Forum Discussion

Gbps_31870
Aug 05, 2012

Application issue with SNAT pool

Hi,

We have one VS configured with a SNAT pool, but the server team complains that there is an issue accessing the application.

Given that, everything is working fine when they access the real server directly (the GW for the server is the FW).

Looking at tcpdumps captured on both sides (client and server side), we found that the client IP is translated to a different IP for each connection during the same session.

I'm going to apply the iRule below so that the testing client IP (10.1.0.2) won't change for each connection. Please advise if this iRule is OK to use and whether it will override the default SNAT pool.

    when CLIENT_ACCEPTED {
        # test client: always translate to this one SNAT address
        if { [IP::addr [IP::client_addr] equals 10.1.0.2] } {
            snat 10.2.0.2
        } else {
            # everyone else keeps using the SNAT pool
            # (a pool name is assigned with snatpool; snat takes an address, automap or none)
            snatpool snat-pool
        }
    }

If it's OK and it works for the testing client IP, is there a way through an iRule to translate a client IP address to a single IP address from the snat-pool for all connections during the same session?

Thanks in advance, and sorry for the long post.

BR,

Abdul

 

4 Replies

  • Richard__Harlan
    Historic F5 Account
    Yes, the above iRule should keep the test client on the same IP address. The other thing you want to check is that you have persistence enabled on the LTM, to make sure each request goes to the correct server. Also make sure NTLM is not being used, as it could cause problems when multiple sessions on multiple IPs are using the same login.
  • Thanks Richard for your input.

    Cookie persistence is enabled and NTLM is not being used, as you mentioned.

    I do believe that this application is tracking the client communication via IP address, which the F5 is changing for each connection.

    Hopefully the above iRule will isolate the issue during the next testing window.

    What about the other part: "is there a way through an iRule to translate the client IP address to a single IP from the snat-pool for all connections during the same session"? Any ideas?

    BR,

    Abdul

  • Hi Gbps,

    Question: Is there a way through an iRule to translate the client IP address to a single IP from the snat-pool for all connections during the same session?

    The simple answer is yes, by specifying the SNAT address like you are doing above, but there are limitations.

    If you use SNAT Automap, the BIG-IP will use one of its Self IP addresses as the SNAT address, but each Self IP address can only SNAT 65,536 connections before the next Self IP address is used (any SNAT address you specify will have the same limitation). Note that these are per connection, and most browsers open anywhere from 3 to 6 connections at a time to download a site faster. So depending on the usage of the site, you may need to have multiple SNAT IP addresses (use a SNAT pool).

    Do you know if the application is capable of using an X-Forwarded-For HTTP header? This would deliver the true client IP address to the application and might help your situation as well.

    X Forwarded For Single Header Insert

    Using "X-Forwarded-For" in Apache or PHP

    X-Forwarded-For

    Hope this helps.
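As an added example, not code from the thread or from F5, here is one way to do what Michael describes for every client rather than a single hard-coded test address: hash the client IP to pick one address from a fixed list, so every connection from the same client is translated to the same SNAT address, and insert X-Forwarded-For so the application can still see the true client IP. The addresses 10.2.0.2 to 10.2.0.5 are constructed placeholders for the members of your own SNAT pool; the `static::snat_addrs` variable name is my own choice.

```tcl
# Added example (not from the original post). Assumes the addresses below are
# valid SNAT addresses on this BIG-IP; replace them with the members of your pool.
when RULE_INIT {
    # constructed placeholder addresses standing in for the snat-pool members
    set static::snat_addrs [list 10.2.0.2 10.2.0.3 10.2.0.4 10.2.0.5]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    # crc32 of the client address is a stable integer; taking it modulo the list
    # length yields the same index, and therefore the same SNAT address, for
    # every connection from that client (Tcl's % is non-negative for a positive divisor).
    set idx [expr {[crc32 $client] % [llength $static::snat_addrs]}]
    # snat with an explicit address overrides the SNAT pool configured on the VS
    snat [lindex $static::snat_addrs $idx]
}

when HTTP_REQUEST {
    # Replace, rather than append to, any client-supplied X-Forwarded-For so the
    # application is never handed a value the client chose
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

The HTTP_REQUEST event needs an HTTP profile on the virtual server; if the VS is plain TCP, drop that event. The hash keeps a client on one address but does not lift the per-address limit Michael mentions: a fixed mapping can push a busy subset of clients onto a single SNAT address, so size the list of addresses (and watch connection counts per SNAT address) accordingly.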
  • Hi Michael,

    Thanks for your reply.

    The iRule I made was just for testing and it matches a single IP (10.1.0.2); what about if I have different clients with different IPs? It's OK for multiple clients to share the same IP, but they should stick to that IP during the session.

    Unfortunately, I'm not aware of the application's capabilities, but the team will come back again for the DR testing, and it's a good idea you are providing here, which could be a solution if the next test confirms that the SNAT pool is causing the issue.

    Thanks a lot to all for the great support. I will get back and post the test results once done.

    BR,

    Abdul