Load Balancing and NAT

Question

Hi&nbsp;
&nbsp;Just wanted to get your opinion on an issue i am facing right now and was wondering if you could confirm my hypothesis. Also, if F5 recommends any solution to this peculiar problem !!! Just a brief background we have an application which is hosted behind a load balancer. The virtual IP on the load balancer receives the request from the client and LB then redirects the request to the appropriate real server based on algorithm selected could be fastest response, weighted round robin etc. Session persistence is enabled to ensure the same client is redirected to the same real server. &nbsp;
&nbsp;This persistence is based on Source IP of the client. We have some sites that are accessing this application from behind firewalls installed at those locations. I dont have access to those firewalls thus am unable to change the behavior. Now the problem is that all the clients behind these firewalls are being NAT'd using a single IP address. As a result when the requests of these users reach load balancer, they appear to be coming from a single IP and thus are redirected to the same real server causing an imbalance in the sessions on the real servers. &nbsp;
&nbsp;Someone proposed that we should try to find a load balancer that would be able to carry out persistence based on Source IP + Source Port. From a laymans perspective it would appear to be the correct solution but, when the NAT session table is looked @ it becomes pretty evident this cannot be done. Why ? The first time the client would initiate a session to the virtual IP on the load balancer, based on source IP + source port the server would be redirected to lets suppose real server A. But, when the second connection in the same session is initiated it will bring the same source IP but a different TCP port at the client end into play thus redirecting the client's session to a different real server - meaning no persistence because user session is being redirected to a different real server !!! Thus defeating the purpose why we were looking at this solution in the first place. This solution is ok if we are considering stateless access to the real servers i.e. in case we do not need persistence. But, where persistence is required i doubt any load balancer vendor implements this !!! The best solution for all those clients behind the firewall in my opinion is to either use SSL or cookies to ensure session persistence and more even load distribution. 
&nbsp;E.g: 
&nbsp;users original IP range is: 10.1.76.0/24 
&nbsp;Juniper FW(SSG) LAN IP is: 10.1.76.1/24 
&nbsp;Juniper FW(SSG) WAN IP is: 10.200.240.1/30 (this interface is in NAT mode, therefore all requests are being NAT'd - the request that is reaching 
&nbsp;SLB is from 10.200.240.1/32) &nbsp;
&nbsp;So when 50 users from my site start session on LB, the requests would appear to come from 10.200.240.1 thus the SLB would load-balance them ALL to the same real-server. Looking forward to your response :) ...

nitass · Answer

if cookie is not possible and there is no other data in either header or payload which is persistent across user session, i think not much bigip can do.

Forum Discussion

Load Balancing and NAT

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

NGINXaaS for Azure: Load Balancing

What is Load Balancing?

Load Balancing WebSockets

Deploying F5 BIG-IP with Azure Cross-region load balancer