in your config and use that. 
&nbsp;  
&nbsp; When there is a floating address(es) on the egress VLAN SNAT automap will only use the floating address(es) on that VLAN. 
&nbsp;  
&nbsp; Hoolio's suggestio nfor avoiding port exhaustion is on the money..  SNAT pool or additional floating addresses.

Forum Discussion

SNAT Automap, INET Port Exhaustion, and Self-IPs

5 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Copy over self IPs from several partitions

Kill SNAT AutoMap!

New Virtual Server Pool, Self IP and routing configuration

Using Public IPs as a self, external and VS IPs

F5 self IP TLS/SSL hand shake fail with tcp port node member