Distribute traffic to a number servers some of which have IPSEC enabled

Posting this on behalf of a customer.

 

 

They need to setup a set of load balancers which will allow them to distribute traffic to a number servers some of which have IPSEC enabled. IPSEC traffic runs over ports 500 and 4500 udp. What makes this a little more challenging is that I need to do this in an environment where we use SNAT for the clients addresses to reduce the amount of re-design for our core network. My initial plan was to use snatpool to provide a group of IP addresses which could be used by incoming connections and would allow for numbers of connections beyond the ~60K limit.

 

 

This works great for applications which use only a single IP:port combination but in the case of IPSEC I need to ensure that both the connections are run through the same SNAT address. What I found was that each separate connection could potentially be routed to any SNAT IP at any time. This resulted in very inconsistent connection results.

 

 

Technical support suggested trying to use an auto SNAT to see if those connections would use up all the > 1023 ports and then move to the next IP address which was marked for auto SNAT. What I found was that the behavior was the same for both snatpool and auto SNAT.

 

 

What I'd like to request is that F5 consider adding in some persistence for connections which are routed through a snatpool. Ideally this is something that could be added to 4.x, and certainly 9.x

 

 

Please let me know if you have any other ideas about how to accomplish this goal.